Chapter 13. Configuring Authentication
13.1. Configuring System Authentication
13.1.1. Launching the Authentication Configuration Tool UI
- Log into the system as root.
- Open the.
- Select themenu.
- Select theitem.
- Identity & Authentication, which configures the resource used as the identity store (the data repository where the user IDs and corresponding credentials are stored).
- Advanced Options, which allows authentication methods other than passwords or certificates, like smart cards and fingerprint.
13.1.2. Selecting the Identity Store for Authentication
Figure 13.1. Local Authentication
22.214.171.124. Configuring LDAP Authentication
- Select User Account Database drop-down menu.in the
- Set the information that is required to connect to the LDAP server.
- LDAP Search Base DN gives the root suffix or distinguished name (DN) for the user directory. All of the user entries used for identity/authentication will exist below this parent entry. For example, ou=people,dc=example,dc=com.This field is optional. If it is not specified, then the System Security Services Daemon (SSSD) attempts to detect the search base using the
defaultNamingContextattributes in the LDAP server's configuration entry.
- LDAP Server gives the URL of the LDAP server. This usually requires both the host name and port number of the LDAP server, such as ldap://ldap.example.com:389.Entering the secure protocol in the URL,
ldaps://, enables the button.
- Use TLS to encrypt connections sets whether to use Start TLS to encrypt the connections to the LDAP server. This enables a secure connection over a standard port.Selecting TLS enables thebutton, which retrieves the issuing CA certificate for the LDAP server from whatever certificate authority issued it. The CA certificate must be in the privacy enhanced mail (PEM) format.
ImportantDo not select Use TLS to encrypt connections if the server URL uses a secure protocol (
ldaps). This option uses Start TLS, which initiates a secure connection over a standard port; if a secure port is specified, then a protocol like SSL must be used instead of Start TLS.
- Select the authentication method. LDAP allows simple password authentication or Kerberos authentication.Using Kerberos is described in Section 126.96.36.199, “Using Kerberos with LDAP or NIS Authentication”.The LDAP password option uses PAM applications to use LDAP authentication. This option requires either a secure (
ldaps://) URL or the TLS option to connect to the LDAP server.
188.8.131.52. Configuring NIS Authentication
- Install the ypbind package. This is required for NIS services, but is not installed by default.
~]# yum install ypbindWhen the
ypbindservice is installed, the
ypbindservices are started and enabled to start at boot time.
- Select User Account Database drop-down menu.in the
- Set the information to connect to the NIS server, meaning the NIS domain name and the server host name. If the NIS server is not specified, the
authconfigdaemon scans for the NIS server.
- Select the authentication method. NIS allows simple password authentication or Kerberos authentication.Using Kerberos is described in Section 184.108.40.206, “Using Kerberos with LDAP or NIS Authentication”.
220.127.116.11. Configuring Winbind Authentication
- Install the samba-winbind package. This is required for Windows integration features in Samba services, but is not installed by default.
~]# yum install samba-winbind
- Select User Account Database drop-down menu.in the
- Set the information that is required to connect to the Microsoft Active Directory domain controller.
- Winbind Domain gives the Windows domain to connect to.This should be in the Windows 2000 format, such as
- Security Model sets the security model to use for Samba clients.
authconfigsupports four types of security models:
- ads configures Samba to act as a domain member in an Active Directory Server realm. To operate in this mode, the krb5-server package must be installed and Kerberos must be configured properly. Also, when joining to the Active Directory Server using the command line, the following command must be used:
net ads join
- domain has Samba validate the user name/password by authenticating it through a Windows primary or backup domain controller, much like a Windows server.
- server has a local Samba server validate the user name/password by authenticating it through another server, such as a Windows server. If the server authentication attempt fails, the system then attempts to authenticate using
- user requires a client to log in with a valid user name and password. This mode does support encrypted passwords.The user name format must be domain\user, such as
NoteWhen verifying that a given user exists in the Windows domain, always use Windows 2000-style formats and escape the backslash (\) character. For example:
~]# getent passwd domain\\user DOMAIN\user:*:16777216:16777216:Name Surname:/home/DOMAIN/user:/bin/bashThis is the default option.
- Winbind ADS Realm gives the Active Directory realm that the Samba server will join. This is only used with the ads security model.
- Winbind Domain Controllers gives the domain controller to use. For more information about domain controllers, see Section 18.104.22.168, “Domain Controller”.
- Template Shell sets which login shell to use for Windows user account settings.
- Allow offline login allows authentication information to be stored in a local cache. The cache is referenced when a user attempts to authenticate to system resources while the system is offline.
Winbindservice, see Section 21.1.2, “Samba Daemons and Related Services”.
Winbindand troubleshooting tips, see the Knowledgebase on the Red Hat Customer Portal.
Winbind Mapperutility that generates a part of the
smb.conffile to help you connect a Red Hat Enterprise Linux to an Active Directory.
22.214.171.124. Using Kerberos with LDAP or NIS Authentication
- It uses a security layer for communication while still allowing connections over standard ports.
- It automatically uses credentials caching with SSSD, which allows offline logins.
Figure 13.2. Kerberos Fields
- Realm gives the name for the realm for the Kerberos server. The realm is the network that uses Kerberos, composed of one or more key distribution centers (KDC) and a potentially large number of clients.
- KDCs gives a comma-separated list of servers that issue Kerberos tickets.
- Admin Servers gives a list of administration servers running the
kadmindprocess in the realm.
- Optionally, use DNS to resolve server host name and to find additional KDCs within the realm.
13.1.3. Configuring Alternative Authentication Features
Figure 13.3. Advanced Options
126.96.36.199. Using Fingerprint Authentication
188.8.131.52. Setting Local Authentication Parameters
- Enable local access control instructs the
/etc/security/access.conffile to check for local user authorization rules.
- Password Hashing Algorithm sets the hashing algorithm to use to encrypt locally-stored passwords.
184.108.40.206. Enabling Smart Card Authentication
- Card Removal Action tells the system how to respond when the card is removed from the card reader during an active session. A system can either ignore the removal and allow the user to access resources as normal, or a system can immediately lock until the smart card is supplied.
- Require smart card login sets whether a smart card is required for logins or allowed for logins. When this option is selected, all other methods of authentication are immediately blocked.
WarningDo not select this option until you have successfully authenticated to the system using a smart card.
220.127.116.11. Creating User Home Directories
13.1.4. Configuring Authentication from the Command Line
authconfigcommand-line tool updates all of the configuration files and services required for system authentication, according to the settings passed to the script. Along with allowing all of the identity and authentication configuration options that can be set through the UI, the
authconfigtool can also be used to create backup and kickstart files.
authconfigoptions, check the help output and the man page.
18.104.22.168. Tips for Using authconfig
- With every command, use either the
--testoption. One of those options is required for the command to run successfully. Using
--updatewrites the configuration changes.
--testprints the changes to stdout but does not apply the changes to the configuration.
- Each enable option has a corresponding disable option.
22.214.171.124. Configuring LDAP User Stores
--enableldap. To use LDAP as the authentication source, use
--enableldapauthand then the requisite connection information, like the LDAP server name, base DN for the user suffix, and (optionally) whether to use TLS. The
authconfigcommand also has options to enable or disable RFC 2307bis schema for user entries, which is not possible through the Authentication Configuration UI.
ldaps) and the port number. Do not use a secure LDAP URL (
ldaps) with the
authconfig --enableldap --enableldapauth --ldapserver=ldap://ldap.example.com:389,ldap://ldap2.example.com:389 --ldapbasedn="ou=people,dc=example,dc=com" --enableldaptls --ldaploadcacert=https://ca.server.example.com/caCert.crt --update
--ldapauthfor LDAP password authentication, it is possible to use Kerberos with the LDAP user store. These options are described in Section 126.96.36.199, “Configuring Kerberos Authentication”.
188.8.131.52. Configuring NIS User Stores
--enablenis. This automatically uses NIS authentication, unless the Kerberos parameters are explicitly set, so it uses Kerberos authentication (Section 184.108.40.206, “Configuring Kerberos Authentication”). The only parameters are to identify the NIS server and NIS domain; if these are not used, then the
authconfigservice scans the network for NIS servers.
authconfig --enablenis --nisdomain=EXAMPLE --nisserver=nis.example.com --update
220.127.116.11. Configuring Winbind User Stores
authconfig --enablewinbind --enablewinbindauth --smbsecurity=user|server --enablewinbindoffline --smbservers=ad.example.com --smbworkgroup=EXAMPLE --update
authconfig --enablewinbind --enablewinbindauth --smbsecurity ads --enablewinbindoffline --smbservers=ad.example.com --smbworkgroup=EXAMPLE --smbrealm EXAMPLE.COM --winbindtemplateshell=/bin/sh --update
18.104.22.168. Configuring Kerberos Authentication
authconfig NIS or LDAP options --enablekrb5 --krb5realm EXAMPLE --krb5kdc kdc.example.com:88,server.example.com:88 --krb5adminserver server.example.com:749 --enablekrb5kdcdns --enablekrb5realmdns --update
22.214.171.124. Configuring Local Authentication Settings
authconfig --enablemkhomedir --update
authconfig --passalgo=sha512 --update
126.96.36.199. Configuring Fingerprint Authentication
authconfigsettings, like LDAP user stores.
~]# authconfig --enablefingerprint --update
188.8.131.52. Configuring Smart Card Authentication
~]# authconfig --enablesmartcard --update
~]# authconfig --enablesmartcard --smartcardaction=0 --update
~]# authconfig --enablerequiresmartcard --update
--enablerequiresmartcardoption until you have successfully authenticated to the system using a smart card. Otherwise, users may be unable to log into the system.
184.108.40.206. Managing Kickstart and Configuration Files
--updateoption updates all of the configuration files with the configuration changes. There are a couple of alternative options with slightly different behavior:
--kickstartwrites the updated configuration to a kickstart file.
--testprints the full configuration, with changes, to stdout but does not edit any configuration files.
authconfigcan be used to back up and restore previous configurations. All archives are saved to a unique subdirectory in the
/var/lib/authconfig/directory. For example, the
--savebackupoption gives the backup directory as
~]# authconfig --savebackup=2011-07-01
--restorebackupoption, giving the name of the manually-saved configuration:
~]# authconfig --restorebackup=2011-07-01
authconfigautomatically makes a backup of the configuration before it applies any changes (with the
--updateoption). The configuration can be restored from the most recent automatic backup, without having to specify the exact backup, using the
13.1.5. Using Custom Home Directories
/homeand the system is configured to create home directories the first time users log in, then these directories are created with the wrong permissions.
- Apply the correct SELinux context and permissions from the
/homedirectory to the home directory that is created on the local system. For example:
~]# semanage fcontext -a -e /home /home/locale
- Install the oddjob-mkhomedir package on the system.This package provides the
pam_oddjob_mkhomedir.solibrary, which the Authentication Configuration Tool uses to create home directories. The
pam_oddjob_mkhomedir.solibrary, unlike the default
pam_mkhomedir.solibrary, can create SELinux labels.The Authentication Configuration Tool automatically uses the
pam_oddjob_mkhomedir.solibrary if it is available. Otherwise, it will default to using
- Make sure the
oddjobdservice is running.
- Re-run the Authentication Configuration Tool and enable home directories, as in Section 13.1.3, “Configuring Alternative Authentication Features”.
~]# semanage fcontext -a -e /home /home/locale # restorecon -R -v /home/locale