linux:arch_ad_backend
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
linux:arch_ad_backend [2013/09/05 17:40] jkilmer |
linux:arch_ad_backend [2018/06/01 03:18] bmiddha |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | FIXME **Kerberos is still used for doing forced password updates at login and password changes, this is currently not working with just nslcd 08/09/12 - walter** | + | ====== Arch AD Auth ====== |
| ====== Packages ====== | ====== Packages ====== | ||
| - | nss-pam-ldapd (aur) | + | nss-pam-ldapd |
| krb5 | krb5 | ||
| pam-krb5 | pam-krb5 | ||
| + | |||
| + | acm-pam ([[linux:acm_custom_repo|acm repo]]) | ||
| + | |||
| + | acm-admins-sudo ([[linux:acm_custom_repo|acm repo]]) | ||
| ====== Configs ====== | ====== Configs ====== | ||
| ===== Kerberos ===== | ===== Kerberos ===== | ||
| - | <file|krb5.conf> | + | <file|/etc/krb5.conf> |
| [libdefaults] | [libdefaults] | ||
| - | default_realm = ACM.CS | + | default_realm = ACM.CS |
| + | dns_lookup_realm = false | ||
| + | dns_lookup_kdc = true | ||
| [realms] | [realms] | ||
| - | ACM.CS = { | + | |
| - | kdc = ad1.acm.cs | + | |
| - | kdc = ad2.acm.cs | + | |
| - | admin_server = ad.acm.cs | + | |
| - | default_domain=ACM.CS | + | |
| - | } | + | |
| [domain_realm] | [domain_realm] | ||
| - | .acm.cs = ACM.CS | + | acm.cs = ACM.CS |
| - | acm.cs = ACM.CS | + | .acm.cs = ACM.CS |
| + | |||
| + | [logging] | ||
| + | # kdc = CONSOLE | ||
| </file> | </file> | ||
| To test run | To test run | ||
| - | <code>kinit username@ACM.CS</code> | + | <code>kinit username</code> |
| ===== LDAP/NSLCD ===== | ===== LDAP/NSLCD ===== | ||
| Line 34: | Line 41: | ||
| **Make sure nslcd.conf can only be read by root** | **Make sure nslcd.conf can only be read by root** | ||
| - | <file|nslcd.conf> | + | <file|/etc/nslcd.conf> |
| uid nslcd | uid nslcd | ||
| gid nslcd | gid nslcd | ||
| - | uri ldaps://172.29.10.254/ | + | uri ldaps://ad1.acm.cs/ |
| - | uri ldaps://172.29.10.10/ | + | uri ldaps://ad2.acm.cs/ |
| ldap_version 3 | ldap_version 3 | ||
| Line 65: | Line 72: | ||
| referrals off | referrals off | ||
| idle_timelimit 800 | idle_timelimit 800 | ||
| - | filer passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) | + | filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) |
| map passwd uid sAMAccountName | map passwd uid sAMAccountName | ||
| map passwd homeDirectory unixHomeDirectory | map passwd homeDirectory unixHomeDirectory | ||
| map passwd gecos displayName | map passwd gecos displayName | ||
| - | filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) | + | filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) |
| map shadow uid sAMAccountName | map shadow uid sAMAccountName | ||
| map shadow shadowLastChange pwdLastSet | map shadow shadowLastChange pwdLastSet | ||
| Line 79: | Line 86: | ||
| Edit the passwd, shadow, and group lines to this | Edit the passwd, shadow, and group lines to this | ||
| - | <file|nsswitch.conf> | + | <file|/etc/nsswitch.conf> |
| - | passwd: compat ldap [NOTFOUND=return] | + | passwd: files ldap [NOTFOUND=return] |
| - | shadow: compat ldap [NOTFOUND=return] | + | shadow: files ldap [NOTFOUND=return] |
| - | group: compat ldap [NOTFOUND=return] | + | group: files ldap [NOTFOUND=return] |
| </file> | </file> | ||
| Line 94: | Line 101: | ||
| To give admins sudo | To give admins sudo | ||
| - | <file|sudoers> | + | <file|/etc/sudoers.d/AcmLanAdmins> |
| %AcmLanAdmins ALL=(ALL) ALL | %AcmLanAdmins ALL=(ALL) ALL | ||
| </file> | </file> | ||
| Line 102: | Line 109: | ||
| These files are in /etc/pam.d | These files are in /etc/pam.d | ||
| - | FIXME | + | Force install acm-pam |
| + | <code> | ||
| + | pacman -S --force acm-pam | ||
| + | </code> | ||
| + | This will install a working PAM stack for auth against the ACM AD domain | ||
linux/arch_ad_backend.txt · Last modified: 2021/05/02 21:36 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
