My situation is as follows: I have a server running RHEL 7.4. The main purpose of this server is to host an RStudio Server Pro instance, which lets users connect to Kerberized Hadoop cluster realms in different environments in order to use their distributed computing power.
This works fine if a user opens an R session in the RStudio IDE and runs `system("kinit -kt /path/to/keytab username")`. With this call the user obtains and caches a Kerberos ticket.
I would now like to know how to spare users from running this command and provide a behind-the-scenes solution.
Currently, users authenticate via PAM. I know about the Kerberos service module for PAM, `pam_krb5`, but I really don't understand how to configure my existing `rstudio` configuration file:
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
I have read the RStudio documentation on Kerberos, but it doesn't tell me how to authenticate users via a keytab against a server in a different Kerberos realm (cross-realm authentication?).
What should my RStudio PAM configuration file look like to achieve this?
Edit: adding `system-auth`
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass
auth requisite pam_vas3.so echo_return
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth sufficient pam_krb5.so use_first_pass
#auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account sufficient pam_vas3.so
account requisite pam_vas3.so echo_return
account required pam_unix.so broken_shadow
account required pam_faillock.so
account sufficient pam_succeed_if.so uid < 100 quiet
account sufficient pam_succeed_if.so user ingroup UNIX_ADMINISTRATORS
account sufficient pam_succeed_if.so user ingroup UNIX_OPERATORS
account sufficient pam_succeed_if.so user ingroup TSM_ADMINISTRATORS
account sufficient pam_succeed_if.so user ingroup smadming
account required pam_succeed_if.so user ingroup SERVER_STAFF
account optional /lib64/security/pam_krb5.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 retry=3 minlen=8 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 difok=4
password sufficient pam_vas3.so
password requisite pam_vas3.so echo_return
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=15
password sufficient pam_krb5.so use_authtok
#password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_limits.so
session required pam_vas3.so create_homedir
session requisite pam_vas3.so echo_return
session required pam_unix.so
session optional pam_krb5.so
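As an added example that is not part of the question above, the following shows one way to take the manual `kinit -kt` step out of the users' hands while keeping the keytab approach the question already relies on: a `pam_exec` session hook for the `rstudio` PAM service. Note that `pam_krb5` is a different mechanism, as it authenticates the user's password against the KDC of the realm configured in `krb5.conf` and caches the resulting ticket; it does not use a per-user keytab. The hook below instead automates exactly the `kinit -kt <keytab> <principal>` call from the question, which talks directly to the KDC of the principal's realm and therefore needs no cross-realm trust, only that the realm is reachable and known to `krb5.conf`. The script path `/usr/local/sbin/kinit-keytab.sh`, the keytab directory `/etc/security/keytabs`, the `<user>.keytab` naming, the realm `HADOOP.EXAMPLE.COM` and the `user@REALM` principal form are all assumptions for illustration; `pam_exec` exporting `PAM_USER` and `PAM_TYPE`, and running the hook with the privileges of the process that opens the session, is documented behaviour of the module.

```shell
#!/bin/bash
# Added example (not from the original post): a pam_exec session hook that
# runs the kinit -kt step the users currently type by hand.
#
# Assumed wiring, appended to the "rstudio" PAM service posted above:
#   session optional pam_exec.so /usr/local/sbin/kinit-keytab.sh
# pam_exec exports PAM_USER and PAM_TYPE to the hook. With the default
# pam_exec options the hook runs with the privileges of the process opening
# the session (assumed to be root here), so it drops to the user via runuser.

KEYTAB_DIR="${KEYTAB_DIR:-/etc/security/keytabs}"   # assumed per-user keytab directory
REALM="${REALM:-HADOOP.EXAMPLE.COM}"                 # assumed realm of the Hadoop cluster

# One keytab per user: <dir>/<user>.keytab (assumed naming convention).
keytab_path() {
    printf '%s/%s.keytab\n' "$KEYTAB_DIR" "$1"
}

# The principal to obtain a ticket for, user@REALM (assumed naming convention).
principal_for() {
    printf '%s@%s\n' "$1" "$2"
}

# A keytab is a password equivalent: accept it only if it is a regular file,
# owned by the user, with no group/other permission bits (mode ?00).
keytab_is_private() {
    local file="$1" user="$2" owner mode
    [ -f "$file" ] || return 1
    owner=$(stat -c '%U' "$file" 2>/dev/null) || return 1
    [ "$owner" = "$user" ] || return 1
    mode=$(stat -c '%a' "$file" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

main() {
    # Only act when the session is opened; pam_exec also calls us on close.
    [ "$PAM_TYPE" = "open_session" ] || return 0
    local user="$PAM_USER" keytab principal
    keytab=$(keytab_path "$user")
    principal=$(principal_for "$user" "$REALM")
    if ! keytab_is_private "$keytab" "$user"; then
        logger -t kinit-keytab "no private keytab for $user, skipping kinit"
        return 0    # never block the login; the user can still kinit by hand
    fi
    # Run kinit as the user so the ticket lands in that user's default
    # credential cache (as set by krb5.conf), where the R session will find it.
    if ! runuser -u "$user" -- kinit -kt "$keytab" "$principal"; then
        logger -t kinit-keytab "kinit failed for $principal"
    fi
    return 0
}

# PAM_TYPE is only set when pam_exec invokes the hook.
if [ -n "${PAM_TYPE:-}" ]; then
    main
fi
```

Because the rule is `session optional`, the hook's return value never affects the login; a missing or world-readable keytab is only logged and the user falls back to the manual `kinit`. The R session will pick up the ticket only if it resolves the same default credential cache as `kinit` did for that user, so check `default_ccache_name` in `krb5.conf` and make sure nothing in the RStudio session sets a different `KRB5CCNAME`.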