When setting up sshd with Kerberos on Ubuntu, one needs to "make sure that each user has a valid account, either on the local host (via adduser or similar), or through a shared source such as LDAP".
Why is that?
I can see that if you use the GSSAPIAuthentication option or KerberosAuthentication, you've validated the user against a KDC.
Is this simply a matter of needing to map the username to a userid?
The KDC validates the principal, not the user account. (A principal can be created for a user, a service, etc.; to the KDC it is all principals, and it verifies the identity of those.) Linux requires a username and its corresponding uid and gid (and a few optional attributes) to consider it a valid user account. The KDC has no idea about these details and can't provide them, hence the user details must be made available to the OS via NSS. Depending on the configuration, NSS can fetch the user details from files (local users), ldap, or some other source.

Once the OS knows it is a valid user account (getent passwd user_name), you may use any available authentication mechanism (local passwd, ldap auth, kerberos, etc.) to validate the user account. For kerberos auth: the system maps the principal (abc@REALM) to the user 'abc' by stripping the REALM portion (by default) and grants access if kerberos validation is successful for the principal abc@REALM.

Kerberos authentication tokens do not give security context, such as group permissions, which ldap provides; they only tell you whether the credential was valid.
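As an added illustration of the two separate checks described in the answer above (this is example code, not part of the original post and not OpenSSH's or krb5's own code): the KDC step is modelled as a boolean outcome, the principal-to-local-name mapping follows MIT krb5's DEFAULT auth_to_local rule (the realm is stripped only for a single-component principal in the default realm, otherwise there is no mapping), and the account lookup goes either to a constructed passwd table standing in for the NSS "files" source or, via lookup_nss, to the host's real NSS configuration, which is what getent passwd consults. The realm EXAMPLE.COM and the accounts in the table are constructed for the example.

```python
# Added example (not from the original post): why sshd still needs an OS account
# after the KDC has validated a Kerberos principal.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Account:
    """The attributes the OS needs before a name counts as a user account."""
    name: str
    uid: int
    gid: int
    home: str
    shell: str


# Constructed stand-in for the NSS "files" source (/etc/passwd); not real system data.
CONSTRUCTED_PASSWD = {
    "abc": Account("abc", 1001, 1001, "/home/abc", "/bin/bash"),
    "backup": Account("backup", 34, 34, "/var/backups", "/usr/sbin/nologin"),
}


def lookup_constructed(name: str) -> Optional[Account]:
    """Look a name up in the constructed passwd table."""
    return CONSTRUCTED_PASSWD.get(name)


def lookup_nss(name: str) -> Optional[Account]:
    """Real lookup through NSS (files, ldap, sss, ...), i.e. what 'getent passwd name' does."""
    import pwd  # Unix only; imported here so the rest of the example loads anywhere
    try:
        p = pwd.getpwnam(name)
    except KeyError:
        return None
    return Account(p.pw_name, p.pw_uid, p.pw_gid, p.pw_dir, p.pw_shell)


def principal_to_localname(principal: str, default_realm: str) -> Optional[str]:
    """MIT krb5 DEFAULT auth_to_local rule: 'abc@REALM' -> 'abc' only when REALM is the
    default realm and the principal has a single component; otherwise no mapping."""
    if "@" not in principal:
        raise ValueError(f"not a fully qualified principal: {principal!r}")
    name, realm = principal.rsplit("@", 1)
    if realm != default_realm or "/" in name or not name:
        return None
    return name


def authorize(principal: str, kdc_validated: bool, default_realm: str,
              lookup: Callable[[str], Optional[Account]] = lookup_constructed,
              ) -> Tuple[str, Optional[Account], str]:
    """Combine the two checks that happen on a Kerberos login.

    kdc_validated stands for the outcome of the GSSAPI/Kerberos exchange. Even when
    it is True, login can only proceed if NSS can supply a uid/gid for the mapped name.
    """
    if not kdc_validated:
        return ("deny", None, "KDC did not validate the principal")
    local = principal_to_localname(principal, default_realm)
    if local is None:
        return ("deny", None, f"no local-name mapping for {principal}")
    acct = lookup(local)
    if acct is None:
        return ("deny", None, f"{principal} maps to {local!r} but NSS has no such account")
    return ("allow", acct,
            f"{principal} -> {local} (uid={acct.uid}, gid={acct.gid}, shell={acct.shell})")


if __name__ == "__main__":
    # Constructed principals: a valid one, one with no account, one from a foreign
    # realm, and a two-component service principal that the default rule does not map.
    for p in ("abc@EXAMPLE.COM", "ghost@EXAMPLE.COM", "abc@OTHER.REALM", "host/box@EXAMPLE.COM"):
        decision, _, why = authorize(p, True, "EXAMPLE.COM")
        print(f"{decision:5} {why}")
    # The same logic against this host's real NSS configuration (like getent passwd root):
    print(authorize("root@EXAMPLE.COM", True, "EXAMPLE.COM", lookup=lookup_nss)[2])
```

The point to take away is that "ghost@EXAMPLE.COM" is denied even though kdc_validated is True: the ticket was good, but nothing on the host can turn the name into a uid, gid and home directory, which is exactly what the Ubuntu instruction about adduser or LDAP is covering. Swapping lookup_constructed for lookup_nss reproduces the real decision on a host, since pwd.getpwnam goes through the same NSS sources (files, ldap, sss) that getent passwd uses.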