Authentication Configuration

Fermi Notes
Fermi Kerberos is selected and correctly configured by default. Do not
change this unless you know what you are doing.
Most workgroups automatically set up the correct authentication method for you.
Installation Help
You can skip this section if you will not be setting up network passwords. If
you are unsure, ask your system administrator for assistance.
Kerberos 5 has been preconfigured for Fermilab's Kerberos
environment. Please do not change its settings unless you are planning on
being in a different Kerberos Realm.
Unless you are setting up an NIS password, you will notice that both
MD5 and shadow are selected. Using both will make your system as secure
as possible.
- Enable MD5 Passwords - allows a long password
  to be used (up to 256 characters).
- Use Shadow Passwords - provides a very secure
  method of retaining passwords for you.
- Enable NIS - allows you to run a group of
  computers in the same Network Information Service domain with a
  common password and group file. There are two options here to choose from:
  Note: To configure the NIS option, you must be
  connected to an NIS network. If you are unsure whether you are
  connected to an NIS network, please ask your system administrator.
  - NIS Domain - this option allows you to
    specify which domain or group of computers your system will
    belong to.
  - NIS Server - this option causes your
    computer to use a specific NIS server, rather than
    "broadcasting" a message to the local area network asking for
    any available server to host your system.
- Enable LDAP - LDAP consolidates certain
  types of information within your organization. There are three
  options to choose from here:
  - LDAP Server - this option allows you to
    access a server running the LDAP protocol.
  - LDAP Base DN - this option allows you to
    look up user information by its Distinguished
    Name (DN).
  - Use TLS (Transport Layer Security) lookups - this option
    allows LDAP to send encrypted user names and passwords to an LDAP
    server before authentication.
- Enable Kerberos - Kerberos is a secure
  system for providing network authentication services. There are
  three options to choose from here:
  - Realm - this option allows you to access a
    network that uses Kerberos, composed of one or a few servers
    (also known as KDCs) and a (potentially very large) number of
    clients.
    Fermilab's Realm is FNAL.GOV
  - KDC - this option allows you access to the
    Key Distribution Center (KDC), a machine
    that issues Kerberos tickets (sometimes called a
    Ticket Granting Server or TGS).
    Fermilab's KDCs are krb-fnal-1.fnal.gov:88 krb-fnal-2.fnal.gov:88
    krb-fnal-3.fnal.gov:88 krb-fnal-4.fnal.gov:88 krb-fnal-5.fnal.gov:88
  - Admin Server - this option allows you to
    access a server running kadmind.
    Fermilab's admin server is krb-fnal-admin.fnal.gov
- Enable SMB Authentication - sets up
  PAM to use an SMB server to authenticate users. You must supply two
  pieces of information here:
  - SMB Server - Indicates which
    SMB server your workstation will connect to for
    authentication.
  - SMB Workgroup - Indicates which
    workgroup the configured SMB servers are in.
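
As an added example (not part of the original help page and not Fermilab's own tooling), the Python below parses a krb5.conf and reports where it departs from the Realm, KDC and Admin Server values listed in the Kerberos section above. It assumes the common krb5.conf layout with the opening brace on the realm line; the sample file and the function names are constructed for illustration.

```python
# Values taken from the Kerberos section of this page.
EXPECTED_REALM = "FNAL.GOV"
EXPECTED_KDCS = [f"krb-fnal-{n}.fnal.gov:88" for n in range(1, 6)]
EXPECTED_ADMIN = "krb-fnal-admin.fnal.gov"
# Constructed sample file: one foreign KDC present, four documented KDCs absent.
SAMPLE = """\
[libdefaults]
    default_realm = FNAL.GOV
[realms]
    FNAL.GOV = {
        kdc = krb-fnal-1.fnal.gov:88
        kdc = kdc.example.org:88
        admin_server = krb-fnal-admin.fnal.gov
    }
"""

def parse_krb5(text):
    """Return (default_realm, {realm: {key: [values]}}) from krb5.conf text."""
    section, realm, default, realms = None, None, None, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].strip(), None
        elif line == "}":
            realm = None  # end of the current realm block
        elif "=" in line and line[0] not in "#;":  # skip comment lines
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default = value
            elif section == "realms" and value == "{":
                realm = realms.setdefault(key, {})  # start of a realm block
            elif section == "realms" and realm is not None:
                realm.setdefault(key, []).append(value)  # kdc may repeat
    return default, realms

def audit(text):
    """List each way the file departs from the settings this page documents."""
    default, realms = parse_krb5(text)
    conf = realms.get(EXPECTED_REALM, {})
    kdcs = conf.get("kdc", [])
    findings = [f"unexpected KDC: {k}" for k in kdcs if k not in EXPECTED_KDCS]
    findings += [f"missing KDC: {k}" for k in EXPECTED_KDCS if k not in kdcs]
    if default != EXPECTED_REALM:
        findings.append(f"default_realm is {default!r}")
    if conf.get("admin_server") != [EXPECTED_ADMIN]:
        findings.append(f"admin_server is {conf.get('admin_server')!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result from `audit()` means the file matches the values on this page; to check a real host, pass it the text of that host's krb5.conf instead of `SAMPLE`.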