linux:arch_ad_backend [2013/09/05 17:41] jkilmer |
linux:arch_ad_backend [2021/05/02 21:36] (current) |
Line 1: | Line 1: | ||
- | FIXME **Kerberos is still used for doing forced password updates at login and password changes, this is currently not working with just nslcd 08/09/12 - walter** | + | ====== Arch AD Auth ====== |
====== Packages ====== | ====== Packages ====== | ||
- | nss-pam-ldapd (aur) | + | <code>pacman -S nss-pam-ldapd krb5 pam-krb5</code> |
- | krb5 | ||
- | |||
- | pam-krb5 | ||
====== Configs ====== | ====== Configs ====== | ||
===== Kerberos ===== | ===== Kerberos ===== | ||
- | <file|krb5.conf> | + | <file|/etc/krb5.conf> |
[libdefaults] | [libdefaults] | ||
- | default_realm = ACM.CS | + | default_realm = ACM.CS |
+ | dns_lookup_realm = false | ||
+ | dns_lookup_kdc = true | ||
[realms] | [realms] | ||
- | ACM.CS = { | + | |
- | kdc = ad1.acm.cs | + | |
- | kdc = ad2.acm.cs | + | |
- | admin_server = ad.acm.cs | + | |
- | default_domain=ACM.CS | + | |
- | } | + | |
[domain_realm] | [domain_realm] | ||
- | .acm.cs = ACM.CS | + | acm.cs = ACM.CS |
- | acm.cs = ACM.CS | + | .acm.cs = ACM.CS |
+ | |||
+ | [logging] | ||
+ | # kdc = CONSOLE | ||
</file> | </file> | ||
To test run | To test run | ||
- | <code>kinit username@ACM.CS</code> | + | <code>kinit username</code> |
===== LDAP/NSLCD ===== | ===== LDAP/NSLCD ===== | ||
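Review bot: removing the whole `[realms]` block also drops `admin_server = ad.acm.cs`, and the new revision names no KDC or kpasswd server anywhere; with `dns_lookup_kdc = true` this only works if DNS publishes the `_kerberos` and `_kpasswd` SRV records for `acm.cs`, so either state that requirement next to the config or keep an explicit `ACM.CS = { kdc = ad1.acm.cs ... admin_server = ad.acm.cs }` entry as a fallback that does not depend on DNS. Keeping `dns_lookup_realm = false` is the right call, since realm mapping is still pinned by `[domain_realm]` rather than taken from DNS. The new `[logging]` section contains only the commented line `# kdc = CONSOLE` and has no effect; drop it or set a real destination. The test command now reads `kinit username` and relies on `default_realm`; the old `kinit username@ACM.CS` is unambiguous and is the better form to document for troubleshooting.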
Line 34: | Line 34: | ||
**Make sure nslcd.conf can only be read by root** | **Make sure nslcd.conf can only be read by root** | ||
- | <file|nslcd.conf> | + | <file|/etc/nslcd.conf> |
uid nslcd | uid nslcd | ||
gid nslcd | gid nslcd | ||
- | uri ldaps://172.29.10.254/ | + | uri ldaps://ad1.acm.cs/ |
- | uri ldaps://172.29.13.10/ | + | uri ldaps://ad2.acm.cs/ |
ldap_version 3 | ldap_version 3 | ||
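Review bot: switching `uri` from raw IPs to `ldaps://ad1.acm.cs/` and `ldaps://ad2.acm.cs/` is what makes certificate hostname checking possible, but the hunk shows no `tls_reqcert` or `tls_cacertfile` lines, so confirm they are set later in the file (they are outside this hunk at Line 34) or an LDAPS connection to an impostor with any certificate would still bind. The bold "Make sure nslcd.conf can only be read by root" line is correct because the file carries bind credentials; it would be clearer with the concrete mode (`chmod 600 /etc/nslcd.conf`, owned by root) so readers do not guess.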
Line 65: | Line 65: | ||
referrals off | referrals off | ||
idle_timelimit 800 | idle_timelimit 800 | ||
- | filer passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) | + | filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) |
map passwd uid sAMAccountName | map passwd uid sAMAccountName | ||
map passwd homeDirectory unixHomeDirectory | map passwd homeDirectory unixHomeDirectory | ||
map passwd gecos displayName | map passwd gecos displayName | ||
- | filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) | + | filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) |
map shadow uid sAMAccountName | map shadow uid sAMAccountName | ||
map shadow shadowLastChange pwdLastSet | map shadow shadowLastChange pwdLastSet | ||
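Review bot: the `filer` to `filter` correction is more than a typo fix: the old line was not a valid nslcd keyword, so the previous revision did not apply the intended passwd filter as written, and the commit message (absent here) should say so. The new `(!(UserAccountControl:1.2.840.113556.1.4.803:=2))` clause is an AD bitwise-AND match on the ACCOUNTDISABLE bit, so disabled accounts no longer resolve through passwd or shadow at all; that is the right default for login, but note that it also hides them from uid-to-name lookups (file listings show numeric owners), and the same clause has been kept identical between the passwd and shadow filters, which it must be so the two maps stay consistent. If a `filter group` line exists elsewhere in the file, check whether it needs the same treatment.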
Line 79: | Line 79: | ||
Edit the passwd, shadow, and group lines to this | Edit the passwd, shadow, and group lines to this | ||
- | <file|nsswitch.conf> | + | <file|/etc/nsswitch.conf> |
- | passwd: compat ldap [NOTFOUND=return] | + | passwd: files ldap [NOTFOUND=return] |
- | shadow: compat ldap [NOTFOUND=return] | + | shadow: files ldap [NOTFOUND=return] |
- | group: compat ldap [NOTFOUND=return] | + | group: files ldap [NOTFOUND=return] |
</file> | </file> | ||
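Review bot: changing `compat` to `files` drops support for `+`/`-` entries in `/etc/passwd`, which is fine here, but with `files ldap` local accounts are consulted first, so any uid or gid that exists both locally and as an AD `uidNumber` resolves to the local entry; state that local and AD uid ranges must not overlap. The `[NOTFOUND=return]` after `ldap` stops lookups at the directory, which is the intended behaviour and matches all three lines. The `shadow: files ldap` line only works because nslcd runs as root-readable `nslcd` and the shadow map in the earlier hunk is populated from `pwdLastSet`; worth a one-line remark in the page.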
Line 94: | Line 94: | ||
To give admins sudo | To give admins sudo | ||
- | <file|sudoers> | + | <file|/etc/sudoers.d/AcmLanAdmins> |
%AcmLanAdmins ALL=(ALL) ALL | %AcmLanAdmins ALL=(ALL) ALL | ||
</file> | </file> | ||
- | ===== PAM ===== | + | <file|/etc/pam.d/system-auth> |
+ | auth sufficient pam_ldap.so | ||
+ | auth required pam_unix.so try_first_pass nullok | ||
+ | auth optional pam_permit.so | ||
+ | auth required pam_env.so | ||
- | These files are in /etc/pam.d | + | account sufficient pam_ldap.so |
+ | account required pam_unix.so | ||
+ | account optional pam_permit.so | ||
+ | account required pam_time.so | ||
- | FIXME | + | password sufficient pam_ldap.so |
+ | password required pam_unix.so try_first_pass nullok sha512 shadow | ||
+ | password optional pam_permit.so | ||
+ | session required pam_limits.so | ||
+ | session required pam_unix.so | ||
+ | session optional pam_ldap.so | ||
+ | session optional pam_permit.so | ||
+ | </file> |
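Review bot: the new `/etc/pam.d/system-auth` stack never references `pam_krb5.so`, so the `pam-krb5` package added in the first hunk is installed but unused, and authentication now happens through `pam_ldap.so` (a simple bind over the LDAPS URIs from the nslcd hunk); either drop `pam-krb5` from the package line or say that Kerberos is only used for `kinit`. Because the FIXME about password changes was removed in the same revision, the page should state that `password sufficient pam_ldap.so` is now the path for password changes and that it only works over LDAPS to AD. The `auth`, `account` and `password` `optional pam_permit.so` lines are no-ops as written; removing them makes the stack easier to audit. Moving the sudo rule into `/etc/sudoers.d/AcmLanAdmins` is good; note that sudo ignores files in that directory whose names contain a `.` or end in `~`, and that the file must be root-owned and mode 0440, otherwise the rule silently does not apply.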