Chapter 19. Authentication Configuration
When a user logs in to a Red Hat Enterprise Linux system, the username
and password combination must be verified, or authenticated, as a valid
and active user. Sometimes the information to verify the user is located on
the local system, and other times the system defers the authentication to a
user database on a remote system.
The Authentication Configuration Tool provides a graphical interface for
configuring NIS, LDAP, and Hesiod to retrieve user information as well as
for configuring LDAP, Kerberos, and SMB as authentication protocols.
Note
If you configured a medium or high security level during installation or
with the Security Level Configuration Tool, network authentication
methods, including NIS and LDAP, are not allowed through the firewall.
This chapter does not explain each of the different authentication types in
detail. Instead, it explains how to use the Authentication Configuration
Tool to configure them. For more information about the specific
authentication types, refer to the Red Hat Enterprise Linux Reference
Guide.
To start the graphical version of the Authentication Configuration Tool
from the desktop, select the Main Menu Button (on the Panel) => System
Settings => Authentication or type the command system-config-authentication
at a shell prompt (for example, in an XTerm or a GNOME terminal). To start
the text-based version, type the command authconfig as root at a shell
prompt.
Important
After exiting the authentication program, the changes made take effect
immediately.
19.1. User Information
The User Information tab has several options. To enable an option,
click the empty checkbox beside it. To disable an option, click the
checkbox beside it to clear the checkbox. Click OK to exit the program
and apply the changes.
Figure 19-1. User Information
The following list explains what each option configures:
• Enable NIS Support — Select this option to configure the
system as an NIS client which connects to an NIS server for
user and password authentication. Click the Configure NIS
button to specify the NIS domain and NIS server. If the NIS
server is not specified, the daemon attempts to find it via
broadcast.
The ypbind package must be installed for this option to work. If
NIS support is enabled, the portmap and ypbind services are
started and are also enabled to start at boot time.
• Enable LDAP Support — Select this option to configure the
system to retrieve user information via LDAP. Click the
Configure LDAP button to specify the LDAP Search Base DN
and LDAP Server. If Use TLS to encrypt connections is
selected, Transport Layer Security is used to encrypt
passwords sent to the LDAP server.
The openldap-clients package must be installed for this
option to work.
For more information about LDAP, refer to the Red Hat
Enterprise Linux Reference Guide.
• Enable Hesiod Support — Select this option to configure the
system to retrieve information from a remote Hesiod database,
including user information.
The hesiod package must be installed.
• Winbind — Select this option to configure the system to
connect to a Windows Active Directory or a Windows domain
controller. User information can then be retrieved, and server
authentication options can be configured.
• Cache User Information — Select this option to enable the
name service cache daemon (nscd) and configure it to start at
boot time.
The nscd package must be installed for this option to work.
Red Hat Enterprise Linux 4: System Administration Guide
19.2. Authentication
The Authentication tab allows for the configuration of network
authentication methods. To enable an option, click the empty checkbox
beside it. To disable an option, click the checkbox beside it to clear the
checkbox.
Figure 19-2. Authentication
The following explains what each option configures:
• Enable Kerberos Support — Select this option to enable Kerberos
authentication. Click the Configure Kerberos button to configure:
o Realm — Configure the realm for the Kerberos server. The
realm is the network that uses Kerberos, composed of one or
more KDCs and a potentially large number of clients.
o KDC — Define the Key Distribution Center (KDC), which is
the server that issues Kerberos tickets.
o Admin Servers — Specify the administration server(s)
running kadmind.
The krb5-libs and krb5-workstation packages must be installed for
this option to work. Refer to the Red Hat Enterprise Linux
Reference Guide for more information on Kerberos.
• Enable LDAP Support — Select this option to have standard
PAM-enabled applications use LDAP for authentication. Click the
Configure LDAP button to specify the following:
o Use TLS to encrypt connections — Use Transport Layer
Security to encrypt passwords sent to the LDAP server.
o LDAP Search Base DN — Retrieve user information by its
Distinguished Name (DN).
o LDAP Server — Specify the IP address of the LDAP server.
The openldap-clients package must be installed for this option to
work. Refer to the Red Hat Enterprise Linux Reference Guide for
more information about LDAP.
• Use Shadow Passwords — Select this option to store passwords in
shadow password format in the /etc/shadow file instead of
/etc/passwd. Shadow passwords are enabled by default during
installation and are highly recommended to increase the security of
the system.
The shadow-utils package must be installed for this option to work.
For more information about shadow passwords, refer to the Users
and Groups chapter in the Red Hat Enterprise Linux Reference
Guide.
• Enable SMB Support — This option configures PAM to use an SMB
server to authenticate users. Click the Configure SMB button to
specify:
o Workgroup — Specify the SMB workgroup to use.
o Domain Controllers — Specify the SMB domain controllers
to use.
• Winbind — Select this option to configure the system to connect to a
Windows Active Directory or a Windows domain controller. User
information can then be retrieved, and server authentication
options can be configured.
• Use MD5 Passwords — Select this option to enable MD5
passwords, which allows passwords to be up to 256 characters
instead of eight characters or less. It is selected by default during
installation and is highly recommended for increased security.
19.3. Command Line Version
The Authentication Configuration Tool can also be run as a command
line tool with no interface. The command line version can be used in a
configuration script or a kickstart script. The authentication options are
summarized in Table 19-1.
Tip
These options can also be found in the authconfig man page or by
typing authconfig --help at a shell prompt.
Option                                  Description
--enableshadow                          Enable shadow passwords
--disableshadow                         Disable shadow passwords
--enablemd5                             Enable MD5 passwords
--disablemd5                            Disable MD5 passwords
--enablenis                             Enable NIS
--disablenis                            Disable NIS
--nisdomain=<domain>                    Specify NIS domain
--nisserver=<server>                    Specify NIS server
--enableldap                            Enable LDAP for user information
--disableldap                           Disable LDAP for user information
--enableldaptls                         Enable use of TLS with LDAP
--disableldaptls                        Disable use of TLS with LDAP
--enableldapauth                        Enable LDAP for authentication
--disableldapauth                       Disable LDAP for authentication
--ldapserver=<server>                   Specify LDAP server
--ldapbasedn=<dn>                       Specify LDAP base DN
--enablekrb5                            Enable Kerberos
--disablekrb5                           Disable Kerberos
--krb5kdc=<kdc>                         Specify Kerberos KDC
--krb5adminserver=<server>              Specify Kerberos administration server
--krb5realm=<realm>                     Specify Kerberos realm
--enablekrb5kdcdns                      Enable use of DNS to find Kerberos KDCs
--disablekrb5kdcdns                     Disable use of DNS to find Kerberos KDCs
--enablekrb5realmdns                    Enable use of DNS to find Kerberos realms
--disablekrb5realmdns                   Disable use of DNS to find Kerberos realms
--enablesmbauth                         Enable SMB
--disablesmbauth                        Disable SMB
--smbworkgroup=<workgroup>              Specify SMB workgroup
--smbservers=<server>                   Specify SMB servers
--enablewinbind                         Enable winbind for user information by default
--disablewinbind                        Disable winbind for user information by default
--enablewinbindauth                     Enable winbindauth for authentication by default
--disablewinbindauth                    Disable winbindauth for authentication by default
--smbsecurity=<user|server|domain|ads>  Security mode to use for Samba and winbind
--smbrealm=<STRING>                     Default realm for Samba and winbind when security=ads
--smbidmapuid=<lowest-highest>          UID range winbind assigns to domain or ADS users
--smbidmapgid=<lowest-highest>          GID range winbind assigns to domain or ADS users
--winbindseparator=<\>                  Character used to separate the domain and user part of
                                        winbind usernames if winbindusedefaultdomain is not enabled
--winbindtemplatehomedir=</home/%D/%U>  Directory that winbind users have as their home
--winbindtemplateprimarygroup=<nobody>  Group that winbind users have as their primary group
--winbindtemplateshell=</bin/false>     Shell that winbind users have as their default login shell
--enablewinbindusedefaultdomain         Configures winbind to assume that users with no domain in
                                        their usernames are domain users
--disablewinbindusedefaultdomain        Configures winbind to assume that users with no domain in
                                        their usernames are not domain users
--winbindjoin=<Administrator>           Joins the winbind domain or ADS realm now as this administrator
--enablewins                            Enable WINS for hostname resolution
--disablewins                           Disable WINS for hostname resolution
--enablehesiod                          Enable Hesiod
--disablehesiod                         Disable Hesiod
--hesiodlhs=<lhs>                       Specify Hesiod LHS
--hesiodrhs=<rhs>                       Specify Hesiod RHS
--enablecache                           Enable nscd
--disablecache                          Disable nscd
--nostart                               Do not start or stop the portmap, ypbind, or nscd services
                                        even if they are configured
--kickstart                             Do not display the user interface
--probe                                 Probe and display network defaults
Table 19-1. Command Line Options
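As an added example (not part of the Red Hat guide), two POSIX shell helpers for a kickstart %post script: one assembles an authconfig command line from the Table 19-1 options and refuses to enable LDAP authentication without TLS, the other audits an existing authconfig line for weak settings before the script is shipped. The helper names and the example.com host names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide. Uses only flags listed in
# Table 19-1; host names and the base DN in the comments are constructed.

# build_authconfig LDAP_SERVER BASE_DN REALM KDC USE_TLS(yes|no)
# Prints an authconfig command line for --kickstart mode, or returns 1
# without printing when TLS is off: --enableldapauth without
# --enableldaptls sends passwords to the LDAP server in the clear.
build_authconfig() {
    ldap_server=$1; base_dn=$2; realm=$3; kdc=$4; use_tls=$5
    if [ "$use_tls" != yes ]; then
        echo "refusing: LDAP authentication requested without TLS" >&2
        return 1
    fi
    printf 'authconfig --kickstart --enableshadow --enablemd5'
    printf ' --enableldap --enableldapauth --enableldaptls'
    printf ' --ldapserver=%s --ldapbasedn=%s' "$ldap_server" "$base_dn"
    # The KDC doubles as admin server here; pass a separate host if needed.
    printf ' --enablekrb5 --krb5realm=%s --krb5kdc=%s --krb5adminserver=%s' \
        "$realm" "$kdc" "$kdc"
    printf ' --enablecache\n'
}

# audit_authconfig CMDLINE
# Prints one finding per weak setting in an authconfig command line and
# returns 1 if any was found, so it can gate a kickstart build.
audit_authconfig() {
    cmd=" $1 "; rc=0          # pad so every flag is a space-delimited token
    case "$cmd" in
        *" --enableldapauth "*)
            case "$cmd" in
                *" --enableldaptls "*) ;;
                *) echo "LDAP authentication without TLS (passwords sent in clear)"; rc=1 ;;
            esac ;;
    esac
    case "$cmd" in
        *" --disableshadow "*) echo "shadow passwords disabled"; rc=1 ;;
    esac
    case "$cmd" in
        *" --disablemd5 "*) echo "MD5 passwords disabled (eight-character limit)"; rc=1 ;;
    esac
    return $rc
}

# Example (constructed names):
# build_authconfig ldap.example.com dc=example,dc=com EXAMPLE.COM kdc.example.com yes
```

Paste the printed line into the kickstart %post section; the audit helper can also be run over existing scripts with a loop of grep and audit_authconfig.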