This shows you the differences between two versions of the page.
linux:arch_ad_backend [2015/02/18 16:22] walter [Packages] |
linux:arch_ad_backend [2018/06/15 02:11] bmiddha [Packages] |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Arch AD Auth ====== | ||
+ | |||
====== Packages ====== | ====== Packages ====== | ||
- | nss-pam-ldapd | + | <code>pacman -S nss-pam-ldapd krb5 pam-krb5</code> |
- | + | ||
- | krb5 | + | |
- | + | ||
- | pam-krb5 (aur) | + | |
- | + | ||
- | acm-pam ([[acm_custom_repo|acm repo]]) | + | |
- | acm-admins-sudo ([[acm_custom_repo|acm repo]]) | ||
====== Configs ====== | ====== Configs ====== | ||
===== Kerberos ===== | ===== Kerberos ===== | ||
- | <file|krb5.conf> | + | <file|/etc/krb5.conf> |
[libdefaults] | [libdefaults] | ||
default_realm = ACM.CS | default_realm = ACM.CS | ||
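Review bot: the new `pacman -S nss-pam-ldapd krb5 pam-krb5` line drops the "(aur)" marker the old list carried on pam-krb5, so a reader cannot tell whether the command works against the stock repositories; state where pam-krb5 comes from now, or keep it out of the pacman line and document its install separately. The system-auth stack added later in this revision never references pam_krb5.so, so the page should also say why the package is still installed.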
Line 39: | Line 34: | ||
**Make sure nslcd.conf can only be read by root** | **Make sure nslcd.conf can only be read by root** | ||
- | <file|nslcd.conf> | + | <file|/etc/nslcd.conf> |
uid nslcd | uid nslcd | ||
gid nslcd | gid nslcd | ||
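Review bot: the bold warning above `<file|/etc/nslcd.conf>` says the file must be readable only by root but gives no command or expected mode, and the `uid nslcd` / `gid nslcd` lines right below it may lead a reader to hand ownership to nslcd instead. Since this revision already adds the full path, add the concrete step next to the warning, for example `chown root:root /etc/nslcd.conf` and `chmod 600 /etc/nslcd.conf`.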
Line 84: | Line 79: | ||
Edit the passwd, shadow, and group lines to this | Edit the passwd, shadow, and group lines to this | ||
- | <file|nsswitch.conf> | + | <file|/etc/nsswitch.conf> |
- | passwd: compat ldap [NOTFOUND=return] | + | passwd: files ldap [NOTFOUND=return] |
- | shadow: compat ldap [NOTFOUND=return] | + | shadow: files ldap [NOTFOUND=return] |
- | group: compat ldap [NOTFOUND=return] | + | group: files ldap [NOTFOUND=return] |
</file> | </file> | ||
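Review bot: on the three new passwd, shadow and group lines, `[NOTFOUND=return]` follows ldap, which is the last source, so there is no later source for it to stop and the action has no effect. Drop it, or move it after the source it is meant to guard. A one-line reason for replacing compat with files would also help the next editor.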
Line 99: | Line 94: | ||
To give admins sudo | To give admins sudo | ||
- | <file|sudoers> | + | <file|/etc/sudoers.d/AcmLanAdmins> |
%AcmLanAdmins ALL=(ALL) ALL | %AcmLanAdmins ALL=(ALL) ALL | ||
</file> | </file> | ||
- | ===== PAM ===== | + | <file|/etc/pam.d/system-auth> |
+ | auth sufficient pam_ldap.so | ||
+ | auth required pam_unix.so try_first_pass nullok | ||
+ | auth optional pam_permit.so | ||
+ | auth required pam_env.so | ||
- | These files are in /etc/pam.d | + | account sufficient pam_ldap.so |
+ | account required pam_unix.so | ||
+ | account optional pam_permit.so | ||
+ | account required pam_time.so | ||
- | Force install acm-pam | + | password sufficient pam_ldap.so |
- | <code> | + | password required pam_unix.so try_first_pass nullok sha512 shadow |
- | pacman -S --force acm-pam | + | password optional pam_permit.so |
- | </code> | + | |
- | This will install a working PAM stack for auth against the ACM AD domain | + | session required pam_limits.so |
+ | session required pam_unix.so | ||
+ | session optional pam_ldap.so | ||
+ | session optional pam_permit.so | ||
+ | </file> |
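Review bot: in the new /etc/pam.d/system-auth, `auth sufficient pam_ldap.so` and `account sufficient pam_ldap.so` come first, so a successful LDAP result ends the stack there and the `required` pam_env.so, pam_unix.so (account) and pam_time.so lines below them never run for directory users. Move those lines above pam_ldap.so or use a control for pam_ldap.so that continues the stack. `nullok` on the pam_unix.so auth and password lines accepts local accounts with an empty password and should be removed unless that is intended. The hunk also deletes the `===== PAM =====` heading and the "These files are in /etc/pam.d" sentence, which leaves the PAM file sitting under the sudo text with no heading of its own; keep the heading above `<file|/etc/pam.d/system-auth>`.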