linux:arch_ad_backend [2014/11/18 16:01] walter [Packages]
linux:arch_ad_backend [2021/05/02 21:36] (current)
Line 1: | Line 1: | ||
+ | ====== Arch AD Auth ====== | ||
+ | |||
====== Packages ====== | ====== Packages ====== | ||
- | nss-pam-ldapd | + | <code>pacman -S nss-pam-ldapd krb5 pam-krb5</code> |
- | + | ||
- | krb5 | + | |
- | + | ||
- | pam-krb5 (aur) | + | |
- | + | ||
- | acm-pam (acm repo) | + | |
- | acm-admin-sudoers (acm repo) | ||
====== Configs ====== | ====== Configs ====== | ||
===== Kerberos ===== | ===== Kerberos ===== | ||
- | <file|krb5.conf> | + | <file|/etc/krb5.conf> |
[libdefaults] | [libdefaults] | ||
default_realm = ACM.CS | default_realm = ACM.CS | ||
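Review bot: the new `pacman -S nss-pam-ldapd krb5 pam-krb5` line silently drops the "(aur)" qualifier that the removed `pam-krb5 (aur)` line carried; `pacman -S` only installs from configured repositories, so on a stock Arch system this command fails on pam-krb5 unless it is built with makepkg or an AUR helper, and the page should say so. The removed `acm-pam (acm repo)` and `acm-admin-sudoers (acm repo)` lines should also be accounted for: state that the sudoers and PAM files shown later in this page replace them, otherwise a reader following the old revision will still look for those packages.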
Line 39: | Line 34: | ||
**Make sure nslcd.conf can only be read by root** | **Make sure nslcd.conf can only be read by root** | ||
- | <file|nslcd.conf> | + | <file|/etc/nslcd.conf> |
uid nslcd | uid nslcd | ||
gid nslcd | gid nslcd | ||
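Review bot: the bold warning "Make sure nslcd.conf can only be read by root" gives no command; add the concrete step (`chown root:root /etc/nslcd.conf && chmod 600 /etc/nslcd.conf`) and note that 0600 root-only permissions are compatible with the `uid nslcd` / `gid nslcd` lines, because nslcd parses its configuration (including any bind password) as root before dropping to that user.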
Line 70: | Line 65: | ||
referrals off | referrals off | ||
idle_timelimit 800 | idle_timelimit 800 | ||
- | filer passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) | + | filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) |
map passwd uid sAMAccountName | map passwd uid sAMAccountName | ||
map passwd homeDirectory unixHomeDirectory | map passwd homeDirectory unixHomeDirectory | ||
map passwd gecos displayName | map passwd gecos displayName | ||
- | filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) | + | filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) |
map shadow uid sAMAccountName | map shadow uid sAMAccountName | ||
map shadow shadowLastChange pwdLastSet | map shadow shadowLastChange pwdLastSet | ||
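Review bot: the `filer` -> `filter` fix and the added `(!(UserAccountControl:1.2.840.113556.1.4.803:=2))` clause (bitwise-AND matching rule, bit 2 = ACCOUNTDISABLE) are correct, but the page should say what the clause does and what it costs: disabled accounts vanish from NSS entirely, so they cannot log in, but files they own will show raw uidNumbers and `getent passwd <user>` returns nothing, which can confuse troubleshooting. It is applied to the passwd and shadow filters only; if the group filter (outside this hunk) should exclude the same accounts for memberUid resolution, that needs a matching change. A one-line test to add: `getent passwd <disabled-user>` should return nothing after `systemctl restart nslcd`.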
Line 84: | Line 79: | ||
Edit the passwd, shadow, and group lines to this | Edit the passwd, shadow, and group lines to this | ||
- | <file|nsswitch.conf> | + | <file|/etc/nsswitch.conf> |
- | passwd: compat ldap [NOTFOUND=return] | + | passwd: files ldap [NOTFOUND=return] |
- | shadow: compat ldap [NOTFOUND=return] | + | shadow: files ldap [NOTFOUND=return] |
- | group: compat ldap [NOTFOUND=return] | + | group: files ldap [NOTFOUND=return] |
</file> | </file> | ||
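Review bot: `[NOTFOUND=return]` after `ldap` is a no-op on all three lines, since `ldap` is already the last source; either drop it or state which fall-through it was meant to stop. Replacing `compat` with `files` is fine for this setup, but the instruction "Edit the passwd, shadow, and group lines to this" overwrites whatever additional sources the installed nsswitch.conf already lists; it is safer to tell the reader to append `ldap` to the existing lines than to replace them wholesale.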
Line 99: | Line 94: | ||
To give admins sudo | To give admins sudo | ||
- | <file|sudoers> | + | <file|/etc/sudoers.d/AcmLanAdmins> |
%AcmLanAdmins ALL=(ALL) ALL | %AcmLanAdmins ALL=(ALL) ALL | ||
</file> | </file> | ||
- | ===== PAM ===== | + | <file|/etc/pam.d/system-auth> |
+ | auth sufficient pam_ldap.so | ||
+ | auth required pam_unix.so try_first_pass nullok | ||
+ | auth optional pam_permit.so | ||
+ | auth required pam_env.so | ||
- | These files are in /etc/pam.d | + | account sufficient pam_ldap.so |
+ | account required pam_unix.so | ||
+ | account optional pam_permit.so | ||
+ | account required pam_time.so | ||
- | FIXME | + | password sufficient pam_ldap.so |
+ | password required pam_unix.so try_first_pass nullok sha512 shadow | ||
+ | password optional pam_permit.so | ||
+ | session required pam_limits.so | ||
+ | session required pam_unix.so | ||
+ | session optional pam_ldap.so | ||
+ | session optional pam_permit.so | ||
+ | </file> |
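Review bot: the `===== PAM =====` heading and the "These files are in /etc/pam.d" intro are removed, so the `/etc/pam.d/system-auth` block now sits under "To give admins sudo" with no section of its own; keep the heading. In the stack itself, `auth sufficient pam_ldap.so` authenticates by handing the user's password to nslcd for a simple LDAP bind, so the nslcd `uri` (not shown in this diff) must be `ldaps://` or `ssl start_tls` must be set, otherwise every login sends the password to the domain controller in the clear; also pam-krb5 is installed in the Packages hunk but never used here, so either add `auth sufficient pam_krb5.so` (Kerberos, no password over LDAP) or drop the package. Minor: the `pam_permit.so` lines are optional and do nothing, `nullok` on `pam_unix.so` permits empty-password local accounts, and `/etc/sudoers.d/AcmLanAdmins` should be mode 0440 and checked with `visudo -cf /etc/sudoers.d/AcmLanAdmins` before relying on it.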