Chapter 29. Authentication Configuration
When a user logs in to a Red Hat Enterprise Linux system, the username and password combination must be verified, or authenticated, as a valid and active user. Sometimes the information to verify the user is located on the local system, and other times the system defers the authentication to a user database on a remote system.
The Authentication Configuration Tool provides a graphical interface for configuring user information retrieval from NIS, LDAP, and Hesiod servers. This tool also allows you to configure LDAP, Kerberos, and SMB as authentication protocols.
Note
If you configured a medium or high security level during installation (or with the Security Level Configuration Tool), then the firewall will prevent NIS (Network Information Service) authentication.
This chapter does not explain each of the different authentication types in detail. Instead, it explains how to use the Authentication Configuration Tool to configure them.
To start the graphical version of the Authentication Configuration Tool from the desktop, select the System (on the panel) > > or type the command
system-config-authentication at a shell prompt (for example, in an XTerm or a GNOME terminal).
Important
After exiting the authentication program, the changes made take effect immediately.
29.1. User Information
The User Information tab allows you to configure how users should be authenticated, and has several options. To enable an option, click the empty checkbox beside it. To disable an option, click the checkbox beside it to clear the checkbox. Click to exit the program and apply the changes.
Figure 29.1. User Information
The following list explains what each option configures:
NIS
The Enable NIS Support option configures the system to connect to an NIS server (as an NIS client) for user and password authentication. Click the button to specify the NIS domain and NIS server. If the NIS server is not specified, the daemon attempts to find it via broadcast.
The
ypbind package must be installed for this option to work. If NIS support is enabled, the portmap and ypbind services are started and are also enabled to start at boot time.
For more information about NIS, refer to Section 48.2.3, “Securing NIS”.
LDAP
The Enable LDAP Support option instructs the system to retrieve user information via LDAP. Click the button to specify the following:
- LDAP Search Base DN — Specifies that user information should be retrieved using the listed Distinguished Name (DN).
- LDAP Server — Specifies the IP address of the LDAP server.
- Use TLS to encrypt connections — When enabled, Transport Layer Security will be used to encrypt passwords sent to the LDAP server. The option allows you to specify a URL from which to download a valid CA (Certificate Authority) Certificate. A valid CA Certificate must be in PEM (Privacy Enhanced Mail) format.For more information about CA Certificates, refer to Section 25.8.2, “An Overview of Certificates and Security”.
The
openldap-clients package must be installed for this option to work.
For more information about LDAP, refer to Chapter 28, Lightweight Directory Access Protocol (LDAP).
Hesiod
The Enable Hesiod Support option configures the system to retrieve information (including user information) from a remote Hesiod database. Click the button to specify the following:
- Hesiod LHS — Specifies the domain prefix used for Hesiod queries.
- Hesiod RHS — Specifies the default Hesiod domain.
The
hesiod package must be installed for this option to work.
For more information about Hesiod, refer to its man page using the command
man hesiod. You can also refer to the hesiod.conf man page (man hesiod.conf) for more information on LHS and RHS.
Winbind
The Enable Winbind Support option configures the system to connect to a Windows Active Directory or a Windows domain controller. User information from the specified directory or domain controller can then be accessed, and server authentication options can be configured. Click the button to specify the following:
- Winbind Domain — Specifies the Windows Active Directory or domain controller to connect to.
- Security Model — Allows you to select a security model, which configures how clients should respond to Samba. The drop-down list allows you select any of the following:
- user — This is the default mode. With this level of security, a client must first log in with a valid username and password. Encrypted passwords can also be used in this security mode.
- server — In this mode, Samba will attempt to validate the username/password by authenticating it through another SMB server (for example, a Windows NT Server). If the attempt fails, the user mode will take effect instead.
- domain — In this mode, Samba will attempt to validate the username/password by authenticating it through a Windows NT Primary or Backup Domain Controller, similar to how a Windows NT Server would.
- ads — This mode instructs Samba to act as a domain member in an Active Directory Server (ADS) realm. To operate in this mode, the
krb5-serverpackage must be installed, and Kerberos must be configured properly.
- Winbind ADS Realm — When the ads Security Model is selected, this allows you to specify the ADS Realm the Samba server should act as a domain member of.
- Winbind Domain Controllers — Use this option to specify which domain controller
winbindshould use. For more information about domain controllers, please refer to Section 22.6.3, “Domain Controller”. - Template Shell — When filling out the user information for a Windows NT user, the
winbindddaemon uses the value chosen here to to specify the login shell for that user.
For more information about the
winbind service, refer to winbindd under Section 22.2, “Samba Daemons and Related Services”.
