Product SiteDocumentation Site

Chapter 8. Authentication Configuration

8.1. The Authentication Configuration Tool
8.1.1. Identity & Authentication
8.1.2. Advanced Options
8.1.3. Command Line Version
8.2. The System Security Services Daemon (SSSD)
8.2.1. What is SSSD?
8.2.2. SSSD Features
8.2.3. Setting Up SSSD
8.2.4. Configuring Services
8.2.5. Configuring Domains
8.2.6. Setting Up Kerberos Authentication
8.2.7. Troubleshooting
8.2.8. SSSD Configuration File Format

8.1. The Authentication Configuration Tool

When a user logs in to a Red Hat Enterprise Linux system, the username and password combination must be verified, or authenticated, as a valid and active user. Sometimes the information to verify the user is located on the local system, and other times the system defers the authentication to a user database on a remote system.
The Authentication Configuration Tool provides a graphical interface for configuring user information retrieval from Lightweight Directory Access Protocol (LDAP), Network Information Service (NIS), and Winbind user account databases. This tool also allows you to configure Kerberos to be used as the authentication protocol when using LDAP or NIS.

Note

If you configured a medium or high security level during installation (or with the Security Level Configuration Tool), then the firewall will prevent NIS authentication. For more information about firewalls, refer to the "Firewalls" section of the Red Hat Enterprise Linux 6 Security Guide.
To start the graphical version of the Authentication Configuration Tool from the desktop, click SystemAdministrationAuthentication or type the command system-config-authentication at a shell prompt (for example, in an XTerm or a GNOME terminal).

Important

After exiting the authentication program, any changes you made take effect immediately.

8.1.1. Identity & Authentication

The Identity & Authentication tab allows you to configure how users should be authenticated, and has several options for each method of authentication. To select which user account database should be used, select an option from the drop-down list.
Identity & Authentication; changing the option in the User Account Database drop-down list changes the contents of the tab.
Figure 8.1. Identity & Authentication; changing the option in the User Account Database drop-down list changes the contents of the tab.

The following list explains what each option configures:

LDAP

The LDAP option instructs the system to retrieve user information via LDAP. It contains the following specifications:
  • LDAP Search Base DN — Specifies that user information should be retrieved using the listed Distinguished Name (DN).
  • LDAP Server — Specifies the address of the LDAP server.
  • Use TLS to encrypt connections — When enabled, Transport Layer Security (TLC) will be used to encrypt passwords sent to the LDAP server. The Download CA Certificate option allows you to specify a URL from which to download a valid Certificate Authority certificate (CA). A valid CA certificate must be in the Privacy Enhanced Mail (PEM) format.

    Important

    The Use TLS to encrypt connections option must not be ticked if an ldaps:// server address is specified in the LDAP Server field.
    For more information about CA Certificates, refer to Section 11.6.1, “An Overview of Certificates and Security”.
The openldap-clients package must be installed for this option to work.
LDAP provides the following methods of authentication:
  • Kerberos password — This option enables Kerberos authentication. It contains the following specifications:
    • Realm — Configures the realm for the Kerberos server. The realm is the network that uses Kerberos, composed of one or more KDCs and a potentially large number of clients.
    • KDCs — Defines the Key Distribution Centers (KDC), which are servers that issue Kerberos tickets.
    • Admin Servers — Specifies the administration server(s) running kadmind.
    The Kerberos Settings dialog also allows you to use DNS to resolve hosts to realms and locate KDCs for realms.
    The krb5-libs and krb5-workstation packages must be installed for this option to work. For more information about Kerberos, refer to section Using Kerberos of the Red Hat Enterprise Linux 6 Managing Single Sign-On and Smart Cards guide.
  • LDAP password — This option instructs standard PAM-enabled applications to use LDAP authentication with options specified in the User Account Configuration of LDAP. When using this option, you must provide an ldaps:// server address or use TLS for LDAP authentication.

Note

The SSSD service is used as a client for LDAP and Kerberos servers. Thus, offline login is enabled and supported by default. No user interaction is needed to set up the SSSD service with the Authentication Configuration Tool. For more information about the SSSD service, refer to Section 8.2, “The System Security Services Daemon (SSSD)”

NIS

The NIS option configures the system to connect to a NIS server (as an NIS client) for user and password authentication. To configure this option, specify the NIS domain and NIS server. If the NIS server is not specified, the daemon attempts to find it via broadcast.
The ypbind package must be installed for this option to work. If the NIS user account databse is used, the portmap and ypbind services are started and are also enabled to start at boot time.
For more information about NIS, refer to section "Securing NIS" of the Red Hat Enterprise Linux 6 Security Guide.
NIS provides the following methods of authentication:
  • Kerberos password — This option enables Kerberos authentication. For more information about configuration of the Kerberos authentication method, refer to the previous section on LDAP.
  • NIS password — This option enables NIS authentication. NIS can provide authentication information to outside processes to authenticate users.

Winbind

The Winbind option configures the system to connect to a Windows Active Directory or a Windows domain controller. User information from the specified directory or domain controller can then be accessed, and server authentication options can be configured. It contains the following specifications:
  • Winbind Domain — Specifies the Windows Active Directory or domain controller to connect to.
  • Security Model — Allows you to select a security model, which configures the Samba client mode of operation. The drop-down list allows you to select any of the following:
    • ads — This mode instructs Samba to act as a domain member in an Active Directory Server (ADS) realm. To operate in this mode, the krb5-server package must be installed, and Kerberos must be configured properly.
    • domain — In this mode, Samba will attempt to validate the username/password by authenticating it through a Windows NT Primary or Backup Domain Controller, similar to how a Windows NT Server would.
    • server — In this mode, Samba will attempt to validate the username/password by authenticating it through another SMB server (for example, a Windows NT Server). If the attempt fails, the user mode will take effect instead.
    • user — This is the default mode. With this level of security, a client must first log in with a valid username and password. Encrypted passwords can also be used in this security mode.
  • Winbind ADS Realm — When the ads Security Model is selected, this allows you to specify the ADS Realm the Samba server should act as a domain member of.
  • Winbind Domain Controllers — Use this option to specify which domain controller winbind should use.
  • Template Shell — When filling out the user information for a Windows NT user, the winbindd daemon uses the value chosen here to to specify the login shell for that user.
  • Allow offline login — By checking this option, you allow authentication information to be stored in a local cache (provided by SSSD). This information is then used when a user attempts to authenticate while offline.
Winbind provides only one method of authentication, Winbind password. This method of authentication uses the options specified in the User Account Configuration of Winbind to connect to a Windows Active Directory or a Windows domain controller.

8.1.2. Advanced Options

This tab allows you to configure advanced options, as listed below.
Advanced Options
Figure 8.2. Advanced Options

Local Authentication Options

  • Enable fingerprint reader support — By checking this option, you enable fingerprint authentication to log in by scanning your finger with the fingerprint reader.
  • Enable local access control — When enabled, /etc/security/access.conf is consulted for authorization of a user.
  • Password Hashing Algorithm — This option lets you specify which hashing or cryptographic algorithm should be used to encrypt locally stored passwords.

Other Authentication Options

Create home directories on the first login — When enabled, the user's home directory is automatically created when they log in if it does not already exist.

Smart Card Authentication Options

Enable smart card support — This option enables smart card authentication. Smart card authentication allows you to log in using a certificate and a key associated with a smart card.
When the Enable smart card support option is checked, the following options can be specified:
  • Card Removal Action — This option defines what action the system performs when the card is removed from the card reader during an active session. Two alternatives are available:
    • Ignore — The card removal is ignored and the system continues to function as normal.
    • Lock — The current session is immediately locked.
  • Require smart card login — Requires the user to login and authenticate with a smart card. It essentially disables any other type of password authentication. This option should not be selected until after you have successfully logged in using a smart card.
The pam_pkcs11 and the coolkey packages must be installed for this option to work. For more information about smart cards, refer to the Red Hat Enterprise Linux 6 Managing Single Sign-On and Smart Cards guide.

Note

You can restore all of the options specified in the Authentication Configuration Tool to the previous configuration setup by clicking Revert.

8.1.3. Command Line Version

The Authentication Configuration Tool also supports a command line interface. The command line version can be used in a configuration script or a kickstart script. The authentication options are summarized in Table 8.1, “Command Line Options”.

Tip

These options can also be found in the authconfig man page or by typing authconfig --help at the shell prompt.
Table 8.1. Command Line Options
Option Description
--enableshadow, --useshadow Enable shadow passwords
--disableshadow Disable shadow passwords
--passalgo=<descrypt|bigcrypt|md5|sha256|sha512> Hash/crypt algorithm to be used
--enablenis Enable NIS for user account configuration
--disablenis Disable NIS for user account configuration
--nisdomain=<domain> Specify an NIS domain
--nisserver=<server> Specify an NIS server
--enableldap Enable LDAP for user account configuration
--disableldap Disable LDAP for user account configuration
--enableldaptls Enable use of TLS with LDAP
--disableldaptls Disable use of TLS with LDAP
--enablerfc2307bis Enable use of RFC-2307bis schema for LDAP user information lookups
--disablerfc2307bis Disable use of RFC-2307bis schema for LDAP user information lookups
--enableldapauth Enable LDAP for authentication
--disableldapauth Disable LDAP for authentication
--ldapserver=<server> Specify an LDAP server
--ldapbasedn=<dn> Specify an LDAP base DN (Distinguished Name)
--ldaploadcacert=<URL> Load a CA certificate from the specified URL
--enablekrb5 Enable Kerberos for authentication
--disablekrb5 Disable Kerberos for authentication
--krb5kdc=<server> Specify Kerberos KDC server
--krb5adminserver=<server> Specify Kerberos administration server
--krb5realm=<realm> Specify Kerberos realm
--enablekrb5kdcdns Enable use of DNS to find Kerberos KDCs
--disablekrb5kdcdns Disable use of DNS to find Kerberos KDCs
--enablekrb5realmdns Enable use of DNS to find Kerberos realms
--disablekrb5realmdns Disable use of DNS to find Kerberos realms
--enablewinbind Enable winbind for user account configuration
--disablewinbind Disable winbind for user account configuration
--enablewinbindauth Enable winbindauth for authentication
--disablewinbindauth Disable winbindauth for authentication
--winbindseparator=<\> Character used to separate the domain and user part of winbind usernames if winbindusedefaultdomain is not enabled
--winbindtemplatehomedir=</home/%D/%U> Directory that winbind users have as their home
--winbindtemplateprimarygroup=<nobody> Group that winbind users have as their primary group
--winbindtemplateshell=</bin/false> Shell that winbind users have as their default login shell
--enablewinbindusedefaultdomain Configures winbind to assume that users with no domain in their usernames are domain users
--disablewinbindusedefaultdomain Configures winbind to assume that users with no domain in their usernames are not domain users
--winbindjoin=<Administrator> Joins the winbind domain or ADS realm as the specified administrator
--enablewinbindoffline Configures winbind to allow offline login
--disablewinbindoffline Configures winbind to prevent offline login
--smbsecurity=<user|server|domain|ads> Security mode to use for the Samba and Winbind services
--smbrealm=<realm> Default realm for Samba and Winbind services when security is set to ads
--enablewins Enable Wins for hostname resolution
--disablewins Disable Wins for hostname resolution
--enablesssd Enable SSSD for user information
--disablesssd Disable SSSD for user information
--enablecache Enable nscd
--disablecache Disable nscd
--enablelocauthorize Local authorization is sufficient for local users
--disablelocauthorize Local users are also authorized through a remote service
--enablesysnetauth Authenticate system accounts with network services
--disablesysnetauth Authenticate system accounts with local files only
--enablepamaccess Check /etc/security/access.conf during account authorization
--disablepamaccess Do not check /etc/security/access.conf during account authorization
--enablemkhomedir Create a home directory for a user on the first login
--disablemkhomedir Do not create a home directory for a user on the first login
--enablesmartcard Enable authentication with a smart card
--disablesmartcard Disable authentication with a smart card
--enablerequiresmartcard Require smart card for authentication
--disablerequiresmartcard Do not require smart card for authentication
--smartcardmodule=<module> Default smart card module to use
--smartcardaction=<0=Lock|1=Ignore> Action to be taken when smart card removal is detected
--enablefingerprint Enable fingerprint authentication
--disablefingerprint Disnable fingerprint authentication
--nostart Do not start or stop the portmap, ypbind, or nscd services even if they are configured
--test Do not update the configuration files, only print the new settings
--update, --kickstart Opposite of --test, update configuration files with changed settings
--updateall Update all configuration files
--probe Probe and display network defaults
--savebackup=<name> Save a backup of all configuration files
--restorebackup=<name> Restore a backup of all configuration files
--restorelastbackup Restore the backup of configuration files saved before the previous configuration change