linux:arch_ad_backend
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
linux:arch_ad_backend [2014/09/17 15:16] walter [Kerberos] |
linux:arch_ad_backend [2018/06/01 03:18] bmiddha |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | FIXME **Kerberos is still used for doing forced password updates at login and password changes, this is currently not working with just nslcd 08/09/12 - walter** | + | ====== Arch AD Auth ====== |
| ====== Packages ====== | ====== Packages ====== | ||
| Line 6: | Line 7: | ||
| krb5 | krb5 | ||
| - | pam-krb5 (aur) | + | pam-krb5 |
| + | |||
| + | acm-pam ([[linux:acm_custom_repo|acm repo]]) | ||
| + | |||
| + | acm-admins-sudo ([[linux:acm_custom_repo|acm repo]]) | ||
| ====== Configs ====== | ====== Configs ====== | ||
| ===== Kerberos ===== | ===== Kerberos ===== | ||
| - | <file|krb5.conf> | + | <file|/etc/krb5.conf> |
| [libdefaults] | [libdefaults] | ||
| default_realm = ACM.CS | default_realm = ACM.CS | ||
| Line 29: | Line 34: | ||
| To test run | To test run | ||
| - | <code>kinit username,/code> | + | <code>kinit username</code> |
| ===== LDAP/NSLCD ===== | ===== LDAP/NSLCD ===== | ||
| Line 36: | Line 41: | ||
| **Make sure nslcd.conf can only be read by root** | **Make sure nslcd.conf can only be read by root** | ||
| - | <file|nslcd.conf> | + | <file|/etc/nslcd.conf> |
| uid nslcd | uid nslcd | ||
| gid nslcd | gid nslcd | ||
| Line 67: | Line 72: | ||
| referrals off | referrals off | ||
| idle_timelimit 800 | idle_timelimit 800 | ||
| - | filer passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) | + | filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) |
| map passwd uid sAMAccountName | map passwd uid sAMAccountName | ||
| map passwd homeDirectory unixHomeDirectory | map passwd homeDirectory unixHomeDirectory | ||
| map passwd gecos displayName | map passwd gecos displayName | ||
| - | filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) | + | filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) |
| map shadow uid sAMAccountName | map shadow uid sAMAccountName | ||
| map shadow shadowLastChange pwdLastSet | map shadow shadowLastChange pwdLastSet | ||
| Line 81: | Line 86: | ||
| Edit the passwd, shadow, and group lines to this | Edit the passwd, shadow, and group lines to this | ||
| - | <file|nsswitch.conf> | + | <file|/etc/nsswitch.conf> |
| - | passwd: compat ldap [NOTFOUND=return] | + | passwd: files ldap [NOTFOUND=return] |
| - | shadow: compat ldap [NOTFOUND=return] | + | shadow: files ldap [NOTFOUND=return] |
| - | group: compat ldap [NOTFOUND=return] | + | group: files ldap [NOTFOUND=return] |
| </file> | </file> | ||
| Line 96: | Line 101: | ||
| To give admins sudo | To give admins sudo | ||
| - | <file|sudoers> | + | <file|/etc/sudoers.d/AcmLanAdmins> |
| %AcmLanAdmins ALL=(ALL) ALL | %AcmLanAdmins ALL=(ALL) ALL | ||
| </file> | </file> | ||
| Line 104: | Line 109: | ||
| These files are in /etc/pam.d | These files are in /etc/pam.d | ||
| - | FIXME | + | Force install acm-pam |
| + | <code> | ||
| + | pacman -S --force acm-pam | ||
| + | </code> | ||
| + | This will install a working PAM stack for auth against the ACM AD domain | ||
linux/arch_ad_backend.txt · Last modified: 2021/05/02 21:36 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
