This shows you the differences between two versions of the page.
linux:arch_ad_backend [2016/10/19 23:04] walter [Packages] |
linux:arch_ad_backend [2018/06/11 17:25] bmiddha |
||
---|---|---|---|
Line 9: | Line 9: | ||
pam-krb5 | pam-krb5 | ||
- | acm-pam ([[linux:acm_custom_repo|acm repo]]) | ||
- | |||
- | acm-admins-sudo ([[linux:acm_custom_repo|acm repo]]) | ||
====== Configs ====== | ====== Configs ====== | ||
===== Kerberos ===== | ===== Kerberos ===== | ||
- | <file|krb5.conf> | + | <file|/etc/krb5.conf> |
[libdefaults] | [libdefaults] | ||
default_realm = ACM.CS | default_realm = ACM.CS | ||
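Review bot: the package list at Line 9 drops acm-pam and acm-admins-sudo without saying what replaces them. Add a sentence pointing readers to the hand-written /etc/sudoers.d/AcmLanAdmins and /etc/pam.d/system-auth under Configs. pam-krb5 stays in the list, yet the system-auth stack added in this revision has no pam_krb5.so line, so the page should say whether the package is still required.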
Line 41: | Line 38: | ||
**Make sure nslcd.conf can only be read by root** | **Make sure nslcd.conf can only be read by root** | ||
- | <file|nslcd.conf> | + | <file|/etc/nslcd.conf> |
uid nslcd | uid nslcd | ||
gid nslcd | gid nslcd | ||
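Review bot: the label now gives the full path /etc/nslcd.conf, but the bold warning directly above it still does not say how to satisfy it. Spell out the owner and mode next to the warning, for example `chown root:root /etc/nslcd.conf` and `chmod 600 /etc/nslcd.conf`, so the requirement can be checked rather than assumed.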
Line 86: | Line 83: | ||
Edit the passwd, shadow, and group lines to this | Edit the passwd, shadow, and group lines to this | ||
- | <file|nsswitch.conf> | + | <file|/etc/nsswitch.conf> |
passwd: files ldap [NOTFOUND=return] | passwd: files ldap [NOTFOUND=return] | ||
shadow: files ldap [NOTFOUND=return] | shadow: files ldap [NOTFOUND=return] | ||
Line 101: | Line 98: | ||
To give admins sudo | To give admins sudo | ||
- | <file|sudoers> | + | <file|/etc/sudoers.d/AcmLanAdmins> |
%AcmLanAdmins ALL=(ALL) ALL | %AcmLanAdmins ALL=(ALL) ALL | ||
</file> | </file> | ||
- | ===== PAM ===== | + | <file|/etc/pam.d/system-auth> |
+ | auth sufficient pam_ldap.so | ||
+ | auth required pam_unix.so try_first_pass nullok | ||
+ | auth optional pam_permit.so | ||
+ | auth required pam_env.so | ||
- | These files are in /etc/pam.d | + | account sufficient pam_ldap.so |
+ | account required pam_unix.so | ||
+ | account optional pam_permit.so | ||
+ | account required pam_time.so | ||
- | Force install acm-pam | + | password sufficient pam_ldap.so |
- | <code> | + | password required pam_unix.so try_first_pass nullok sha512 shadow |
- | pacman -S --force acm-pam | + | password optional pam_permit.so |
- | </code> | + | |
- | This will install a working PAM stack for auth against the ACM AD domain | + | session required pam_limits.so |
+ | session required pam_unix.so | ||
+ | session optional pam_ldap.so | ||
+ | session optional pam_permit.so | ||
+ | </file> |
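Review bot: in the new /etc/pam.d/system-auth, `account sufficient pam_ldap.so` sits first, so a successful LDAP result ends the account stack before `account required pam_time.so` runs, and the same ordering in auth skips `auth required pam_env.so`. If pam_time and pam_env are meant to apply to directory users, move those required lines above the sufficient pam_ldap.so entries. The `nullok` option on the pam_unix.so auth and password lines also lets local accounts with an empty password authenticate; drop it unless that is intended. The `===== PAM =====` heading was replaced by the file tag, so the block now follows the sudoers file with no heading or introduction; keep the heading and add a line saying the stack is edited by hand now that acm-pam is no longer installed.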