Red Hat NETWORK SATELLITE 5.3.0 Deployment Manual page 20

Chapter 2. Satellite Operation Guidance
Note
To ensure that PAM authentication functions properly, install the pam-devel package.
Set up a PAM service file (usually /etc/pam.d/rhn-satellite) and have the Satellite use it by
adding the following line to /etc/rhn/rhn.conf:
pam_auth_service = rhn-satellite
This assumes the PAM service file is named rhn-satellite.
To enable a user to authenticate against PAM, select the checkbox labeled Pluggable Authentication
Modules (PAM). It is positioned below the password and password confirmation fields on the Create
User page.
As an example, for a Red Hat Enterprise Linux 5 i386 system, to authenticate against Kerberos you
can add the following to /etc/pam.d/rhn-satellite:
#%PAM-1.0
auth required
auth sufficient
auth required
account required
Note that changing the password on the RHN website changes only the local password on the
Satellite server, which may not be used at all if PAM is enabled for that user. In the above example, for
instance, the Kerberos password will not be changed.
For LDAP authentication on 32-bit systems, add the following lines to the /etc/pam.d/rhn-
satellite file:
#%PAM-1.0
auth required
auth sufficient
auth required
account required
For LDAP support on 64-bit Satellite servers, add the following lines:
#%PAM-1.0
auth required
auth sufficient
auth required
account required
For more information about configuring PAM, refer to the Chapter entitled "Pluggable Authentication
Modules (PAM)" in the Red Hat Enterprise Linux Deployment Guide.
12
pam_env.so
pam_krb5.so no_user_check
pam_deny.so
pam_krb5.so no_user_check
/lib/security/pam_env.so
/lib/security/pam_ldap.so no_user_check
/lib/security/pam_deny.so
/lib/security/pam_ldap.so no_user_check
/lib64/security/pam_env.so
/lib64/security/pam_ldap.so no_user_check
/lib64/security/pam_deny.so
/lib64/security/pam_ldap.so no_user_check