3.4.6 About Kerberos Authentication

Both LDAP and NIS authentication optionally support Kerberos authentication. (In the case of IPA, Kerberos is fully integrated.) Kerberos provides a secure connection over standard ports, and it also allows offline logins by using credential caching with SSSD.

To be able to use Kerberos authentication, use yum to install the krb5-libs and krb5-workstation packages.

If you use the Authentication Configuration GUI and select LDAP or NIS as the user account database, select Kerberos password as the authentication method. You are prompted for the following information that is required to connect to the Kerberos realm:

  • The name of the Kerberos realm.

  • A comma-separated list of Key Distribution Center (KDC) servers that can issue Kerberos tickets.

  • A comma-separated list of Kerberos Administration Servers.

You can also select whether Kerberos should use DNS to resolve the host names of Kerberos servers and to search for KDCs within the realm. DNS domains are typically coterminous with Kerberos realms.

You can use the following options with the authconfig command to configure Kerberos authentication with LDAP or NIS:

--enablekrb5

Use Kerberos authentication. (For LDAP, specify this option instead of --enableldapauth.)

--enablekrb5kdcdns

Use DNS to resolve the host names of Kerberos servers.

--enablekrb5realmdns

Use DNS to search for KDCs within a Kerberos realm.

--krb5adminserver=server

Specify a Kerberos Administration Server.

--krb5kdc=server

Specify a KDC server.

--krb5realm=realm

Specify the name of the Kerberos realm.
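The following shell function is an added example, not part of the Oracle Linux documentation or of authconfig itself. It maps the values the GUI prompts for (realm, KDC list, administration server list, DNS discovery) onto the authconfig options listed above, and refuses a combination that authconfig would accept but that cannot obtain tickets: no KDC listed while DNS lookup of KDCs is disabled. The realm and host names are constructed samples.

```shell
#!/bin/sh
# Added example: build the authconfig argument list equivalent to the
# Kerberos settings the Authentication Configuration GUI prompts for.
# Usage: krb5_authconfig_args DB REALM KDCS ADMINS USE_DNS
#   DB       ldap or nis (the user account database)
#   REALM    Kerberos realm name, e.g. EXAMPLE.COM (constructed sample)
#   KDCS     comma-separated KDC list; may be empty when USE_DNS=yes
#   ADMINS   comma-separated administration servers; may be empty
#   USE_DNS  yes or no: add --enablekrb5kdcdns --enablekrb5realmdns
# Prints the argument list (without --update) and returns 0, or returns 1
# for a configuration that could never issue a ticket.
krb5_authconfig_args() {
    db=$1 realm=$2 kdcs=$3 admins=$4 use_dns=$5
    case $db in
        ldap) args="--enableldap" ;;
        nis)  args="--enablenis" ;;
        *) echo "user account database must be ldap or nis" >&2; return 1 ;;
    esac
    [ -n "$realm" ] || { echo "Kerberos realm is required" >&2; return 1; }
    # Realm names are case-sensitive and by convention upper-case; a
    # lower-case realm usually means a typo that will fail at login time.
    case $realm in
        *[[:lower:]]*) echo "warning: realm '$realm' is not upper-case" >&2 ;;
    esac
    # --enablekrb5 replaces --enableldapauth as the authentication method.
    args="$args --enablekrb5 --krb5realm=$realm"
    if [ "$use_dns" = yes ]; then
        args="$args --enablekrb5kdcdns --enablekrb5realmdns"
    elif [ -z "$kdcs" ]; then
        # Without DNS discovery there is no way to locate a KDC, so the
        # resulting configuration would silently lock every Kerberos user out.
        echo "at least one KDC is required when DNS lookup is disabled" >&2
        return 1
    fi
    [ -n "$kdcs" ]   && args="$args --krb5kdc=$kdcs"
    [ -n "$admins" ] && args="$args --krb5adminserver=$admins"
    printf '%s\n' "$args"
}
```

Append --update to the printed arguments to apply them with authconfig, or --test to have authconfig show the resulting settings without writing any configuration files.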

For more information, see the authconfig(8) manual page.