Re: tac_plus AD integration with PAM


 



Try using pam_ldap for the account (authorization) part. You will need to create pam_ldap.conf or ldap.conf, depending on your server OS, so that it can query a user's attributes (uid).

Your pam.d/tac_plus account part would look like:

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so <------
account     required      pam_permit.so



On Thu, 20 Mar 2014, Donato Rivera wrote:

Greetings,


I am attempting to integrate my tac_plus solution with AD using PAM. I have tried numerous variations I found online with no luck. I am listing my config below; the krb5.conf part seems to work, and I will list that as well. Any assistance is greatly appreciated.


AD Credentials Test using kerberos:


[root@pam.d]# kinit Dan
Password for Dan@domain:

[root@pam.d]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Dan@domain

Valid starting     Expires            Service principal
03/20/14 10:00:50  03/20/14 20:00:56  krbtgt/domain
       renew until 03/27/14 10:00:50


Configuration:


/etc/tac_plus.conf

key = "TestKey"
accounting file = /var/log/tac.acct.log
# authentication users not appearing elsewhere via
# the file /etc/passwd
#default authentication = file /etc/passwd


# A group that can change some limited configuration on switchports
# related to host-side network configuration

group = Admin {
       # login = file /etc/passwd
       # or authenticated via PAM:
       # login = PAM
        service = exec {
        priv-lvl = 15
               }
                }

user = dan {
       login = PAM
       member = Admin
}


/etc/pam.d/tac_plus

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so


/etc/krb5.conf

default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = domain_name
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
domain_name = {
 kdc = x.x.x.x
 admin_server = x.x.x.x
}

[domain_realm]
domain_name = domain_name


Thanks,

Danny


--
--Yu Wang

****************************************************
      Computer & Network System Administrator
****************************************************

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list




