Changes

no edit summary
Line 82: Line 82:  
   
 
   
 
  [pam]
 
  [pam]
+
 
 
  [domain/LDAP]
 
  [domain/LDAP]
 +
# Debug is now per domain
 +
# Debug level can be 0-10 for simple levels,
 +
# or for more control hex values Format is 0xXXXX
 +
# 1 = 0x0010 2 = 0x0020 3 = 0x040 4 = 0x080 5 = 0x0100 6 = 0x0200
 +
# see man sssd for more
 +
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sssd-troubleshooting
 +
debug_level = 3
 
  id_provider = ldap
 
  id_provider = ldap
 
  auth_provider = ldap
 
  auth_provider = ldap
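Review bot: The added comment block states the format is 0xXXXX but then lists "3 = 0x040" and "4 = 0x080"; write these as 0x0040 and 0x0080 so they match the stated format and the other entries, and check the level-to-mask numbering against the linked table before publishing. The comment also promises levels 0-10 while the list only covers 1 to 6, so say that the remainder is in man sssd. Since "debug_level = 3" is added as a live setting in the example [domain/LDAP] section, add a comment telling readers to lower or remove it once troubleshooting is finished.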
Line 120: Line 127:     
===Configure the system to use SSSD as a source of authentication:===
 
===Configure the system to use SSSD as a source of authentication:===
Setup to use the tool auth-client-config:
+
Setup to use the tool auth-client-config.
 +
 
 +
{{Tip box|If you intend to automatically mount shares please see the Mount Shares section below and add the relevant sections to pam_auth and pam_session here first. You may also want the section in System Permissions }}
    
We can copy and paste in a terminal to add following lines:
 
We can copy and paste in a terminal to add following lines:
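Review bot: The new tip box tells readers to add "the relevant sections to pam_auth and pam_session here first" but does not say which lines those are, and it refers to "the section in System Permissions" without a link and without closing punctuation. Link both sections by anchor and name the entries that must be in the profile before it is applied.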
Line 223: Line 232:     
===Mount Shares===
 
===Mount Shares===
 +
 +
{{Note box|The following page is worth a read https://wiki.contribs.org/Smeserver-tw-logonscript#Linux_client_integration
 +
It is possible to create a simple local pam_mount.conf.xml file and then load a per user config from the server}}
    
If you can successfully login with a domain account you can now try and automatically mounts shares.
 
If you can successfully login with a domain account you can now try and automatically mounts shares.
   −
You will require at least cif-utils and libpam_mount
+
You will require at least cif-utils and libpam-mount
   −
  sudo apt-get install libpam_mount cifs-utils
+
  sudo apt-get install libpam-mount cifs-utils
    
In the above file /etc/auth-client-config/profile.d/sss
 
In the above file /etc/auth-client-config/profile.d/sss
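Review bot: The sentence above the install command still reads "cif-utils" after this change, while the command installs cifs-utils; correct the prose in the same edit that fixes libpam-mount. In the new note box, the statement that a per-user config can be loaded from the server would be more useful with one line on where that file lives and who may write to it, since pam_mount acts on it at login.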
Line 248: Line 260:  
Add the following:
 
Add the following:
   −
cat <<'_EOF' >/etc/security/pam_mount.conf.xml
+
cat <<'_EOF' >/etc/security/pam_mount.conf.xml
 
  <pam_mount>
 
  <pam_mount>
 
  <debug        enable  = "0" />
 
  <debug        enable  = "0" />
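Review bot: The changed line redirects the heredoc straight into /etc/security/pam_mount.conf.xml, which requires a root shell and overwrites any existing file. The install step on this page is written with sudo, so state here that the block must be run as root (or pipe the heredoc into sudo tee), and suggest copying the existing file aside first.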
Line 263: Line 275:  
         user      = "*"
 
         user      = "*"
 
         sgrp      = "admins"/>
 
         sgrp      = "admins"/>
<!-- General Directory-->
+
  <!-- General Directory-->
 
  <volume fstype    = "cifs"
 
  <volume fstype    = "cifs"
 
         server    = "sme.server.com"
 
         server    = "sme.server.com"
Line 272: Line 284:  
         sgrp      = "admins"/>
 
         sgrp      = "admins"/>
 
  </pam_mount>
 
  </pam_mount>
_EOF
+
_EOF
    +
You may need to add a 'sec' option like this:
 +
 +
options    = "uid=%(USER),nosuid,nodev,noexec,sec=ntlmssp,vers=1.0"
    
Now when you login as a domain user your shares should mount and you should have full sudo access.
 
Now when you login as a domain user your shares should mount and you should have full sudo access.
      
==Miscellaneous Notes==
 
==Miscellaneous Notes==
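Review bot: The added sentence announces only a 'sec' option, but the example line also sets vers=1.0, which pins the mount to SMB1. Say when that is actually required, and recommend trying sec=ntlmssp with the highest dialect the server supports before falling back to vers=1.0. The example is also placed after the _EOF terminator, so state which volume entry in the file above it is meant to go into.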
