KB-16388: What are the recommended settings for SSO regarding the .k5login file in an environment where home directories are NFS mounted?

Authentication Service

24 September 2019 at 10:11 PM

Question:  What are the recommended settings for SSO regarding the .k5login file in an environment where home directories are NFS mounted?

Answer: This depends on how the user manages SSO, the version of sshd in use, and the DirectControl version that is running. If a .k5login file is present in the user's home directory, it is used to determine which accounts may SSO into the system. If sshd cannot open the .k5login file to read it, that is treated as a failure and access is denied. This becomes a problem when home directories are on an NFS mount that denies the root account access via the "root_squash" export option, because sshd attempts the read as root.

Options:
  • If the system runs Centrify OpenSSH sshd and provisioned AD users are not expected to let other users log in to their accounts via Single Sign-On with those users' own credentials, then .k5login creation can simply be disabled and the existing .k5login files removed from all home directories. Centrify OpenSSH sshd can then determine on its own whether the Kerberos credential matches the target login user and decide whether the login is allowed. The centrifydc.conf parameter that disables .k5login creation is:
         pam.create.k5login: false
  • Alternatively, tell adclient to ignore the .k5login file, or specify an alternate directory in which the users' .k5login files are kept:
                  krb5.sso.ignore.k5login: true

                  For security reasons the specified directory should be owned by root and writable only by root.
                  krb5.conf.k5login.directory:

Note: Once a .k5login file is present, it is honored.
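The following shell script is an added example for auditing the settings discussed above; it is not part of the original article and not Centrify's own tooling. It reads a centrifydc.conf, reports which of the options the file has selected (the default values it assumes for the parameters are marked as assumptions in the comments), verifies that a directory named in krb5.conf.k5login.directory is owned by root and writable only by root, and lists any .k5login files that remain under a home root. It assumes centrifydc.conf uses "key: value" lines with '#' comments and that GNU stat is available.

```shell
#!/bin/sh
# Added example (not from the article or Centrify): audit .k5login-related
# settings in centrifydc.conf and the permissions of an alternate .k5login
# directory. Assumes "key: value" config lines, '#' comments, GNU stat.

# Print the effective value of KEY in CONF, or DEFAULT when the key is
# absent or commented out. The last uncommented occurrence wins.
conf_value() {
    conf="$1"; key="$2"; default="$3"
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    val=$(sed -n "s/^[[:space:]]*$esc[[:space:]]*:[[:space:]]*//p" "$conf" \
          | tail -n 1 | sed 's/[[:space:]]*$//')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Report which option the configuration has chosen. Prints one of:
#   create-disabled  (pam.create.k5login: false)
#   ignore-k5login   (krb5.sso.ignore.k5login: true)
#   alt-directory    (krb5.conf.k5login.directory set)
#   default          (none of the above: ~/.k5login is used if present)
# The defaults passed to conf_value are assumptions, not documented values.
k5login_mode() {
    conf="$1"
    if [ "$(conf_value "$conf" pam.create.k5login true)" = "false" ]; then
        echo create-disabled
    elif [ "$(conf_value "$conf" krb5.sso.ignore.k5login false)" = "true" ]; then
        echo ignore-k5login
    elif [ -n "$(conf_value "$conf" krb5.conf.k5login.directory "")" ]; then
        echo alt-directory
    else
        echo default
    fi
}

# Return 0 when DIR is owned by uid OWNER (root, 0, by default) and is not
# writable by group or others; return 1 otherwise.
k5login_dir_ok() {
    dir="$1"; owner="${2:-0}"
    [ -d "$dir" ] || return 1
    uid=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$uid" = "$owner" ] || return 1
    grp=$(printf '%s' "$mode" | tail -c 2 | head -c 1)   # group permission digit
    oth=$(printf '%s' "$mode" | tail -c 1)               # other permission digit
    [ $((grp & 2)) -eq 0 ] && [ $((oth & 2)) -eq 0 ]
}

# List .k5login files directly beneath each home directory under HOME_ROOT;
# with pam.create.k5login disabled the article says these should be removed.
find_k5login_files() {
    find "$1" -mindepth 2 -maxdepth 2 -name .k5login -type f 2>/dev/null
}

# Usage: sh audit_k5login.sh /etc/centrifydc/centrifydc.conf /home
if [ $# -ge 2 ]; then
    echo "mode: $(k5login_mode "$1")"
    altdir=$(conf_value "$1" krb5.conf.k5login.directory "")
    if [ -n "$altdir" ]; then
        if k5login_dir_ok "$altdir"; then echo "alt dir $altdir: OK"
        else echo "alt dir $altdir: NOT root-owned/root-writable-only"; fi
    fi
    echo "remaining .k5login files under $2:"
    find_k5login_files "$2"
fi
```

Run it as root on the DirectControl host against the real centrifydc.conf; the home-root scan only reports files that root can see, which on a root_squash NFS mount is precisely the case the article describes.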
