Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-16388: What are the recommend settings for SSO regarding .k5login file in an environment where home directories are NFS mounted?

Authentication Service ,  

24 September,19 at 10:11 PM

Question:  What are the recommend settings for SSO regarding .k5login file in an environment where home directories are NFS mounted?

Answer: This depends on how the user manages the SSO, the version of sshd that is being used and which DirectControl version is running. If the .k5login file is present in the users home directory it will be used to verify what accounts can SSO into a system. If sshd cannot open the .k5login file to read it, it is considered a failure and access will fail. This can cause a problem when the Home directories are on a NFS mount where the root account has been denied access using the "rootsquash" parameter.

Options:
  • If the system is running  Centrify openssh sshd and it is not expected to allow provisioned AD users to allow other users to login using Single Sign On to the system using their credentials then the .k5login creation can simply be disabled and the .k5login files removed all from the home directories. Centrify Openssh sshd can then compute if the kerberos credential matches the target user login to decide if will be alllowed.  The centrifydc.conf paramter to disable .k5login creation is:
         pam.create.k5login: false
  • The alternative is to tell adclient to ignore the .k5login file or specify an alternate location to hold the .k5login for the users.
                  krb5.sso.ignore.k5login: true 

                  For security reasons the specified directory should be owned by root and writeable to root only.
                  krb5.conf.k5login.directory:

Note: Once the file .k5login is presented, it is honored.  

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-3925: How to add Centrify parameter to a group policy articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I