Skip to toolbar
Select Page

This the purpose of this article is to describe a way of authorising and identifying users from the UoA domain on Linux machines.  Because of the generic approach it takes, using standard libraries, I expect that this guide could be followed on other distributions, however this has only been tested on Ubuntu.

This article provides UoA specific information to the guide provided here.


Before starting the process.  Kerberos REQUIRES that your machine have the same FORWARD and REVERSE DNS names.  At this time, this means that you have to put in an AskIT job to the ITS Windows Team to ask them to create an entry in the UOA DNS.  You will need to provide them with the DNS name and the IP.  Also, within Rincewind you will need to make sure your machine is named [machinename]

Install and configure kerberos

Install the Kerberos library and the associated PAM library, with the samba client that we use to create a machine account in the UoA domain.

sudo apt-get install libpam-krb5 krb5-user smbclient

When prompted type in UOA.AUCKLAND.AC.NZ as the domain.  Next try getting a ticket:

root@sc330954dsco36l:~# kinit drit008
Password for drit008@UOA.AUCKLAND.AC.NZ:

Then check to make sure you got it:

drit008@sc-crysprj-hd01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_346216_ahQcrD4249
Default principal: drit008@UOA.AUCKLAND.AC.NZ

Valid starting     Expires            Service principal
03/12/13 14:41:28  03/12/13 21:21:28  krbtgt/UOA.AUCKLAND.AC.NZ@UOA.AUCKLAND.AC.NZ

That shows we have a valid ticket in the UOA domain, and everything is working fine!  At this point we should update the krb5.conf configuration file.

Edit the file at /etc/krb5.conf, delete the current krb5, and replace it with this:

pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 2
try_first_pass = true
ignore_root = true
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

default_realm = UOA.AUCKLAND.AC.NZ
ticket_lifetime = 24000
dns_lookup_realm = true
dns_lookup_kdc = true
default_keytab_name = FILE:/etc/krb5.keytab

default_domain =
default_domain =
default_domain =
auth_to_local = DEFAULT

default = FILE:/var/log/krb5.log

Under domain realm, you associate servers or realms with the credentials that should be used to access them, for instance here, should be accessed with AD.EC (EC domain) tickets, and should be access with UOA tickets.

The next step is to add the machine account in the UoA domain.  Modify /etc/samba/smb.conf, and add at the top of the file:

  netbios name = *MACHINE NAME IN CAPITALS*
  workgroup = UOA
  security = ADS
  kerberos method = secrets and keytab

Remove all other instances of the values.

Comment out the lines in /etc/samba/smb.conf

workgroup = WORKGROUP


server string = %h server (Samba, Ubuntu)

Joining the domain

Join the machine to the domain, this creates a machine account in the UoA Active Directory, use the command sudo net ads join -U *UoA domain join account*:

drit008@sc-crysprj-hd01:~$ sudo net ads join -U drit008
[sudo] password for drit008:
Enter drit008's password:
Using short domain name -- UOA
Joined 'SC-CRYSPRJ-HD01' to realm ''

You may at this point get a “DNS update failed!”.  This is because you haven’t made sure that your DNS entries match.

Now make sure that your machine account can authenticate against the domain (replace SC-CRYS.. with the name of your machine, make sure to add $ on the end):

drit008@sc-crysprj-hd01:~$ sudo kinit -k -V ‘SC-CRYSPRJ-HD01$’ [sudo] password for drit008: Using default cache: /tmp/krb5cc_346216_ahQcrD4249 Using principal: SC-CRYSPRJ-HD01$@UOA.AUCKLAND.AC.NZ Authenticated to Kerberos v5

If you have issues here, make sure you are root (use sudo!), and that you have the default encryption types listed in the krb5.conf (as above).

To make sure there is a valid machine account ticket all the time I have implemented the following hack, edit crontab:

sudo crontab -e

And then add the following line:

0 * * * * kinit -k 'SC-CRYSPRJ-VM01$'

Install OpenLDAP and tools

Its handy to install the ldap tools to check authentication against the domain at this point, the following tools allow this, again install them via:

sudo apt-get install ldap-utils libsasl2-modules-gssapi-mit

Now modify /etc/ldap/ldap.conf (NOT /etc/ldap.conf), replace whats in there with:

BASE dc=uoa,dc=auckland,dc=ac,dc=nz
URI ldap://

You should be able to run “ldapsearch” at the command line now, assuming that you still have kerberos tickets.  If you do, you will pull the ENTIRE domain, so you will need to use Ctrl C to break it.

Install and configure nss_ldap and pam_ldap

Thats the name service switch ldap plugin and the plugin authentication module plugin:

sudo apt-get install libnss-ldap libpam-ldap

You will be asked for some information during the setup process:

  • LDAP server: ldap://
  • Distinguished name of the search base: dc=uoa,dc=auckland,dc=ac,dc=nz
  • LDAP version to use: 3
  • Make local root database admin: no
  • Does the database require login: no
  • Password hash: md5

Next copy the following above the ##DEBCONF## line in /etc/ldap.conf (NOT /etc/ldap/ldap.conf!), making sure to modify the sasl_host_id to your computername:

#debug 1

use_sasl on
sasl_auth_id host/
krb5_ccname FILE:/tmp/krb5cc_host
base dc=uoa,dc=auckland,dc=ac,dc=nz
uri ldap://
ldap_version 3
timelimit 30
bind_timelimit 30
tls_checkpeer no
referrals no
bind_policy soft

scope sub
nss_base_passwd dc=uoa,dc=auckland,dc=ac,dc=nz?&(objectClass=organizationalPerson)(memberof=CN=staff.sit,OU=sit,OU=Groups,DC=UoA,DC=auckland,DC=ac,DC=nz)
nss_base_shadow dc=uoa,dc=auckland,dc=ac,dc=nz?&(objectClass=organizationalPerson)(memberof=CN=staff.sit,OU=sit,OU=Groups,DC=UoA,DC=auckland,DC=ac,DC=nz)
nss_base_group dc=uoa,dc=auckland,dc=ac,dc=nz?sub

# Services for UNIX 3.5 mappings
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember Member
#nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

Lastly make sure that you modify these three lines in /etc/nsswitch.conf:

passwd: compat ldap
group: compat ldap
shadow: compat ldap

Your machine should now work after a reboot!  You could test to see if its ok by using “su *upi*” and seeing if you can become that user.

Additional steps for Unity

With newer Ubuntu versions, you have to contend with the login manager lightDM and the Unity window manager.

Add the following to /etc/lightdm/lightdm.conf in order to enable network logins via the login window.


Unity in 14.04

Edit /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf instead

Enabling Kerberos for OpenSSH Server

Inside /etc/ssh/sshd_config modify:

GSSAPIAuthentication yes
GSSAPIKeyExchange yes