tac_plus AD integration with PAM

Donato Rivera donato.rivera at ssihq.net
Thu Mar 20 14:06:25 UTC 2014


Greetings,


I am attempting to integrate my tac_plus server with Active Directory using PAM. I have tried numerous configurations I found online with no luck. My configuration is listed below; the Kerberos side (krb5.conf) appears to work, since kinit against AD succeeds, and that file is listed as well. Any assistance is greatly appreciated.


AD credential test using Kerberos (kinit/klist against AD succeeds):


[root at pam.d]# kinit Dan
Password for Dan at domain:

[root at pam.d]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Dan at domain

Valid starting     Expires            Service principal
03/20/14 10:00:50  03/20/14 20:00:56  krbtgt/domain
        renew until 03/27/14 10:00:50


Configuration:


/etc/tac_plus.conf

# /etc/tac_plus.conf — TACACS+ daemon configuration as posted.
#
# NOTE(review): the shared key is what every network device uses to
# obfuscate the TACACS+ packet body (the protocol's MD5-based
# obfuscation, not strong encryption) and to prove it is allowed to talk
# to this daemon. "TestKey" is a dictionary word; replace it with a long
# random string before production, and keep this file root-only (e.g.
# mode 0600) because the key sits here in clear text.
key = "TestKey"
# Accounting records (start/stop and command accounting) are appended here.
accounting file = /var/log/tac.acct.log
# authentication users not appearing elsewhere via
# the file /etc/passwd
#default authentication = file /etc/passwd
# With the line above left commented out, a login for a username that has
# no "user =" stanza below has no fallback authentication method and
# should be rejected rather than silently checked against /etc/passwd.


# A group that can change some limited configuration on switchports
# related to host-side network configuration

group = Admin {
        # login = file /etc/passwd
        # or authenticated via PAM:
        # login = PAM
        # (no login method is set at group level; each member must carry
        # its own "login =" line, as "dan" does below)
        # priv-lvl 15 is the highest TACACS+ privilege level, i.e. full
        # administrative access on every device that trusts this server.
        # The "limited configuration" comment above is left over from the
        # sample config and no longer describes what this group grants.
         service = exec {
         priv-lvl = 15
                }
                 }

# NOTE(review): the Kerberos test above used "kinit Dan" (capital D),
# while this stanza is named "dan". tac_plus matches the stanza against
# the username exactly as the device sends it, so a login typed as "Dan"
# presumably would not reach this block — confirm which form the
# operators actually use.
user = dan {
        login = PAM
        member = Admin
}


/etc/pam.d/tac_plus

# /etc/pam.d/tac_plus — PAM stack consulted for "login = PAM" users.
# NOTE(review): this assumes tac_plus was built with PAM support and
# starts PAM with the service name "tac_plus" (the basename of this
# file); if the daemon uses another service name, or was built without
# PAM, this file is never read — the daemon's debug/syslog output should
# show the service name it reports.
#
# The stack below is the stock authconfig "system-auth + krb5" layout.
# pam_unix, pam_succeed_if and pam_localuser all resolve the user through
# NSS, so an AD user must be visible to `getent passwd <user>` (via
# sssd/winbind/nss_ldap or a local /etc/passwd entry); pam_krb5 only
# checks the password against the KDC, it does not supply the identity.

# Environment from /etc/security/pam_env.conf; does not fail the stack.
auth        required      pam_env.so
# Local /etc/shadow password is tried first. If it matches, the stack
# succeeds here and the KDC is never consulted. NOTE(review): "nullok"
# lets a local account with an EMPTY password authenticate; on a
# device-admin AAA path that option is worth removing.
auth        sufficient    pam_unix.so nullok try_first_pass
# Gate: only uid >= 500 (non-system accounts) may continue. Because the
# control is "requisite", a user that NSS cannot resolve at all (e.g. an
# AD-only account with no sssd/winbind mapping) presumably fails here
# with user_unknown and the stack ends BEFORE pam_krb5 is reached —
# a likely cause of the failure being debugged. `getent passwd dan` on
# this host shows which case applies; /var/log/secure should show the
# pam_succeed_if error if so.
auth        requisite     pam_succeed_if.so uid >= 500 quiet
# Kerberos password check against the realm in /etc/krb5.conf, reusing
# the password pam_unix already collected (use_first_pass = no re-prompt).
# NOTE(review): pam_krb5 can only defend against a spoofed KDC when the
# host has a keytab (/etc/krb5.keytab with a host/ principal) to validate
# the TGT against; a fixed kdc address in krb5.conf narrows but does not
# remove that exposure — check the validation behaviour of the pam_krb5
# build in use.
auth        sufficient    pam_krb5.so use_first_pass
# Default-deny terminator: reached only if neither "sufficient" module
# above succeeded.
auth        required      pam_deny.so

# Account checks. pam_unix needs the NSS entry as well ("broken_shadow"
# tolerates errors reading the shadow record, which a non-local user
# would hit). Local users and system uids are accepted outright; for
# everyone else pam_krb5 decides, with a user unknown to Kerberos
# ignored so that pam_permit lets them through.
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

# Password-change stack; presumably not exercised by a TACACS+ login.
# NOTE(review): "use_authtok" below and "crond quiet use_uid" in the
# session block appear to have been wrapped by the mail client and
# belong at the end of the preceding line; if the file on disk really
# has them on their own lines PAM will reject those lines as malformed.
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

# Session stack: kernel keyring, ulimits, then pam_unix; the pam_succeed_if
# line skips pam_unix for the crond service (irrelevant here). pam_krb5
# is optional, so failing to set up a credential cache does not block
# the login.
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so


/etc/krb5.conf

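# /etc/krb5.conf — MIT Kerberos client configuration used by kinit and
# pam_krb5. Placeholder names (domain_name, x.x.x.x) were redacted for
# the list. Realm names are case-sensitive: an AD realm is the UPPER-CASE
# form of the DNS domain (e.g. EXAMPLE.COM), whereas the left-hand side
# of [domain_realm] entries is the lower-case DNS name.

# Section header restored: these three keys only have meaning under
# [logging] and the header was missing from the posted listing.
[logging]
default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = domain_name
# Realm and KDC come from the [realms]/[domain_realm] sections below,
# not from DNS SRV/TXT lookups.
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
# NOTE(review): forwardable TGTs allow a service the user authenticates
# to obtain further tickets on the user's behalf. A pam_krb5 password
# check for a TACACS+ login does not appear to need this; consider
# setting it to false on this host.
 forwardable = true

[realms]
 domain_name = {
  kdc = x.x.x.x
  admin_server = x.x.x.x
 }

[domain_realm]
# Map both the bare domain and every host under it (leading dot) to the
# realm; the posted listing mapped only the bare name.
 .domain_name = domain_name
 domain_name = domain_name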


Thanks,

Danny