mise_en_place_de_sssd

mise_en_place_de_sssd [2017/01/27 11:35] – created wurtz
mise_en_place_de_sssd [2023/11/01 20:18] (current) – external edit 127.0.0.1
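--- a/mise_en_place_de_sssd
+++ b/mise_en_place_de_sssd
@@ -12,8 +12,15 @@
   - ajouter sss comme source pour login et mot de passe dans /etc/nsswitch.conf
   - vérifier que dans le fichier /etc/pam.d/common-session la ligne suivante a été supprimé ou est en commentaire : ''session required    pam_mkhomedir.so umask=0022 skel=/etc/skel''
+
+Pour obtenir les fichiers ci-dessus le mieux est de ce déplacer dans un des répertoire backup par exemple de menkab et de faire des copies.
+
+Les sauvegardes de menkab sont sous ''/disk2/backub/menkab/dernier/etc'' pour tous les fichiers du répertoire ''/etc''
+
+Le répertoire ''dernier'' est un lien logique vers vers la dernière sauvegarde. Le répertoire a un nom de la forme : ''aaaa-mm-jj:hh:mm:ss_ddd.'' (exemple : ''2017-01-27_12:24:19_ven.'')
 
 
 ============================================= /etc/nsswitch.conf
-<blockquote>#
+<code>
+#
 # /etc/nsswitch.conf
 #
@@ -79,13 +86,116 @@
 aliases:    files nisplus
 
-sudoers:        files sss</blockquote>
+sudoers:        files sss
+</code>
 
 
 ============================================= /etc/sssd/sssd.conf
+<code>
+[nss]
+filter_groups = root
+filter_users = root
+reconnection_retries = 3
 
+[pam]
+reconnection_retries = 3
+
+[sssd]
+config_file_version = 2
+reconnection_retries = 3
+sbus_timeout = 30
+services = nss, pam
+domains = IGBMC.U-STRASBG.FR
 
-============================================= /etc/pam.d/common-session
+[domain/igbmc.u-strasbg.fr]
+#With this as false, a simple "getent passwd" for testing won't work. You must do getent passwd user@domain.com
+enumerate true
+cache_credentials true
+
+id_provider ldap
+#access_provider ldap
+auth_provider krb5
+chpass_provider krb5
+
+#ldap_uri ldaps://igbmc.u-strasbg.fr
+ldap_uri ldaps://igbmc.u-strasbg.fr
+ldap_search_base dc=igbmc,dc=u-strasbg,dc=fr
+#ldap_tls_cacert /etc/ssl/certs/ca-certificates.crt
+#ldap_access_filter memberOf=CN=info-igbmc_eq,OU=Equipes,OU=EMC Celerra,DC=igbmc,DC=u-strasbg,DC=fr
+
+#This parameter requires that the DC present a completely validated certificate chain. If you're testing or don't care, use 'allow' or 'never'
+#ldap_tls_reqcert = demand
+ldap_tls_reqcert = allow
 
+krb5_realm = IGBMC.U-STRASBG.FR
+dns_discovery_domain = IGBMC.U-STRASBG.FR
+
+ldap_schema = rfc2307bis
+ldap_access_order = expire
+ldap_account_expire_policy = ad
+ldap_force_upper_case_realm = true
+
+ldap_user_search_base = dc=igbmc,dc=u-strasbg,dc=fr
+ldap_group_search_base = dc=igbmc,dc=u-strasbg,dc=fr
+ldap_user_object_class = user
+ldap_user_name = sAMAccountName
+ldap_user_fullname = displayName
+ldap_user_home_directory = unixHomeDirectory
+#ldap_user_principal = userPrincipalName
+ldap_group_object_class = group
+ldap_group_name = sAMAccountName
+
+#Bind credentials
+#ldap_sasl_mech = GSSAPI
+#krb5_keytab = /etc/emcldap.keytab
+#ldap_krb5_keytab = /etc/emcldap.keytab
+#ldap_sasl_authid = emcldap@IGBMC.U-STRASBG.FR
+ldap_default_bind_dn = CN=Authentification Cavarelli-Wurtz,OU=Comptes de service,DC=igbmc,DC=u-strasbg,DC=fr
+ldap_default_authtok = 52S5rF(JrNP5xU
+
+#override_homedir = /home/%u
+#override_shell = /bin/bash
+
+dyndns_update = true
+dyndns_refresh_interval = 43200
+dyndns_update_ptr = true
+dyndns_ttl = 3600
 
+debug_level = 7
+</code>
+============================================= /etc/pam.d/common-session
+<code>
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
 
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session optional pam_krb5.so
+session required pam_unix.so
+#session optional pam_ldap.so
+session optional pam_systemd.so
+# end of pam-auth-update config
+</code>
 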
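Review bot: The pasted sssd.conf publishes the service account's bind password in clear on the `ldap_default_authtok` line, right under the `ldap_default_bind_dn` that names the account, so every reader of this wiki page — and of its revision history, which keeps the value even after the page is edited — holds a working directory credential; treat it as exposed, rotate it on the directory side, and keep only a placeholder in the page, e.g. `ldap_default_authtok = <bind password, lives only in /etc/sssd/sssd.conf, mode 0600 root>`. The same block sets `ldap_tls_reqcert = allow` while the `ldap_tls_cacert` line above it stays commented out, so the LDAPS server certificate is never verified and the channel carrying that simple bind gives no server authentication; the comment before it already describes `allow` as a testing value, so the documented configuration should be `ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt` and `ldap_tls_reqcert = demand`, with `allow` mentioned only as a troubleshooting step. `debug_level = 7` is also a very verbose setting to leave in a reference copy and deserves a comment such as `# 7 = verbose, for initial troubleshooting only; lower to the default once the domain works`.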