Kerberos Authentication

Introduction
This guide describes simple Kerberos user authentication. It is expected that Kerberos servers have been previously setup and tested before continuing with this guide.

USE Flags

 * - Adds kerberos support
 * - Addes krb5 support to pam

Installation
To start off, you'll need to install the Kerberos 5 PAM Authentication Module:

Kerberos Configuration
The default already gives a pretty good guideline on how to configure the  file. At this point, you will need to know where on your network your Kerberos servers are. When finished, your should look similar to the following:

Of course, you would want to replace every instance of "EXAMPLE.ORG" with an appropriate domain.

Authenticating
After logging in as the user that will be authenticating against your Kerberos servers, run the "kinit" command and enter the Kerberos password for the user:

in which case you'll see something like the following:

Password for user@EXAMPLE.ORG:

The kinit command will obtain and cache the initial ticket-granting ticket (TGT). You can use the "klist" command:

to view what credentials are currently in the cache.

Providing the previous commands ran successfully, the Kerberos configuration is now complete.

Hostname canonicalization error
You may receive an error similar to this one upon a failed login:

pam_krb5(sshd:auth): (user xxxxx) credential verification failed: Hostname cannot be canonicalized

This error is a result of a missing FQDN hostname for localhost missing in your /etc/hosts file. Adding a FQDN in the form of  should resolve this issue, and allow logins.