How is Kerberos used with Centrify with regard to UNIX-to-Active Directory authentications? Answer:
Centrify does not provide specific documentation describing how Kerberos works in general, as this is assumed prerequisite knowledge which can be acquired through textbooks or MIT documentation (Reference links have been provided at the end of this KB). Centrify also does not perform any special custom actions in its implementation of Kerberos.
The CentrifyDC involvement is as follows:
- On adjoin, krb5.keytab is automatically created.
- On a user interactive login, adclient will do a Kerberos authentication on behalf of the application (sshd) and create the user Kerberos cache.
- On adclient startup and also periodically, it will update krb5.conf to reflect the Kerberos realm topology.
- adclient will periodically update the system krb5.keytab.
- adclient can automatically renew an active user's credential cache.
- adkeytab is a tool to help the process of various krb5.keytab creation/maintenance operations.
involvement ends after it creates the user credential cache and places the tickets on the system.
For external applications to use Kerberos authentication, it is entirely up to the third-party application to already have the underlying code (and be configured) to use standard Kerberos protocols properly.
For further reading on Kerberos and its implementation in Active Directory, please see the following links: (Provided as a courtesy)