...
- User information : Enable LDAP support, LDAP search base DN : ou=people,dc=univ-rennes1,dc=fr, LDAP server : ldap://ldapglobal.univ-rennes1.fr
- Authentication : Enable Kerberos support, Realm : UNIV-RENNES1.FR, KDCs : kerb.ifsic kerb1.univ-rennes1.fr:88, Admin servers : kerb.ifsic kerb1.univ-rennes1.fr:749
- sur les gentoo de l'IFSIC : il faut installer les paquets mit-krb5 et pam_krb5 et au final le fichier /etc/pam.d/system-auth doit avoir l'allure suivante :
Bloc de code auth required pam_env.so auth sufficient pam_unix.so likeauth nullok auth sufficient pam_krb5.so try_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_krb5.so account required pam_permit.so password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 password sufficient pam_unix.so nullok md5 shadow use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_krb5.so
...
Bloc de code |
---|
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = UNIV-RENNES1.FR ticket_lifetime = 24h forwardable = yes [realms] UNIV-RENNES1.FR = { kdc = kerb.ifsickerb1.univ-rennes1.fr:88 kdc = kerb2.univ-rennes1.fr:88 admin_server = kerb.ifsickerb1.univ-rennes1.fr:749 default_domain = univ-rennes1.fr } [domain_realm] .univ-rennes1.fr = UNIV-RENNES1.FR univ-rennes1.fr = UNIV-RENNES1.FR [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } |
...