Differences
This page shows the differences between two versions.
invis_server_wiki:client [2016/11/16 08:18] flacco [sssd-Konfiguration invis-Server Classic] |
invis_server_wiki:client [2016/11/16 08:43] flacco [PAM konfigurieren] |
Zeile 274: | Zeile 274: | ||
=== PAM konfigurieren === | === PAM konfigurieren === | ||
- | Auch die PAM Module für die Benutzeranmeldung am System müssen an den **sssd** angepasst werden. Dies kann mit Hilfe des Tools //**pam-config**// vorgenommen werden: | + | Auch die PAM Module für die Benutzeranmeldung am System müssen an den **sssd** angepasst werden. Dies kann im einfachsten Fall mit Hilfe des Tools //**pam-config**// vorgenommen werden: |
<code> | <code> | ||
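Review bot: the new qualifier "im einfachsten Fall" leaves the reader asking what the non-simple case is, and this sentence does not say; add a short pointer such as "fehlt pam-config, siehe unten" so the sentence does not dangle. Minor style point in the same line: "PAM Module" should be hyphenated as "PAM-Module", consistent with "PAM-Konfigurationen" and "PAM-Module" used in the following paragraph.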
Zeile 280: | Zeile 280: | ||
</code> | </code> | ||
+ | Leider haben nicht alle Linux-Distributionen das Tool //**pam-config**// im Gepäck. Ist dies der Fall und PAM wird nicht beim Installieren neuer PAM-Module automatisch von der verwendeten Linux-Distribution angepasst, müssen die relevanten PAM-Konfigurationen händisch angepasst werden. Dies sind in aller Regel 4 Dateien im Verzeichnis <file>/etc/pam.d</file>. | ||
+ | |||
+ | Hier Beispielhaft die Dateien aus Linux Mint 17.3, relevant sind immer die Zeilen in denen auf **pam_sss.so** Bezug genommen wird: | ||
+ | |||
+ | **common-account** | ||
+ | |||
+ | <code> | ||
+ | ... | ||
+ | # here are the per-package modules (the "Primary" block) | ||
+ | account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so | ||
+ | # here's the fallback if no module succeeds | ||
+ | account requisite pam_deny.so | ||
+ | # prime the stack with a positive return value if there isn't one already; | ||
+ | # this avoids us returning an error just because nothing sets a success code | ||
+ | # since the modules above will each just jump around | ||
+ | account required pam_permit.so | ||
+ | # and here are more per-package modules (the "Additional" block) | ||
+ | account sufficient pam_localuser.so | ||
+ | account [default=bad success=ok user_unknown=ignore] pam_sss.so | ||
+ | # end of pam-auth-update config | ||
+ | </code> | ||
+ | |||
+ | **common-auth** | ||
+ | |||
+ | <code> | ||
+ | ... | ||
+ | # here are the per-package modules (the "Primary" block) | ||
+ | auth [success=2 default=ignore] pam_unix.so nullok_secure | ||
+ | auth [success=1 default=ignore] pam_sss.so use_first_pass | ||
+ | # here's the fallback if no module succeeds | ||
+ | auth requisite pam_deny.so | ||
+ | # prime the stack with a positive return value if there isn't one already; | ||
+ | # this avoids us returning an error just because nothing sets a success code | ||
+ | # since the modules above will each just jump around | ||
+ | auth required pam_permit.so | ||
+ | # and here are more per-package modules (the "Additional" block) | ||
+ | auth optional pam_ecryptfs.so unwrap | ||
+ | auth optional pam_cap.so | ||
+ | # end of pam-auth-update config | ||
+ | </code> | ||
+ | |||
+ | **common-password** | ||
+ | |||
+ | <code> | ||
+ | ... | ||
+ | # here are the per-package modules (the "Primary" block) | ||
+ | password requisite pam_pwquality.so retry=3 | ||
+ | password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 | ||
+ | password sufficient pam_sss.so use_authtok | ||
+ | # here's the fallback if no module succeeds | ||
+ | password requisite pam_deny.so | ||
+ | # prime the stack with a positive return value if there isn't one already; | ||
+ | # this avoids us returning an error just because nothing sets a success code | ||
+ | # since the modules above will each just jump around | ||
+ | password required pam_permit.so | ||
+ | # and here are more per-package modules (the "Additional" block) | ||
+ | password optional pam_gnome_keyring.so | ||
+ | password optional pam_ecryptfs.so | ||
+ | # end of pam-auth-update config | ||
+ | </code> | ||
+ | |||
+ | **common-session** | ||
+ | |||
+ | <code> | ||
+ | ... | ||
+ | # here are the per-package modules (the "Primary" block) | ||
+ | session [default=1] pam_permit.so | ||
+ | # here's the fallback if no module succeeds | ||
+ | session requisite pam_deny.so | ||
+ | # prime the stack with a positive return value if there isn't one already; | ||
+ | # this avoids us returning an error just because nothing sets a success code | ||
+ | # since the modules above will each just jump around | ||
+ | session required pam_permit.so | ||
+ | # The pam_umask module will set the umask according to the system default in | ||
+ | # /etc/login.defs and user settings, solving the problem of different | ||
+ | # umask settings with different shells, display managers, remote sessions etc. | ||
+ | # See "man pam_umask". | ||
+ | session optional pam_umask.so | ||
+ | # and here are more per-package modules (the "Additional" block) | ||
+ | session required pam_unix.so | ||
+ | session optional pam_sss.so | ||
+ | session optional pam_systemd.so | ||
+ | session optional pam_ecryptfs.so unwrap | ||
+ | session optional pam_ck_connector.so nox11 | ||
+ | # end of pam-auth-update config | ||
+ | </code> | ||
+ | |||
+ | Alle gezeigten Beispiele stammen aus einer Anbindung an einen invis-Classic Server. | ||
=== Kerberos Konfiguration für Client-Anbindung an invis-Server ActiveDirectory === | === Kerberos Konfiguration für Client-Anbindung an invis-Server ActiveDirectory === | ||
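Review bot: the claim that only the lines referring to pam_sss.so are relevant is misleading for common-auth and common-password, because there pam_sss.so sits inside the Primary block, where the preceding pam_unix.so line jumps forward by a fixed count (`auth [success=2 default=ignore] pam_unix.so nullok_secure` and `password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512`). Someone inserting the pam_sss.so line by hand into a distribution file that still carries `success=1` must raise that count as well; otherwise a successful pam_unix.so skips only the inserted pam_sss.so line and lands on `auth requisite pam_deny.so`, so even local users are denied. Suggest one sentence to that effect before the listings. Two smaller points: "Hier Beispielhaft" should read "Hier beispielhaft", and "Ist dies der Fall" right after the negated sentence ("nicht alle Linux-Distributionen ... im Gepäck") is ambiguous about which case is meant; "Fehlt das Tool" would be unambiguous.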