3.4 Configuring and Using Authentication

3.4.1 About Local Oracle Linux Authentication
3.4.2 About IPA
3.4.3 About LDAP Authentication
3.4.4 About NIS Authentication
3.4.5 About Winbind Authentication
3.4.6 About Kerberos Authentication

Authentication is the verification of the identity of a user. A user logs in by providing a user name and a password, and the operating system authenticates the user's identity by comparing this information to data stored on the system. If the login credentials match and the user account is active, the user is authenticated and can successfully access the system.

The information that verifies a user's identity can either be located on the local system in the /etc/passwd and /etc/shadow files, or on remote systems using Identity Policy Audit (IPA), the Lightweight Directory Access Protocol (LDAP), the Network Information Service (NIS), or Winbind. In addition, IPAv2, LDAP, and NIS data files can use the Kerberos authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

You can use the Authentication Configuration GUI (system-config-authentication) to select the authentication mechanism and to configure any associated authentication options. Alternatively, you can use the authconfig command. Both the Authentication Configuration GUI and authconfig adjust settings in the PAM configuration files that are located in the /etc/pam.d directory.

3.4.1 About Local Oracle Linux Authentication

You can use the User Manager GUI (system-config-users) to add or delete users and groups and to modify settings such as passwords, home directories, login shells, and group membership. Alternatively, you can use commands such as useradd and groupadd.

Unless you select a different authentication mechanism during installation or by using the Authentication Configuration GUI or the authconfig command, Oracle Linux verifies a user's identity by using the information that is stored in the /etc/passwd and /etc/shadow files.

The /etc/passwd file stores account information for each user such as his or her unique user ID (or UID, which is an integer), user name, home directory, and login shell. A user logs in using his or her user name, but the operating system uses the associated UID. When the user logs in, he or she is placed in his or her home directory and his or her login shell runs.

The /etc/group file stores information about groups of users. A user also belongs to one or more groups, and each group can contain one or more users. When you grant access privileges to a group, all members of the group receive the same access privileges. Each group account has a unique group ID (GID, again an integer) and an associated group name.

Oracle Linux implements the user private group (UPG) scheme where adding a user account also creates a corresponding UPG with the same name as the user, and of which the user is the only member.

Only the root user can add, modify, or delete user and group accounts. By default, both users and groups use shadow passwords, which are cryptographically hashed and stored in /etc/shadow and /etc/gshadow respectively. These shadow password files are readable only by the root user. root can set a group password that a user must enter to become a member of the group by using the newgrp command. If a group does not have a password, a user can join the group only if root adds him or her as a member.

The /etc/login.defs file defines parameters for password aging and related security policies.

For more information about the content of these files, see the group(5), gshadow(5), login.defs(5), passwd(5), and shadow(5) manual pages.
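The checks below are an added example, not code from Oracle's documentation: they parse constructed /etc/passwd and /etc/shadow lines (placeholder hashes, no real data) and report a non-root account with UID 0, an empty password field, a locked entry (hash prefixed with ! or *), and a password older than the entry's maximum age. The shadow day fields are assumed to count days since 1970-01-01, as the shadow(5) format defines them.

```python
"""Audit local account data in the /etc/passwd and /etc/shadow formats.
Added example: constructed sample input, parsed from strings so it runs without root.
"""
from datetime import date

# Constructed /etc/passwd lines: name:x:UID:GID:GECOS:home:shell
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:0:1001:Backup job:/home/backup:/bin/bash
svc:x:1002:1002:Service:/var/lib/svc:/sbin/nologin
"""

# Constructed /etc/shadow lines: name:hash:lastchange:min:max:warn:inactive:expire:
# (day counts are days since 1970-01-01; the hashes are placeholders)
SHADOW_SAMPLE = """\
root:$6$saltsalt$placeholderhash:19700:0:99999:7:::
alice:$6$saltsalt$placeholderhash:19400:0:90:7:::
backup::19700:0:99999:7:::
svc:!!:19700:0:99999:7:::
"""

def audit_passwd(text):
    """Flag every account other than root that has UID 0 (a second superuser)."""
    findings = []
    for line in text.splitlines():
        name, _pw, uid = line.split(":")[:3]
        if uid == "0" and name != "root":
            findings.append(f"{name}: UID 0 but not root")
    return findings

def audit_shadow(text, today_days):
    """Classify entries as passwordless, locked, or past the maximum password age."""
    findings = []
    for line in text.splitlines():
        name, pw_hash, last_change, _min_days, max_days = line.split(":")[:5]
        if pw_hash == "":
            findings.append(f"{name}: empty password field")
        elif pw_hash.startswith(("!", "*")):
            findings.append(f"{name}: locked")
        elif max_days and int(max_days) < 99999:
            age = today_days - int(last_change)
            if age > int(max_days):
                findings.append(f"{name}: password expired ({age} days old, max {max_days})")
    return findings

if __name__ == "__main__":
    today = (date.today() - date(1970, 1, 1)).days
    for finding in audit_passwd(PASSWD_SAMPLE) + audit_shadow(SHADOW_SAMPLE, today):
        print(finding)
```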

3.4.2 About IPA

IPA allows you to set up a domain controller for DNS, Kerberos, and authorization policies as an alternative to Active Directory Services. You can enrol client machines with an IPA domain so that they can access information for single sign-on authentication. IPA combines the capabilities of existing well-known technologies such as certificate services, DNS, LDAP, Kerberos, and NTP.

To be able to configure IPA authentication, use yum to install the ipa-client and ipa-admintools packages.

If you use the Authentication Configuration GUI and select IPA v2 as the user account database, you are prompted to enter the names of the IPA domain, realm, and server. You can also select to configure NTP so that the system time is consistent with the IPA server. If you have initialized Kerberos, you can click Join Domain to create a machine account on the IPA server and grant permission to join the domain.

For more information about configuring IPA, see http://freeipa.org/page/Documentation.

3.4.3 About LDAP Authentication

LDAP allows systems to access centrally stored information over a network. LDAP servers store the information in a directory-based database that is optimized for searching. Directory entries are arranged in a hierarchical tree-like structure that can store a variety of information such as names, addresses, phone numbers, authentication data, network services, printers, and many other types of data. LDAP can also be used to authenticate users, allowing them to access their account from any machine on the LDAP network.

An entry is the basic unit of information within an LDAP directory. Each entry has one or more attributes. Each attribute has a name, a type or description, and one or more values. Examples of types are cn for common name and mail for an email address. In addition, the objectClass attribute allows you to control which attributes are required and which are optional. The values of objectClass determine the schema rules that an entry must obey.

Each entry in an LDAP directory is uniquely identified and referenced by its Distinguished Name (DN). The DN is constructed by taking the name of the entry itself (called the Relative Distinguished Name or RDN) and concatenating the names of its ancestor entries, known as the LDAP Search Base DN. For example, the DN for a user with an RDN of uid=gab451 might be similar to uid=gab451,ou=People,dc=mydomain,dc=com, where ou=People,dc=mydomain,dc=com is the LDAP Search base DN, ou stands for Organizational Unit and dc stands for Domain Component.

To be able to configure LDAP authentication, use yum to install the openldap-clients package.

If you use the Authentication Configuration GUI and select LDAP as the user account database, you are prompted to enter the LDAP Search Base DN and the URL of the LDAP server including the port number (for example, ldap://ldap-svr.mydomain.com:389).

You can configure LDAP to use either LDAP authentication or Kerberos authentication. LDAP authentication requires that you use either LDAP over SSL (ldaps) or Transport Layer Security (TLS) to secure the connection to the LDAP server. If you use TLS, you must enter the URL from which to download the CA certificate that provides the basis for authentication within the domain.

You can also enable and configure LDAP by using the authconfig command.

To use LDAP as the authentication source, specify the --enableldapauth option together with the full LDAP server URL (including the port number) and the LDAP Search Base DN, as shown in the following example:

# authconfig --enableldap --enableldapauth \
  --ldapserver=ldap://ldap-svr.mydomain.com:389 \
  --ldapbasedn="ou=people,dc=mydomain,dc=com" \
  --update

If you want to use TLS, additionally specify the --enableldaptls option and the download URL of the CA certificate:

# authconfig --enableldap --enableldapauth \
  --ldapserver=ldap://ldap-svr.mydomain.com:389 \
  --ldapbasedn="ou=people,dc=mydomain,dc=com" \
  --enableldaptls \
  --ldaploadcacert=https://ca-server.mydomain.com/caCert.crt \
  --update

For information about using Kerberos authentication with LDAP, see Section 3.4.6, “About Kerberos Authentication”.

For more information, see the authconfig(8) manual page.

For more information about LDAP, see the ldap(3) manual page.

3.4.4 About NIS Authentication

NIS stores administrative information such as user names, passwords, and host names on a centralized server. Client systems on the network can access this common data. This configuration allows users to move from machine to machine without having to remember different passwords or copy data from one machine to another. Storing administrative information centrally, and providing a means of accessing it from networked systems, also ensures the consistency of that data. NIS also reduces the overhead of maintaining administration files such as /etc/passwd on each system.

A network of NIS systems is a NIS domain. Each system within the domain has the same NIS domain name, which is different from a DNS domain name. The DNS domain is used throughout the Internet to refer to a group of systems. A NIS domain is used to identify systems that use files on a NIS server. A NIS domain must have exactly one master server but can have multiple slave servers.

To be able to configure NIS authentication, use yum to install the yp-tools and ypbind packages.

If you use the Authentication Configuration GUI and select NIS as the user account database, you are prompted to enter the names of the NIS Domain and the NIS master server.

You can configure NIS to use either NIS authentication or Kerberos authentication.

Warning

NIS authentication is deprecated as it has security issues, including a lack of protection of authentication data.

For information about using Kerberos authentication with NIS, see Section 3.4.6, “About Kerberos Authentication”.

3.4.5 About Winbind Authentication

Winbind is a client-side service that resolves user and group information on a Windows server, and allows Oracle Linux to understand Windows users and groups. To be able to configure Winbind authentication, use yum to install the samba-winbind package. This package includes the winbindd daemon that implements the winbind service.

If you use the Authentication Configuration GUI and select Winbind as the user account database, you are prompted for the information that is required to connect to a Microsoft workgroup, Active Directory, or Windows NT domain controller. Enter the name of the Winbind domain and select the security model for the Samba server:

ads

In the Active Directory Server (ADS) security model, Samba acts as a domain member in an ADS realm, and clients use Kerberos tickets for Active Directory authentication. You must configure Kerberos and join the server to the domain, which creates a machine account for your server on the domain controller.

domain

In the domain security model, the local Samba server has a machine account (a domain security trust account) and Samba authenticates user names and passwords with a domain controller in a domain that implements Windows NT4 security.

Warning

If the local machine acts as a Primary or Backup Domain Controller, do not use the domain security model. Use the user security model instead.

server

In the server security model, the local Samba server authenticates user names and passwords with another server, such as a Windows NT server.

Warning

The server security model is deprecated as it has numerous security issues.

user

In the user security model, a client must log in with a valid user name and password. This model supports encrypted passwords. If the server successfully validates the client's user name and password, the client can mount multiple shares without being required to specify a password.

Depending on the security model that you choose, you might also need to specify the following information:

  • The name of the ADS realm that the Samba server is to join (ADS security model only).

  • The names of the domain controllers. If there are several domain controllers, separate the names with spaces.

  • The login template shell to use for the Windows NT user account (ADS and domain security models only).

  • Whether to allow user authentication using information that has been cached by the System Security Services Daemon (SSSD) if the domain controllers are offline.

Your selection updates the security directive in the [global] section of the /etc/samba/smb.conf configuration file.
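As an added check (not code from the page, from Oracle, or from Samba), the following Python reads the security directive from the [global] section of an smb.conf and flags the deprecated server model described above, as well as an ADS configuration that lacks the realm the ADS model requires. Both configurations are constructed samples; the fallback to the user model when the directive is absent reflects Samba's documented default.

```python
"""Check the security model in the [global] section of smb.conf.
Added example: both configurations below are constructed samples,
not files from the page or from a real server.
"""
import configparser

KNOWN_MODELS = {"user", "domain", "server", "ads"}
DEPRECATED = {"server"}   # numerous security issues, per the page
NEEDS_REALM = {"ads"}     # ADS members join a Kerberos realm

# Constructed: weak configuration on the deprecated server model
WEAK_CONF = """\
[global]
    workgroup = MYDOMAIN
    security = server
    password server = ad1.mydomain.com
"""

# Constructed: corrected configuration on the ADS model with its realm
FIXED_CONF = """\
[global]
    workgroup = MYDOMAIN
    security = ads
    realm = MYDOMAIN.COM
    password server = ad1.mydomain.com ad2.mydomain.com
"""

def check_security_model(conf_text):
    """Return findings for the security directive; an empty list means it is acceptable."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    if not parser.has_section("global"):
        return ["no [global] section"]
    g = parser["global"]
    # Samba's documented default when the directive is absent is the user model
    model = g.get("security", "user").strip().lower()
    findings = []
    if model not in KNOWN_MODELS:
        findings.append(f"unknown security model '{model}'")
    if model in DEPRECATED:
        findings.append(f"security = {model} is deprecated; use ads or user")
    if model in NEEDS_REALM and not g.get("realm"):
        findings.append("security = ads requires a realm setting")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, check_security_model(conf) or ["ok"])
```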

If you have initialized Kerberos, you can click Join Domain to create a machine account on the Active Directory server and grant permission for the Samba domain member server to join the domain.

You can also use the authconfig command to configure Winbind authentication. To use the user-level security model, specify the name of the domain or workgroup and the host names of the domain controllers, for example:

# authconfig --enablewinbind --enablewinbindauth --smbsecurity user \
  [--enablewinbindoffline] --smbservers="ad1.mydomain.com ad2.mydomain.com" \
  --smbworkgroup=MYDOMAIN --update

To allow user authentication using information that has been cached by the System Security Services Daemon (SSSD) if the domain controllers are offline, specify the --enablewinbindoffline option.

For the domain security model, additionally specify the template shell, for example:

# authconfig --enablewinbind --enablewinbindauth --smbsecurity domain \
  [--enablewinbindoffline] --smbservers="ad1.mydomain.com ad2.mydomain.com" \
  --smbworkgroup=MYDOMAIN --winbindtemplateshell=/bin/bash --update

For the ADS security model, additionally specify the ADS realm and template shell, for example:

# authconfig --enablewinbind --enablewinbindauth --smbsecurity ads \
  [--enablewinbindoffline] --smbservers="ad1.mydomain.com ad2.mydomain.com" \
  --smbworkgroup=MYDOMAIN --smbrealm MYDOMAIN.COM \
  --winbindtemplateshell=/bin/bash --update

For more information, see the authconfig(8) manual page.

3.4.6 About Kerberos Authentication

Both LDAP and NIS authentication optionally support Kerberos authentication. (In the case of IPA, Kerberos is fully integrated.) Kerberos provides a secure connection over standard ports, and it also allows offline logins by using credential caching with SSSD.

To be able to use Kerberos authentication, use yum to install the krb5-libs and krb5-workstation packages.

If you use the Authentication Configuration GUI and select LDAP or NIS as the user account database, select Kerberos password as the authentication method. You are prompted for the following information that is required to connect to the Kerberos realm:

  • The name of the Kerberos realm.

  • A comma-separated list of Key Distribution Center (KDC) servers that can issue Kerberos tickets.

  • A comma-separated list of Kerberos Administration Servers.

You can also select whether Kerberos should use DNS to resolve the host names of Kerberos servers and to search for KDCs within the realm. DNS domains are typically coterminous with Kerberos realms.

You can use the following options with the authconfig command to configure Kerberos authentication with LDAP or NIS:

--enablekrb5

Use Kerberos authentication. (Specify instead of --enableldapauth for LDAP.)

--enablekrb5kdcdns

Use DNS to resolve the host names of Kerberos servers.

--enablekrb5realmdns

Use DNS to search for KDCs within a Kerberos realm.

--krb5adminserver=server

Specify a Kerberos Administration Server.

--krb5kdc=server

Specify a KDC server.

--krb5realm=realm

Specify the name of the Kerberos realm.

For more information, see the authconfig(8) manual page.