author | Jonathan Bauer | 2013-06-18 19:08:00 +0200 |
---|---|---|
committer | Jonathan Bauer | 2013-06-18 19:08:00 +0200 |
commit | 24023c6869de453e675d77be97f7e6cf48ed3a39 (patch) | |
tree | b6be9bb1fb528d7bed9efcf2c7476af86577efa2 /remote/modules/pam | |
parent | [pam] add config files for rpc services (diff) | |
[pam] home directory per kerberos (alpha)
Diffstat (limited to 'remote/modules/pam')
14 files changed, 35 insertions, 13 deletions
diff --git a/remote/modules/pam/data/etc/idmapd.conf b/remote/modules/pam/data/etc/idmapd.conf
index 61cfe2d9..2253cf0d 100644
--- a/remote/modules/pam/data/etc/idmapd.conf
+++ b/remote/modules/pam/data/etc/idmapd.conf
@@ -4,7 +4,7 @@ Verbosity = 0
 Pipefs-Directory = /run/rpc_pipefs
 # set your own domain here, if id differs from FQDN minus hostname
 Domain = uni-freiburg.de
- # localdomain
+# localdomain
 [Mapping]
diff --git a/remote/modules/pam/data/etc/pam.d/common-account b/remote/modules/pam/data/etc/pam.d/common-account
index 3a5d5a14..26055551 100644
--- a/remote/modules/pam/data/etc/pam.d/common-account
+++ b/remote/modules/pam/data/etc/pam.d/common-account
@@ -23,4 +23,5 @@ account requisite pam_deny.so
 # since the modules above will each just jump around
 account required pam_permit.so
 # and here are more per-package modules (the "Additional" block)
+account required pam_krb5.so
 # end of pam-auth-update config
diff --git a/remote/modules/pam/data/etc/pam.d/common-auth b/remote/modules/pam/data/etc/pam.d/common-auth
index 1fa577e7..088ed13f 100644
--- a/remote/modules/pam/data/etc/pam.d/common-auth
+++ b/remote/modules/pam/data/etc/pam.d/common-auth
@@ -14,7 +14,8 @@
 # pam-auth-update(8) for details.
 # here are the per-package modules (the "Primary" block)
-auth [success=2 default=ignore] pam_unix.so
+auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
+auth [success=2 default=ignore] pam_unix.so try_first_pass
 auth [success=1 default=ignore] pam_ldap.so use_first_pass nullok_secure
 # here's the fallback if no module succeeds
 auth requisite pam_deny.so
diff --git a/remote/modules/pam/data/etc/pam.d/common-session b/remote/modules/pam/data/etc/pam.d/common-session
index c5813892..e3180dd4 100644
--- a/remote/modules/pam/data/etc/pam.d/common-session
+++ b/remote/modules/pam/data/etc/pam.d/common-session
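Review bot: The line added to common-account, `account required pam_krb5.so`, omits the `minimum_uid=1000` that the pam_krb5 lines this commit adds to common-auth and common-session carry, so the account phase consults Kerberos for root and system accounts that the auth and session phases deliberately leave alone. For consistent handling of local/system users change it to `account required pam_krb5.so minimum_uid=1000`. Whether pam_krb5's account handler also passes for users who authenticated through pam_unix or pam_ldap cannot be confirmed from the diff; since the line is `required`, that is worth verifying on a local-only login before this leaves alpha. The rest of common-account is outside the hunk.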
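Review bot: With pam_krb5 placed first in the Primary block of common-auth, every password is now tried against the KDC before pam_unix, and a successful ticket is accepted via `success=3` while nothing in this diff shows how that ticket is validated; pam_krb5 can only detect a forged KDC reply if the host has a keytab to verify the credentials against, and no keytab provisioning is part of this module's data/ tree as far as the diff shows. Either confirm the keytab is provisioned elsewhere or record the expectation next to the line, e.g. `# pam_krb5 needs a host keytab to verify the TGT; without one a spoofed KDC goes undetected`. The jump count itself is right: `success=3` skips pam_unix, pam_ldap and pam_deny, which are exactly the three lines that follow inside the hunk.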
@@ -26,8 +26,10 @@ session required pam_permit.so
 # See "man pam_umask".
 session optional pam_umask.so
 # and here are more per-package modules (the "Additional" block)
-session [success=1] pam_unix.so
-session [success=ok] pam_ldap.so
+session [success=3] pam_unix.so
+session [success=2] pam_krb5.so minimum_uid=1000
+session [success=1] pam_ldap.so
 session optional pam_mkhomedir.so skel=/etc/skel umask=0022
+session optional pam_script.so
 session required pam_systemd.so kill-session-processes=1
 # end of pam-auth-update config
diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service
new file mode 120000
index 00000000..194aba77
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service
@@ -0,0 +1 @@
+../rpc-gssd.service
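Review bot: The new jump counts in common-session make pam_mkhomedir unreachable in the normal case: `session [success=3] pam_unix.so` skips pam_krb5, pam_ldap and pam_mkhomedir and lands on the new pam_script line, and `success=2` on pam_krb5 and `success=1` on pam_ldap likewise jump past pam_mkhomedir. Because pam_unix's session handler succeeds for practically every login, the pam_krb5 session line is also never reached (as was already the case for pam_ldap before this change). If pam_script is meant to take over home-directory creation, which the commit title suggests, drop or move the pam_mkhomedir line; otherwise the counts should be `success=2`, `success=1` and `success=ok` so that only the alternative session modules are skipped, as before. Separately, pam_script executes the `pam_script_ses_open`/`pam_script_ses_close` hooks as root on every session, and the symlinks added here point at /etc/pam-script/ whose contents are not in the diff, so those files must exist and stay root-owned and not group- or world-writable for the optional line to be safe.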
\ No newline at end of file
diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service
new file mode 120000
index 00000000..66a28252
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service
@@ -0,0 +1 @@
+../rpc-idmapd.service
\ No newline at end of file
diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service
deleted file mode 120000
index f68f14b9..00000000
--- a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service
+++ /dev/null
@@ -1 +0,0 @@
-../rpc-sercices.service
\ No newline at end of file
diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service b/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service
new file mode 100644
index 00000000..6623428d
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=NFS rpcsec_gss daemon
+Requires=run-rpc_pipefs.mount
+After=run-rpc_pipefs.mount
+
+[Service]
+ExecStart=/usr/sbin/rpc.gssd -f -vvv
diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service b/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service
new file mode 100644
index 00000000..c4da93e7
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=NFSv4 ID-name mapping daemon
+Requires=network.target run-rpc_pipefs.mount
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/rpc.idmapd -f
diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service b/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service
deleted file mode 100644
index db6b115a..00000000
--- a/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=Start RPC services
-Requires=activate-nss-ldap.service
-After=activate-nss-ldap.service
-
-[Service]
-ExecStart=/usr/sbin/rpc.gssd
-ExecStart=/usr/sbin/rpc.idmapd
diff --git a/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount b/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount
new file mode 100644
index 00000000..692adce8
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount
@@ -0,0 +1,7 @@
+[Unit]
+Description=Pipefs RPC filesystem
+
+[Mount]
+What=rpc_pipefs
+Where=/run/rpc_pipefs
+Type=rpc_pipefs
diff --git a/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close
new file mode 120000
index 00000000..a12002a7
--- /dev/null
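Review bot: rpc-idmapd.service declares `Requires=network.target run-rpc_pipefs.mount` but orders itself only with `After=network.target`, so systemd may start rpc.idmapd before /run/rpc_pipefs is mounted even though the mount is required; the sibling rpc-gssd.service gets this right with `After=run-rpc_pipefs.mount`. Change the idmapd unit to `After=network.target run-rpc_pipefs.mount`. In rpc-gssd.service, `ExecStart=/usr/sbin/rpc.gssd -f -vvv` enables maximum debug verbosity, which suits the alpha the commit describes but writes per-upcall detail (principals and credential-cache paths, as far as I recall rpc.gssd's output) into the journal of every machine this module is deployed to; a marker such as `# -vvv: debug verbosity for the alpha, drop before release` above the line would keep it from being forgotten.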
+++ b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close
@@ -0,0 +1 @@
+/etc/pam-script/pam_script_ses_close
\ No newline at end of file
diff --git a/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open
new file mode 120000
index 00000000..783d5605
--- /dev/null
+++ b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open
@@ -0,0 +1 @@
+/etc/pam-script/pam_script_ses_open
\ No newline at end of file
diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf
index 5f762481..38600f01 100644
--- a/remote/modules/pam/pam.conf
+++ b/remote/modules/pam/pam.conf
@@ -6,6 +6,7 @@ REQUIRED_INSTALLED_PACKAGES="
 krb5-config
 libpam-krb5
 libssl-dev
+ldap-utils
 "
 REQUIRED_CONTENT_PACKAGES="
 libpam0g
@@ -31,6 +32,7 @@ REQUIRED_BINARIES="
 umount.crypt_LUKS
 mount.crypto_LUKS
 umount.crypto_LUKS
+ldapsearch
 "
 REQUIRED_DIRECTORIES="
 /lib