Connect to UW UWWI Active Directory

Contents:
  Motivation
  Work-in-progress notes:
    1. Create Computer in Active Directory
    2. Firewall
    3. Hostname - FQDN required
    4. Create krb5 keytab
  REDHAT & VARIANTS specific instructions (winbind/krb5/samba connection)
  DEBIAN AND VARIANTS (winbind/krb5/samba connection)
  Slow sudo fix
  Group Management

Motivation

The CENPA workstations and servers are generally local access only. Group and user management is trivial when dealing with a single system. However, when dealing with hundreds of systems, managing multiple users, groups and passwords becomes unmanageable. The goal therefore is to centralize these authentication details. Like most work environments, CENPA is heterogeneous, with Linux, OSX and Windows operating systems (OS) (excluding vax, solaris, etc.), so a solution that works with all OSs is required. As UW manages Active Directory, we can utilize this system rather than create our own.

Windows - Trivial to add as a computer to the domain.
Linux - Not trivial. There are multiple options to integrate with AD. We will be using Winbind/krb5. I will explore using sssd in future.
Mac - Trivial.

Work-in-progress notes:

1. Create Computer in Active Directory.
   In a Windows server with the AD tools, create the computer in the delegated OU (cenpa). Create krb5.keytab for the system (if Linux or OSX).

2. Firewall
   Warning - if behind the firewall, you need to open ports when connecting to LDAP/Krb5/AD services. For marie I opened the following:

       # kerberos keytab and LDAP to UW
       ACCEPT dc1 any:140.142.0.0/16 tcp 3760
       ACCEPT dc1 any:172.16.0.0/12 - -

   For reference, the standard ports behind these services are Kerberos 88/tcp+udp and kpasswd 464/tcp+udp, LDAP 389/tcp and LDAPS 636/tcp, SMB 445/tcp (used by net ads join and winbind), and DNS 53 for the SRV lookups that dns_lookup_kdc depends on. Check the UW service documentation for the actual endpoints before opening anything wider than the rules above.

3. Hostname - FQDN required
   Note - the system you create the keytab on must:
   * have its hostname set up properly
   * have a FQDN that is registered in DNS records
   I used marie.npl.washington.edu (128.95.100.4)
marie.npl.washington.edu
----------------------------------

    root@marie:~# hostname
    marie
    root@marie:~# hostname -f
    marie.npl.washington.edu
    root@marie:~# cat /etc/hostname
    marie
    root@marie:~# cat /etc/hosts
    127.0.0.1   localhost.localdomain localhost
    ::1         localhost6.localdomain6 localhost6
    127.0.1.1   marie.npl.washington.edu marie

    # The following lines are desirable for IPv6 capable hosts
    ::1     localhost ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

For others I have:

    127.0.0.1   musun2.npl.washington.edu muon2 localhost.localdomain localhost
    ::1         localhost6.localdomain6 localhost6

Whichever layout you use, the FQDN must be the first name on its /etc/hosts line: hostname -f returns the canonical name glibc finds for the address, and the host principal in the keytab (host/<fqdn>@REALM) has to match it exactly.

4. Create krb5 keytab
   a. I use the keytab generator on https://wiki.cac.washington.edu/display/infra/uw+kerberos+1.9+service+configurationuwkerberos1.9serviceconfiguration
      i.    ./configure and make
      ii.   Ensure the system has the UW krb5.conf (see below)
      iii.  kinit holman
      iv.   klist

                Ticket cache: FILE:/tmp/krb5cc_0
                Default principal: holman@u.washington.edu

                Valid starting     Expires            Service principal
                10/22/13 15:15:23  10/23/13 01:15:23  krbtgt/u.washington.edu@u.washington.edu
                        renew until 10/22/13 15:15:23

      v.    ./keyreq -a nfs host -h muon1.npl.washington.edu   (or just -a host)
      vi.   ./keyreq -l \* -h muon1.npl.washington.edu -f muon1.keytab
      vii.  scp muon1.keytab to the system
      viii. On muon1 - if RHEL, run:

                chown root:root muon1.keytab
                chmod 0600 muon1.keytab
                mv muon1.keytab /etc/krb5.keytab

            After moving the file, restore the SELinux file context and confirm it:

                restorecon /etc/krb5.keytab
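The keytab install steps above (chown, chmod, mv, restorecon) as a small script, added here as an example; it is not part of the original notes. install_keytab sets the mode before the file reaches /etc/krb5.keytab so it is never world-readable at its final path, refuses to overwrite a keytab that has been made immutable with chattr +i (the Debian notes further down do that), because mv would fail half-way, and verify_keytab checks the mode and, when klist is installed, that a host/ principal is present. It assumes GNU stat(1) and treats restorecon and klist as optional, so it also runs on a host without SELinux or a Kerberos client.

```shell
#!/bin/sh
# Added example (not from the CENPA notes): install a freshly generated
# keytab with the ownership/mode the notes require and verify the result.
# Assumptions: GNU coreutils stat(1); restorecon/klist/lsattr are optional
# and skipped when absent.

# install_keytab SRC DEST
#   Moves SRC into place as DEST, root-owned (when running as root) and 0600.
#   Returns 1 if SRC is missing/empty or DEST is immutable (chattr +i);
#   clear the flag first with chattr -i, then retry.
install_keytab() {
    src=$1; dest=$2
    [ -s "$src" ] || { echo "install_keytab: $src missing or empty" >&2; return 1; }
    if [ -e "$dest" ] && command -v lsattr >/dev/null 2>&1 \
       && lsattr -d "$dest" 2>/dev/null | awk '{print $1}' | grep -q i; then
        echo "install_keytab: $dest is immutable; run chattr -i first" >&2
        return 1
    fi
    # Fix the mode while the file is still at SRC: after mv it keeps it,
    # so the keytab is never readable by others at its final path.
    chmod 0600 "$src" || return 1
    [ "$(id -u)" -eq 0 ] && chown root:root "$src"
    mv "$src" "$dest" || return 1
    # Restore the SELinux label (krb5_keytab_t on RHEL); harmless elsewhere.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$dest" || echo "install_keytab: restorecon failed on $dest" >&2
    fi
    return 0
}

# keytab_mode DEST -> prints the octal mode, e.g. 600
keytab_mode() {
    stat -c %a "$1"
}

# verify_keytab DEST
#   Returns 0 only if DEST exists, is mode 0600 and (when klist is
#   available) lists at least one host/ principal, i.e. keyreq -a host
#   produced what winbind and sshd GSSAPI need.
verify_keytab() {
    dest=$1
    [ -f "$dest" ] || return 1
    [ "$(keytab_mode "$dest")" = "600" ] || return 1
    if command -v klist >/dev/null 2>&1; then
        klist -kt "$dest" | grep -q ' host/' || return 1
    fi
    return 0
}

# Usage (as root, after scp'ing the keytab from the generator host):
#   install_keytab /root/muon1.keytab /etc/krb5.keytab && verify_keytab /etc/krb5.keytab
```

On RHEL, ls -Z /etc/krb5.keytab after the install should show the krb5_keytab_t type; if it shows admin_home_t or user_home_t the restorecon did not run and winbind will be denied access to the file.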
REDHAT & VARIANTS specific instructions

winbind/krb5/samba connection:

a. Install (for SL6.4 only the following packages were needed after a default desktop install - samba-winbind was already installed, so perhaps I don't need samba either):

       yum install -y samba-winbind samba

b. Run authconfig:

       authconfig --update --kickstart --enablewinbind --smbsecurity=ads \
           --smbworkgroup=netid --smbrealm=netid.washington.edu \
           --winbindtemplatehomedir=/home/%u --winbindtemplateshell=/bin/bash \
           --enablewinbindusedefaultdomain --enablelocauthorize \
           --enablekrb5 --krb5realm=u.washington.edu --enablekrb5kdcdns --enablekrb5realmdns \
           --enablepamaccess --enablemkhomedir

   Note that two realms are in play: the Samba/winbind side is joined to the AD realm netid.washington.edu, while pam_krb5 and krb5.conf use the UW Kerberos realm u.washington.edu.

c. /etc/nsswitch.conf

       #
       # /etc/nsswitch.conf
       #
       # An example Name Service Switch config file. This file should be
       # sorted with the most-used services at the beginning.
       #
       # The entry '[NOTFOUND=return]' means that the search for an
       # entry should stop if the search in the previous entry turned
       # up nothing. Note that if the search failed due to some other reason
       # (like no NIS server responding) then the search continues with the
       # next entry.
       #
       # Valid entries include:
       #
       #       nisplus                 Use NIS+ (NIS version 3)
       #       nis                     Use NIS (NIS version 2), also called YP
       #       dns                     Use DNS (Domain Name Service)
       #       files                   Use the local files
       #       db                      Use the local database (.db) files
       #       compat                  Use NIS on compat mode
       #       hesiod                  Use Hesiod for user lookups
       #       [NOTFOUND=return]       Stop searching if not found so far
       #

       # To use db, put the "db" in front of "files" for entries you want to be
       # looked up first in the databases
       #
       # Example:
       #passwd:    db files nisplus nis
       #shadow:    db files nisplus nis
       #group:     db files nisplus nis

       passwd:     files winbind
       shadow:     files winbind
       group:      files winbind

       #hosts:     db files nisplus nis dns
       hosts:      files wins dns

       # Example - obey only what nisplus tells us...
       #services:   nisplus [NOTFOUND=return] files
       #networks:   nisplus [NOTFOUND=return] files
       #protocols:  nisplus [NOTFOUND=return] files
       #rpc:        nisplus [NOTFOUND=return] files
       #ethers:     nisplus [NOTFOUND=return] files
       #netmasks:   nisplus [NOTFOUND=return] files

       bootparams: nisplus [NOTFOUND=return] files

       ethers:     files
       netmasks:   files
       networks:   files
       protocols:  files
       rpc:        files
       services:   files

       netgroup:   files

       publickey:  nisplus

       automount:  files
       aliases:    files nisplus

d. /etc/security/pam_winbind.conf (note - I may not use this file)

       #
       # pam_winbind configuration file
       #
       # /etc/security/pam_winbind.conf
       #

       [global]

       # turn on debugging
       ;debug = no

       # turn on extended PAM state debugging
       ;debug_state = no

       # request a cached login if possible
       # (needs "winbind offline logon = yes" in smb.conf)
       cached_login = yes

       # authenticate using kerberos
       ;krb5_auth = no

       # when using kerberos, request a "FILE" krb5 credential cache type
       # (leave empty to just do krb5 authentication but not have a ticket
       # afterwards)
       ;krb5_ccache_type =

       # make successful authentication dependend on membership of one SID
       # (can also take a name)
       ;require_membership_of =

       # password expiry warning period in days
       ;warn_pwd_expire = 14

       # omit pam conversations
       ;silent = no

       # create homedirectory on the fly
       ;mkhomedir = no

       require_membership_of=s-1-5-21-1478355014-127360780-1969717230-1113089

   Notice the inclusion of require_membership_of=... This states that only members of that group may authenticate through pam_winbind; any other domain account is refused by winbind. This group happens to be u_cenpa_groups_muon (see the page regarding managing groups). All groups are created in https://groups.uw.edu/

   Keep in mind that this option only gates pam_winbind. In the PAM stacks below, pam_krb5 comes first as "sufficient", so a domain user with a correct password never reaches pam_winbind at all; the pam_listfile line against /etc/security/groups.allowed (section m) is what actually limits logins on these systems.

   To find groups and users on UW AD:
       [root@muon3 ~]# wbinfo -n holman
       S-1-5-21-1478355014-127360780-1969717230-124497 SID_USER (1)
       [root@muon3 ~]# wbinfo -n u_cenpa_all
       S-1-5-21-1478355014-127360780-1969717230-1114709 SID_DOM_GROUP (2)

   also

       [root@muon3 ~]# getent passwd holman
       holman:*:10124497:16777216::/home/holman:/bin/bash
       [root@muon3 ~]# getent group u_cenpa_cavendish_users
       u_cenpa_cavendish_users:*:11166288:(names listed here)

   The uid 10124497 is the RID 124497 from holman's SID added to the start of the idmap range (10000000) configured below. With the rid backend every host that uses the same range computes the same uid and gid for the same account without any shared state, which is what makes file ownership on shared storage line up; change the range on one host and it stops lining up there.

e. /etc/samba/smb.conf for 6.5...

       workgroup = NETID
       password server = netid.washington.edu
       realm = netid.washington.edu
       security = ads
       template homedir = /home/%u
       template shell = /bin/bash
       winbind use default domain = true
       winbind offline logon = no
       idmap config * : backend = rid
       idmap config * : range = 10000000-19999999
       idmap config NETID : base_rid = 0
       idmap uid = 10000-20000
       idmap gid = 10000-20000
       kerberos method = secrets and keytab
       dedicated keytab file = /etc/krb5.keytab
       winbind refresh tickets = true
       winbind reconnect delay = 5
       winbind enum groups = no
       winbind enum users = no
       winbind cache time = 600
       wins server = 140.142.1.6
       allow trusted domains = no
       client use spnego = yes
       client ntlmv2 auth = yes
       encrypt passwords = yes
       local master = no
       domain master = no
       preferred master = no
       os level = 0
       winbind cache time = 10

   (winbind cache time is set twice; Samba keeps the last value, 10 seconds. The testparm output below was taken from a slightly different revision of the file - winbind offline logon and kerberos method differ - so compare the two before copying either.)

   testparm output:
       [global]
               workgroup = NETID
               realm = NETID.WASHINGTON.EDU
               server string = Samba Server Version %v
               security = ADS
               allow trusted domains = No
               password server = netid.washington.edu
               dedicated keytab file = /etc/krb5.keytab
               kerberos method = dedicated keytab
               log file = /var/log/samba/log.%m
               max log size = 50
               wins server = 140.142.1.6
               template homedir = /home/%u
               template shell = /bin/bash
               winbind use default domain = Yes
               winbind refresh tickets = Yes
               winbind offline logon = Yes
               idmap config *:range = 10000000-19999999
               idmap config * : backend = rid
               cups options = raw

       [homes]
               comment = Home Directories
               read only = No
               browseable = No

       [printers]
               comment = All Printers
               path = /var/spool/samba
               printable = Yes
               print ok = Yes
               browseable = No

f. smb.conf for 5.5
       [global]
               workgroup = NETID
               realm = NETID.WASHINGTON.EDU
               server string = Samba Server Version %v
               security = ADS
               allow trusted domains = No
               password server = netid.washington.edu
               log level = 5
               dedicated keytab file = /etc/krb5.keytab
               kerberos method = dedicated keytab
               log file = /var/log/samba/log.%m
               max log size = 50
               wins server = 140.142.1.6
               template homedir = /home/%u
               template shell = /bin/bash
               winbind use default domain = Yes
               winbind refresh tickets = Yes
               winbind offline logon = Yes
               idmap config * : range = 10000000-19999999
               idmap config * : backend = rid
               idmap backend = rid:netid=10000000-19999999
               cups options = raw
               idmap uid = 10000000-19999999
               idmap gid = 10000000-19999999

       [homes]
               comment = Home Directories
               read only = No
               browseable = No

       [printers]
               comment = All Printers
               path = /var/spool/samba
               printable = Yes
               print ok = Yes
               browseable = No

   (log level = 5 is a debugging setting that writes usernames and connection details for every request into /var/log/samba; turn it back down once the join works. The old-style idmap backend / idmap uid / idmap gid lines are the 3.5 syntax kept alongside the newer idmap config lines so the same file works on both versions.)

g. /etc/pam.d/password-auth
       #%PAM-1.0
       # This file is auto-generated.
       # User changes will be destroyed the next time authconfig is run.
       auth        required      pam_env.so
       auth        sufficient    pam_unix.so nullok try_first_pass
       auth        requisite     pam_succeed_if.so uid >= 500 quiet
       auth        sufficient    pam_krb5.so use_first_pass
       auth        sufficient    pam_winbind.so cached_login use_first_pass
       auth        required      pam_deny.so

       account     required      pam_access.so
       account     required      pam_unix.so broken_shadow
       account     required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/groups.allowed
       account     sufficient    pam_localuser.so
       account     sufficient    pam_succeed_if.so uid < 500 quiet
       account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
       account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
       account     required      pam_permit.so

       password    requisite     pam_cracklib.so try_first_pass retry=3 type=
       password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
       password    sufficient    pam_krb5.so use_authtok
       password    sufficient    pam_winbind.so cached_login use_authtok
       password    required      pam_deny.so

       session     optional      pam_keyinit.so revoke
       session     required      pam_limits.so
       session     optional      pam_oddjob_mkhomedir.so umask=0022 skel=/etc/skel/
       session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
       session     required      pam_unix.so
       session     optional      pam_krb5.so

   The pam_listfile line is the only part of this stack that limits which domain accounts may log in. It lives in the account phase so it applies no matter whether pam_unix, pam_krb5 or pam_winbind did the authentication, and because it is "required" and precedes pam_localuser, a local user whose groups are not listed is refused too - hence root is listed in /etc/security/groups.allowed (section m). Take the auto-generated warning seriously: rerunning authconfig rewrites this file and drops the line.

h. /etc/pam.d/system-auth
       #%PAM-1.0
       # This file is auto-generated.
       # User changes will be destroyed the next time authconfig is run.
       auth        required      pam_env.so
       auth        sufficient    pam_fprintd.so
       auth        sufficient    pam_unix.so nullok try_first_pass
       auth        requisite     pam_succeed_if.so uid >= 500 quiet
       auth        sufficient    pam_krb5.so use_first_pass
       auth        sufficient    pam_winbind.so cached_login use_first_pass
       auth        required      pam_deny.so

       account     required      pam_access.so
       account     required      pam_unix.so broken_shadow
       account     sufficient    pam_localuser.so
       account     sufficient    pam_succeed_if.so uid < 500 quiet
       account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
       account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
       account     required      pam_permit.so

       password    requisite     pam_cracklib.so try_first_pass retry=3 type=
       password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
       password    sufficient    pam_krb5.so use_authtok
       password    sufficient    pam_winbind.so cached_login use_authtok
       password    required      pam_deny.so

       session     optional      pam_keyinit.so revoke
       session     required      pam_limits.so
       session     optional      pam_oddjob_mkhomedir.so umask=0022 skel=/etc/skel/
       session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
       session     required      pam_unix.so
       session     optional      pam_krb5.so

   Note that this file has no pam_listfile line. On RHEL 6, sshd includes password-auth, while console login and the GDM greeter include system-auth, so the groups.allowed gate covers ssh but not local logins; add the same account line here if those should be limited the same way.

i. /etc/krb5.conf
       [libdefaults]
        default_realm = u.washington.edu
        allow_weak_crypto = true
        dns_lookup_realm = true
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true

       [realms]
        u.washington.edu = {
         kdc = k5-primary.u.washington.edu
         kdc = k5-backup.u.washington.edu
         admin_server = k5-primary.u.washington.edu
         kpasswd_server = k5-primary.u.washington.edu
         default_domain = u.washington.edu
        }

       [domain_realm]
        .cac.washington.edu = u.washington.edu
        .s.uw.edu = u.washington.edu
        .u.washington.edu = u.washington.edu
        .cac-sil.washington.edu = u.washington.edu
        .wa-k20.net = u.washington.edu
        .pnw-gigapop.net = u.washington.edu
        .nebula.washington.edu = u.washington.edu
        .lib.washington.edu = u.washington.edu
        .washington.edu = u.washington.edu
        .npl.washington.edu = u.washington.edu

       [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

       [login]
        krb5_get_tickets = false

       [appdefaults]
        pam = {
        }
        use_shmem = false

   Two settings to revisit: allow_weak_crypto = true re-enables single-DES and the other weak enctypes for every ticket this host requests and is only needed while the KDC still issues such keys, so drop it once it does not; and ticket_lifetime takes a duration with a unit - a bare "24" is read by MIT krb5 as 24 seconds, so it is written as 24h here. The KDC caps the lifetime regardless, which is why the klist output above shows 10-hour tickets.

j. /etc/krb5.keytab
   See instructions on https://wiki.cac.washington.edu/display/infra/uw+kerberos+1.9+service+configurationuwkerberos1.9serviceconfiguration
   i. Currently only user holman (me) has access to creating a keytab for any host/service in the .npl.washington.edu domain.

k. /etc/sudoers

       %u_cenpa_muon_admin ALL=(ALL) ALL

   sudo resolves this group through NSS, i.e. through winbind, so it works without winbind enum groups and without a NETID\ prefix thanks to winbind use default domain. It also means every sudo invocation waits on winbind - see the slow sudo fix below.

l. /etc/pam.d/sudo
       auth       include      system-auth
       account    include      system-auth
       password   include      system-auth
       auth       required     pam_winbind.so use_first_pass use_authtok
       session    optional     pam_keyinit.so revoke
       session    required     pam_limits.so

   The extra auth line after the include is effectively dead: on a successful authentication one of system-auth's "sufficient" modules has already returned from the stack, and on a failed one the stack is already failed at pam_deny. use_authtok is a password-phase option and is ignored in the auth phase.

m. /etc/security/groups.allowed

       root
       u_cenpa_muon_users

n. Disable the GDM user list:

       gconftool-2 --direct --config-source=xml:readwrite:/etc/gconf/gconf.xml.defaults \
           --type bool --set /apps/gdm/simple-greeter/disable_user_list true

o. Install printers - cups
p. Install crashplanpr

5. Join computer to domain
   a. net ads join -U sadm_holman

   The join expects the computer object precreated in the delegated OU (step 1) and an account (sadm_holman) with rights to join it. With kerberos method = secrets and keytab, net ads join also writes the machine's host/ keys into /etc/krb5.keytab, so that file must be writable at join time. Afterwards, net ads testjoin confirms the machine account and wbinfo -t checks the trust secret.

DEBIAN AND VARIANTS

1. For winbind/krb5/samba connection:
   a. Install:

          apt-get install krb5-user libpam-krb5 winbind samba

   b. Create /etc/krb5.conf (see above).
   c. Create the keytab file and copy it to /etc/krb5.keytab.
      i.  I had to make the file immutable (I will have to investigate this):

              chattr +i /etc/krb5.keytab

          An immutable keytab cannot be updated by net ads join or by a key rollover; clear the flag with chattr -i /etc/krb5.keytab before either and set it again afterwards.
      ii. Test using:

              kinit -k

          or

              kinit -k -t /etc/krb5.keytab

   d. Modify /etc/samba/smb.conf (see above) - NOTE this is for Ubuntu 12+ with winbind 3.6.3 and samba 3.6.3. This is the configuration for marie.npl - change as needed for other systems.

    [global]
            workgroup = NETID
            realm = NETID.WASHINGTON.EDU
            security = ADS
            allow trusted domains = No
            map to guest = Bad User
            obey pam restrictions = Yes
            pam password change = Yes
            dedicated keytab file = /etc/krb5.keytab
            kerberos method = secrets and keytab
            syslog = 0
            log file = /var/log/samba/log.%m
            max log size = 1000
            unix extensions = No
            local master = No
            domain master = No
            dns proxy = No
            wins server = 140.142.1.6
            usershare allow guests = Yes
            panic action = /usr/share/samba/panic-action %d
            template homedir = /home/%u
            template shell = /bin/bash
            winbind use default domain = Yes
            winbind refresh tickets = Yes
            idmap config * : range = 10000000-19999999
            idmap config * : backend = rid
            wide links = Yes

    [homes]
            comment = Home Directories
            valid users = %S, %D\%S
            read only = No
            browseable = No

    [group-shares]
            comment = Shared space for CENPA research groups
            path = /home/group-shares
            read only = No
            force create mode = 0660
            force directory mode = 02770
            hide unreadable = Yes
            browseable = No

    [cenpa]
            comment = Shared space for CENPA research groups
            path = /home/group-shares
            read only = No
            force create mode = 0660
            force directory mode = 02770
            hide unreadable = Yes
            browseable = No

    [printers]
            comment = All Printers
            path = /var/spool/samba
            create mask = 0600
            guest ok = Yes
            printable = Yes
            print ok = Yes
            browseable = No

    [print$]
            comment = Printer Drivers
            path = /etc/samba/drivers
            write list = @lpadmin, @samba-domain-admins, root
            read only = No
            guest ok = Yes

   Two settings in this file deserve a second look. wide links = Yes lets a symlink inside a share point anywhere on the filesystem, and it only takes effect because unix extensions = No; on a host that exports /home/group-shares to a whole research group that is a wide door. map to guest = Bad User turns any unknown username into the guest account, so the guest ok = Yes shares ([printers], [print$]) and usershare allow guests = Yes are reachable without a domain account - fine for printing, but keep guest ok off the data shares.

e. For older systems - Samba version 3.5.6 and winbind version 3.5.6 - use the following in smb.conf:

    [global]
            workgroup = NETID
            realm = NETID.WASHINGTON.EDU
            server string = Samba Server Version %v
            security = ADS
            allow trusted domains = No
            password server = netid.washington.edu
            log level = 5
            log file = /var/log/samba/log.%m
            max log size = 50
            wins server = 140.142.1.6
            idmap backend = rid:netid=10000000-19999999
            idmap uid = 10000000-19999999
            idmap gid = 10000000-19999999
            template homedir = /home/%u
            template shell = /bin/bash
            winbind use default domain = Yes
            winbind refresh tickets = Yes
            winbind offline logon = Yes
            cups options = raw

    [homes]
            comment = Home Directories
            read only = No
            browseable = No

    [printers]
            comment = All Printers
            path = /var/spool/samba
            printable = Yes
            browseable = No

f. Update PAM auth:

       pam-auth-update --force

g. You can debug winbind on Debian:

       /etc/init.d/winbind stop
       winbindd -i -n -d5 -s /etc/samba/smb.conf

   (-i keeps winbindd in the foreground, -n disables its cache so every lookup really goes to the DC, -d5 sets the debug level, -s picks the config file.)

h. Ubuntu/Debian manages PAM authentication slightly differently. I modified the following files:
   i. /etc/pam.d/common-auth
       #
       # /etc/pam.d/common-auth - authentication settings common to all services
       #
       # This file is included from other service-specific PAM config files,
       # and should contain a list of the authentication modules that define
       # the central authentication scheme for use on the system
       # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
       # traditional Unix authentication mechanisms.
       #
       # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
       # To take advantage of this, it is recommended that you configure any
       # local modules either before or after the default block, and use
       # pam-auth-update to manage selection of other modules.  See
       # pam-auth-update(8) for details.

       auth    required    pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed

       # here are the per-package modules (the "Primary" block)
       auth    [success=3 default=ignore]  pam_krb5.so minimum_uid=1000
       auth    [success=2 default=ignore]  pam_unix.so nullok_secure try_first_pass
       auth    [success=1 default=ignore]  pam_winbind.so debug krb5_auth krb5_ccache_type=file cached_login try_first_pass
       # here's the fallback if no module succeeds
       auth    requisite   pam_deny.so
       # prime the stack with a positive return value if there isn't one already;
       # this avoids us returning an error just because nothing sets a success code
       # since the modules above will each just jump around
       auth    required    pam_permit.so
       # and here are more per-package modules (the "Additional" block)
       # end of pam-auth-update config

   Two things to check here. The pam_listfile line sits outside the pam-auth-update block, so it survives pam-auth-update --force, but the file it names must exist: with onerr=fail a missing or unreadable file denies every login, root included. Section vi below quotes this line with file=/etc/security/groups.allowed, so make sure the path on the live line and the file you edit are the same one. The debug flag on pam_winbind logs every authentication attempt to syslog at full verbosity; drop it once the setup works.

   ii. /etc/pam.d/common-session
       #
       # /etc/pam.d/common-session - session-related modules common to all services
       #
       # This file is included from other service-specific PAM config files,
       # and should contain a list of modules that define tasks to be performed
       # at the start and end of sessions of *any* kind (both interactive and
       # non-interactive).
       #
       # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
       # To take advantage of this, it is recommended that you configure any
       # local modules either before or after the default block, and use
       # pam-auth-update to manage selection of other modules.  See
       # pam-auth-update(8) for details.

       # here are the per-package modules (the "Primary" block)
       session [default=1]     pam_permit.so
       # here's the fallback if no module succeeds
       session requisite       pam_deny.so
       # prime the stack with a positive return value if there isn't one already;
       # this avoids us returning an error just because nothing sets a success code
       # since the modules above will each just jump around
       session required        pam_permit.so
       # and here are more per-package modules (the "Additional" block)
       session optional        pam_krb5.so minimum_uid=1000
       session required        pam_unix.so
       session required        pam_mkhomedir.so umask=0022 skel=/etc/skel
       session optional        pam_winbind.so
       # end of pam-auth-update config

   iii. /etc/pam.d/sshd
       # PAM configuration for the Secure Shell service

       # Read environment variables from /etc/environment and
       # /etc/security/pam_env.conf.
       auth       required     pam_env.so # [1]
       # In Debian 4.0 (etch), locale-related environment variables were moved to
       # /etc/default/locale, so read that as well.
       auth       required     pam_env.so envfile=/etc/default/locale

       # Standard Un*x authentication.
       @include common-auth

       # Disallow non-root logins when /etc/nologin exists.
       account    required     pam_nologin.so

       # Uncomment and edit /etc/security/access.conf if you need to set complex
       # access limits that are hard to express in sshd_config.
       account    required     pam_access.so

       # Standard Un*x authorization.
       @include common-account

       # Standard Un*x session setup and teardown.
       @include common-session

       # Print the message of the day upon successful login.
       # This includes a dynamically generated part from /run/motd.dynamic
       # and a static (admin-editable) part from /etc/motd.
       session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
       session    optional     pam_motd.so # [1]

       # Print the status of the user's mailbox upon successful login.
       session    optional     pam_mail.so standard noenv # [1]

       # Set up user limits from /etc/security/limits.conf.
       session    required     pam_limits.so

       # Set up SELinux capabilities (need modified pam)
       # session  required     pam_selinux.so multiple

       session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022

       # Standard Un*x password updating.
       @include common-password

   (The pam_mkhomedir line appears both here and in common-session; the second run is a no-op once the directory exists. The umask was mis-typed as 0222 in an earlier revision, which would have created home directories the owner cannot write to.)

   iv. /etc/pam.d/common-password
       #
       # /etc/pam.d/common-password - password-related modules common to all services
       #
       # This file is included from other service-specific PAM config files,
       # and should contain a list of modules that define the services to be
       # used to change user passwords.  The default is pam_unix.

       # Explanation of pam_unix options:
       #
       # The "sha512" option enables salted SHA512 passwords.  Without this option,
       # the default is Unix crypt.  Prior releases used the option "md5".
       #
       # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
       # login.defs.
       #
       # See the pam_unix manpage for other options.

       # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
       # To take advantage of this, it is recommended that you configure any
       # local modules either before or after the default block, and use
       # pam-auth-update to manage selection of other modules.  See
       # pam-auth-update(8) for details.

       # here are the per-package modules (the "Primary" block)
       password  [success=3 default=ignore]  pam_krb5.so minimum_uid=1000
       password  [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
       password  [success=1 default=ignore]  pam_winbind.so use_authtok try_first_pass
       # here's the fallback if no module succeeds
       password  requisite   pam_deny.so
       # prime the stack with a positive return value if there isn't one already;
       # this avoids us returning an error just because nothing sets a success code
       # since the modules above will each just jump around
       password  required    pam_permit.so
       # and here are more per-package modules (the "Additional" block)
       # end of pam-auth-update config

   v. /etc/pam.d/common-account
       #
       # /etc/pam.d/common-account - authorization settings common to all services
       #
       # This file is included from other service-specific PAM config files,
       # and should contain a list of the authorization modules that define
       # the central access policy for use on the system.  The default is to
       # only deny service to users whose accounts are expired in /etc/shadow.
       #
       # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
       # To take advantage of this, it is recommended that you configure any
       # local modules either before or after the default block, and use
       # pam-auth-update to manage selection of other modules.  See
       # pam-auth-update(8) for details.

       # here are the per-package modules (the "Primary" block)
       account [success=2 new_authtok_reqd=done default=ignore]  pam_unix.so
       account [success=1 new_authtok_reqd=done default=ignore]  pam_winbind.so
       # here's the fallback if no module succeeds
       account requisite   pam_deny.so
       # prime the stack with a positive return value if there isn't one already;
       # this avoids us returning an error just because nothing sets a success code
       # since the modules above will each just jump around
       account required    pam_permit.so
       # and here are more per-package modules (the "Additional" block)
       account required    pam_krb5.so minimum_uid=1000
       # end of pam-auth-update config

   vi. Notice in /etc/pam.d/common-auth the first entry:

       auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/groups.allowed

   This is how we are going to limit logins. The file allows for local users and domain users/groups.

   /etc/security/groups.allowed:

       root
       u_cenpa_marie_users
       sshusers

   Because of item=group these are group names, so "root" means the root group rather than the root user; a local user gets in through a local group listed here (sshusers), and a domain user through a UW group such as u_cenpa_marie_users that winbind resolves. Whatever path the live pam_listfile line names, that is the file to edit: with onerr=fail, a missing or unreadable file denies every login, root's included, so keep a root shell open while changing it.

   vii. /etc/nsswitch.conf
       # /etc/nsswitch.conf
       #
       # Example configuration of GNU Name Service Switch functionality.
       # If you have the `glibc-doc-reference' and `info' packages installed, try:
       # `info libc "Name Service Switch"' for information about this file.

       passwd:         compat winbind
       group:          compat winbind
       shadow:         compat winbind

       hosts:          files dns wins
       networks:       files

       protocols:      db files
       services:       db files
       ethers:         db files
       rpc:            db files

       netgroup:       nis

Slow sudo fix

I encountered long delays when using sudo and winbind on Scientific Linux 6.5. The fix:

       yum install nscd
       chkconfig nscd on

Debugging with nscd off (as root):

       strace -u holman -e trace=file sudo whoami

The repeated lookups are slowing it down. I will have to investigate if there is something else that can be used to solve this issue; until then caching with nscd will suffice.

One consequence of the nscd cache: group membership changes, including removing someone from u_cenpa_muon_admin to revoke sudo, are not seen until the nscd entry expires (positive-time-to-live in /etc/nscd.conf). Run nscd -i group (or nscd -i passwd) to flush the cache when a change has to take effect immediately.
       open("/usr/share/locale/en/LC_MESSAGES/sudoers.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
       open("/etc/localtime", O_RDONLY) = 6
       .........

Group Management

All groups are managed via groups.uw.edu. All groups are listed under the holman@uw.edu account.
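The idmap arithmetic behind the wbinfo/getent output in section e (RHEL) done by hand, as an added example that is not part of the original notes. It reproduces what "idmap config * : backend = rid" with base_rid = 0 does: uid or gid = start of range + RID, and no mapping at all when the RID would land past the end of the range or the SID belongs to a domain other than NETID (which allow trusted domains = no refuses as well). The range and domain SID are taken from this page; the NETID domain SID is assumed to be the SID shown by wbinfo -n with its last component removed.

```shell
#!/bin/sh
# Added example (not from the CENPA notes): compute by hand the uid/gid
# winbind's rid backend assigns to a SID, to check getent output against
# wbinfo -n. Assumptions: range and domain SID as on this page; POSIX sh.

IDMAP_LOW=10000000       # from: idmap config * : range = 10000000-19999999
IDMAP_HIGH=19999999
# Domain SID = the wbinfo -n output above minus its last component (assumed).
NETID_DOMAIN_SID="S-1-5-21-1478355014-127360780-1969717230"

# rid_of SID -> prints the relative identifier (last component of the SID)
rid_of() {
    printf '%s\n' "${1##*-}"
}

# domain_of SID -> prints the SID with the RID stripped off
domain_of() {
    printf '%s\n' "${1%-*}"
}

# rid_to_id SID [LOW HIGH [DOMAIN_SID]]
#   Prints the uid/gid the rid backend yields: LOW + RID (base_rid = 0).
#   Prints nothing and returns 1 for a SID from another domain, a
#   malformed RID, or a result past HIGH - the cases in which getent shows
#   no entry for an account that wbinfo -n can still resolve.
rid_to_id() {
    sid=$1; low=${2:-$IDMAP_LOW}; high=${3:-$IDMAP_HIGH}; dom=${4:-$NETID_DOMAIN_SID}
    [ "$(domain_of "$sid")" = "$dom" ] || return 1
    rid=$(rid_of "$sid")
    case $rid in
        ''|*[!0-9]*) return 1 ;;    # not a numeric RID
    esac
    id=$((low + rid))
    [ "$id" -le "$high" ] || return 1
    printf '%s\n' "$id"
}

# Demonstration against the page's own data:
rid_to_id "S-1-5-21-1478355014-127360780-1969717230-124497"    # holman      -> 10124497
rid_to_id "S-1-5-21-1478355014-127360780-1969717230-1114709"   # u_cenpa_all -> 11114709
```

The first result matches the getent passwd line for holman, which is the check to run on every host that shares storage: same range in smb.conf, same number out. Note that the 16777216 primary gid in that getent line is not a rid-backend value for this range, so the primary group is being mapped some other way and is worth looking into separately.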
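A dry run of the login gate used throughout this page (the pam_listfile.so onerr=fail item=group sense=allow line against /etc/security/groups.allowed in sections m and vi), added here as an example; it is a shell re-implementation of that check, not the pam_listfile code, and it is meant for testing an edited allow-list before it is live, where a mistake locks everyone out, root included. It assumes group membership is read with id -nG (i.e. through NSS, exactly as winbind supplies it), one group name per line, blank lines ignored, and group names without spaces (UW group names use underscores).

```shell
#!/bin/sh
# Added example (not from the CENPA notes): emulate
#   pam_listfile.so onerr=fail item=group sense=allow file=FILE
# so a groups.allowed file can be checked for a user before PAM uses it.
# Assumptions: membership via id -nG; one group per line; no spaces in names.

# listfile_allows USER FILE
#   0 -> login allowed (USER belongs to at least one listed group)
#   1 -> login denied: no listed group, unknown USER, or FILE unreadable.
#        The last case is what onerr=fail means: any error is a denial.
listfile_allows() {
    user=$1; file=$2
    [ -r "$file" ] || return 1
    groups=$(id -nG "$user" 2>/dev/null) || return 1
    while IFS= read -r allowed || [ -n "$allowed" ]; do
        [ -n "$allowed" ] || continue       # skip blank lines
        for g in $groups; do
            [ "$g" = "$allowed" ] && return 0
        done
    done < "$file"
    return 1
}

# check_allowlist FILE USER...
#   Prints "allow USER" / "deny  USER" per user, the way you would dry-run
#   the file after editing it. Returns 1 if root would be locked out,
#   which with onerr=fail and a "required" pam_listfile is fatal.
check_allowlist() {
    file=$1; shift
    rc=0
    for u in "$@"; do
        if listfile_allows "$u" "$file"; then
            echo "allow $u"
        else
            echo "deny  $u"
            [ "$u" = root ] && rc=1
        fi
    done
    return $rc
}

# Usage on a joined host, before touching PAM:
#   check_allowlist /etc/security/groups.allowed root holman someuser
```

Because winbind use default domain = Yes is set, domain groups appear to id -nG without a NETID\ prefix, so the names in groups.allowed are written exactly as groups.uw.edu shows them.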