tac_plus AD integration with PAM
Yu Wang
yuwang at cs.fsu.edu
Thu Mar 20 14:56:22 UTC 2014
Try using pam_ldap for the account (authorization) part. You will need to create
pam_ldap.conf or ldap.conf, depending on your server OS, to query a user's
attribute (uid).
Your pam.d/tac_plus account part would look like:
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so <------
account required pam_permit.so
On Thu, 20 Mar 2014, Donato Rivera wrote:
> Greetings,
>
>
> I am attempting to integrate my tac_plus solution with AD using PAM. I have tried numerous iterations I found online with no luck. I am listing my config below, the krb5.conf seems to pass which I will also list. Any assistance is greatly appreciated.
>
>
> AD Credentials Test using kerberos:
>
>
> [root at pam.d]# kinit Dan
> Password for Dan at domain:
>
> [root at pam.d]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Dan at domain
>
> Valid starting Expires Service principal
> 03/20/14 10:00:50 03/20/14 20:00:56 krbtgt/domain
> renew until 03/27/14 10:00:50
>
>
> Configuration:
>
>
> /etc/tac_plus.conf
>
> key = "TestKey"
> accounting file = /var/log/tac.acct.log
> # authentication users not appearing elsewhere via
> # the file /etc/passwd
> #default authentication = file /etc/passwd
>
>
> # A group that can change some limited configuration on switchports
> # related to host-side network configuration
>
> group = Admin {
> # login = file /etc/passwd
> # or authenticated via PAM:
> # login = PAM
> service = exec {
> priv-lvl = 15
> }
> }
>
> user = dan {
> login = PAM
> member = Admin
> }
>
>
> /etc/pam.d/tac_plus
>
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_krb5.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_krb5.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_krb5.so
>
>
> /etc/krb5.conf
>
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = domain_name
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
> [realms]
> domain_name = {
> kdc = x.x.x.x
> admin_server = x.x.x.x
> }
>
> [domain_realm]
> domain_name = domain_name
>
>
> Thanks,
>
> Danny
>
--
--Yu Wang
****************************************************
Computer & Network System Administrator
****************************************************
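To see how the control fields in the account stack suggested at the top of this reply interact (why a local user never reaches pam_ldap, and what `[default=bad success=ok user_unknown=ignore]` does for an AD user), here is an added example that is not part of the thread: a small simulator of Linux-PAM control-flag evaluation run over that stack. The per-module results in each scenario are constructed by hand; no real PAM module is called.

```python
# Added example: simulate Linux-PAM control-flag evaluation over the account
# stack from the reply (pam_unix / pam_localuser / pam_succeed_if / pam_ldap /
# pam_permit). Module return codes are supplied per scenario, not computed.

# Keyword controls expanded to the [result=action] form Linux-PAM uses internally.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# The account stack from the reply: (control field, module).
ACCOUNT_STACK = [
    ("required", "pam_unix.so"),                                   # broken_shadow
    ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_succeed_if.so"),                           # uid < 500
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so"),
    ("required", "pam_permit.so"),
]

def parse_control(field):
    """Return a result->action map; results not listed fall back to 'default'."""
    if field.startswith("["):
        return dict(kv.split("=", 1) for kv in field.strip("[]").split())
    return KEYWORDS[field]

def run_stack(stack, results):
    """results maps module -> PAM return name; unlisted modules return 'success'.
    ok/bad record failure, die stops on failure, done stops with success unless
    an earlier module already failed, ignore changes nothing.
    Returns (outcome, list of modules actually consulted)."""
    failed, consulted = False, []
    for control, module in stack:
        consulted.append(module)
        rc = results.get(module, "success")
        actions = parse_control(control)
        action = actions.get(rc, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("bad", "die") or rc != "success":
            failed = True
            if action == "die":
                break
        elif action == "done" and not failed:
            break
    return ("fail" if failed else "success"), consulted

# Constructed scenarios (hypothetical return codes for the stack above).
LOCAL_USER = {"pam_localuser.so": "success"}
AD_USER_OK = {"pam_localuser.so": "perm_denied", "pam_succeed_if.so": "auth_err"}
AD_USER_REJECTED = dict(AD_USER_OK, **{"pam_ldap.so": "perm_denied"})
NOBODY = {"pam_unix.so": "user_unknown", "pam_localuser.so": "perm_denied",
          "pam_succeed_if.so": "user_unknown", "pam_ldap.so": "user_unknown"}
```

Running `run_stack(ACCOUNT_STACK, LOCAL_USER)` stops after pam_localuser with success, while an AD user that pam_ldap rejects fails even though pam_permit still runs.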