Differences

This shows you the differences between two versions of the page.

--- linux:arch_ad_backend [2013/09/05 17:41]
jkilmer
+++ linux:arch_ad_backend [2021/05/02 21:36] (current)
@@ Line 1: / Line 1: @@
-FIXME **Kerberos is still used for doing forced password updates at login and password changes, this is currently not working with just nslcd 08/09/12 - walter**
+====== Arch AD Auth ======
 ====== Packages ======
-nss-pam-ldapd (aur)
+<code>pacman -S nss-pam-ldapd krb5 pam-krb5</code>
-krb5
-pam-krb5
 ====== Configs ======
 ===== Kerberos =====
-<file|krb5.conf>
+<file|/etc/krb5.conf>
 [libdefaults]
-default_realm = ACM.CS
+        default_realm = ACM.CS
+        dns_lookup_realm = false
+        dns_lookup_kdc = true
 [realms]
-ACM.CS = {
-       kdc = ad1.acm.cs
-       kdc = ad2.acm.cs
-       admin_server = ad.acm.cs
-       default_domain=ACM.CS
-}
 [domain_realm]
-.acm.cs = ACM.CS
+        acm.cs = ACM.CS
-acm.cs = ACM.CS
+        .acm.cs = ACM.CS
+[logging]
+#       kdc = CONSOLE
 </file>
 To test run
-<code>kinit username@ACM.CS</code>
+<code>kinit username</code>
 ===== LDAP/NSLCD =====
@@ Line 34: / Line 34: @@
 **Make sure nslcd.conf can only be read by root**
-<file|nslcd.conf>
+<file|/etc/nslcd.conf>
 uid nslcd
 gid nslcd
-uri ldaps://172.29.10.254/
+uri ldaps://ad1.acm.cs/
-uri ldaps://172.29.13.10/
+uri ldaps://ad2.acm.cs/
 ldap_version 3
@@ Line 65: / Line 65: @@
 referrals off
 idle_timelimit 800
-filer passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
 map passwd uid sAMAccountName
 map passwd homeDirectory unixHomeDirectory
 map passwd gecos displayName
-filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
 map shadow uid sAMAccountName
 map shadow shadowLastChange pwdLastSet
@@ Line 79: / Line 79: @@
 Edit the passwd, shadow, and group lines to this
-<file|nsswitch.conf>
+<file|/etc/nsswitch.conf>
-passwd: compat ldap [NOTFOUND=return]
+passwd: files ldap [NOTFOUND=return]
-shadow: compat ldap [NOTFOUND=return]
+shadow: files ldap [NOTFOUND=return]
-group: compat ldap [NOTFOUND=return]
+group: files ldap [NOTFOUND=return]
 </file>
@@ Line 94: / Line 94: @@
 To give admins sudo
-<file|sudoers>
+<file|/etc/sudoers.d/AcmLanAdmins>
 %AcmLanAdmins ALL=(ALL) ALL
 </file>
-===== PAM =====
+<file|/etc/pam.d/system-auth>
+auth      sufficient pam_ldap.so
+auth      required  pam_unix.so     try_first_pass nullok
+auth      optional  pam_permit.so
+auth      required  pam_env.so
-These files are in /etc/pam.d
+account   sufficient pam_ldap.so
+account   required  pam_unix.so
+account   optional  pam_permit.so
+account   required  pam_time.so
-FIXME
+password  sufficient pam_ldap.so
+password  required  pam_unix.so     try_first_pass nullok sha512 shadow
+password  optional  pam_permit.so
+session   required  pam_limits.so
+session   required  pam_unix.so
+session   optional  pam_ldap.so
+session   optional  pam_permit.so
+</file>

UIC ACM

User Tools

Site Tools

Differences

Page Tools