I have the following situation: I have a server running RHEL 7.4. This server's main purpose is to host an RStudio Server Pro instance, which allows users to connect to a kerberized Hadoop cluster in a different realm to leverage its distributed computing capabilities.
This works fine if user opens an R session in RStudio IDE and runs system("kinit -kt /path/to/keytab username")
. With this call user is able to obtain and cache a Kerberos ticket.
I'm now wondering how I could free users from running this command and offer a behind-the-scenes solution.
Currently, users are authenticated by PAM. I'm aware of the Kerberos service module for PAM pam_krb5
but I don't really understand how I should configure my existing rstudio
profile:
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
I have read the RStudio documentation on Kerberos but it doesn't tell me how I can authenticate users via keytabs on a server in a different Kerberos realm (cross realm authentication?).
How should my RStudio PAM profile look like to achieve this?
Edit: Adding system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass
auth requisite pam_vas3.so echo_return
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth sufficient pam_krb5.so use_first_pass
#auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account sufficient pam_vas3.so
account requisite pam_vas3.so echo_return
account required pam_unix.so broken_shadow
account required pam_faillock.so
account sufficient pam_succeed_if.so uid < 100 quiet
account sufficient pam_succeed_if.so user ingroup UNIX_ADMINISTRATORS
account sufficient pam_succeed_if.so user ingroup UNIX_OPERATORS
account sufficient pam_succeed_if.so user ingroup TSM_ADMINISTRATORS
account sufficient pam_succeed_if.so user ingroup smadming
account required pam_succeed_if.so user ingroup SERVER_STAFF
account optional /lib64/security/pam_krb5.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 retry=3 minlen=8 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 difok=4
password sufficient pam_vas3.so
password requisite pam_vas3.so echo_return
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=15
password sufficient pam_krb5.so use_authtok
#password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_limits.so
session required pam_vas3.so create_homedir
session requisite pam_vas3.so echo_return
session required pam_unix.so
session optional pam_krb5.so