Try using pam_ldap for the account (authorization) part. You will need to create
pam_ldap.conf or ldap.conf, depending on your server OS, so that the module can query a user's
attribute (uid).
The account section of your pam.d/tac_plus would then look like:
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
<------
account required pam_permit.so
On Thu, 20 Mar 2014, Donato Rivera wrote:
Greetings,
I am attempting to integrate my tac_plus solution with AD using PAM. I have tried numerous iterations I found online with no luck. I am listing my config below; the krb5.conf seems to pass, which I will also list. Any assistance is greatly appreciated.
AD credentials test using Kerberos:
[root@pam.d]# kinit Dan
Password for Dan@domain:
[root@pam.d]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Dan@domain
Valid starting Expires Service principal
03/20/14 10:00:50 03/20/14 20:00:56 krbtgt/domain
renew until 03/27/14 10:00:50
Configuration:
/etc/tac_plus.conf
key = "TestKey"
accounting file = /var/log/tac.acct.log
# authenticate users not appearing elsewhere via
# the file /etc/passwd
#default authentication = file /etc/passwd
# A group that can change some limited configuration on switchports
# related to host-side network configuration
group = Admin {
# login = file /etc/passwd
# or authenticated via PAM:
# login = PAM
service = exec {
priv-lvl = 15
}
}
user = dan {
login = PAM
member = Admin
}
/etc/pam.d/tac_plus
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
/etc/krb5.conf
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = domain_name
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
domain_name = {
kdc = x.x.x.x
admin_server = x.x.x.x
}
[domain_realm]
domain_name = domain_name
Thanks,
Danny
--
--Yu Wang
****************************************************
Computer & Network System Administrator
****************************************************