Introduction

A DAS client is simply any host that is configured to use the DAS servers for authentication and user information. In our lab, the DAS client hosts happen to be shared resources that any researcher in the group can use. Our DAS clients support console logins, SSH logins, and optionally support Kerberized RLOGIN(eklogin) and Kerberized RSH (kshell). This can be used together with Apache and Perl Kerberos modules to setup a Single Sign On (SSO) or quasi-SSO environment. The first goal, however, is simply to unify and cetralize usernames, passwords, password policies, and UID/GID numbers throughout the network.

It may be helpful to take a look at what happens when a DAS user logs in to a DAS client host:


Login Sequence Diagram

Implementation Differences

On every DAS client, there are tasks that need to be done. This is complicated by the fact that different OS's vary in their implementations of the client software. The most difficult configuration task on the various clients is setting up the PAM configurations. It seems that every type of Unix-like OS that supports PAM has its own unique way of configuring PAM and the associated Kerb 5 modules. This was by far the most time-consuming portion of client configuration.

Heimdal vs. MIT Kerberos on the clients also creates some compatibility issues. For example, I could configure a SuSE client to do everything I wanted except use the kpasswd command. At first, I thought this was a Heimdal issue, but FreeBSD ships with Heimdal and had no problems using kpasswd.


The Name Service Cache Daemon (nscd)

Another component of the DAS system is nscd, which is only configured on DAS clients. It caches both positive and negative name lookups in order to improve performance and reduce the load on both network and servers. Most DAS client operating systems include nscd. The configuration file is called /etc/nscd.conf, but the default values rarely need to be changed.

NSCD caches any type of name lookup, including NIS, DNS, and LDAP. For more information, look at the following man pages:


Functionality

Certain functions are known to work correctly with DAS (NIS + Kerberos clients) and a DAS client host. Here is a list of those things that should work:

Things that do NOT work / work perfectly:


Configuration Tasks

Every client needs the same basic configuration tasks. Although the implemenation details vary, the basic tasks are all the same:

  1. Make sure prerequisites like IP networking and DNS records are configured
  2. Install and/or update software
  3. Configure NIS client
  4. Configure Kerb 5 client
  5. Configure PAM
  6. Start DAS client services and configure to start automatically after boot
  7. Make sure time synchronization is configured
  8. Test the client
  9. Tighten security