...
- User information : Enable LDAP support, LDAP search base DN : ou=people,dc=univ-rennes1,dc=fr, LDAP server : ldap://ldapglobal.univ-rennes1.fr
- Authentication : Enable Kerberos support, Realm : UNIV-RENNES1.FR, KDCs : kerb.ifsic kerb1.univ-rennes1.fr:88, Admin servers : kerb.ifsic kerb1.univ-rennes1.fr:749
- sur les gentoo de l'IFSIC : il faut installer les paquets mit-krb5 et pam_krb5 et au final le fichier /etc/pam.d/system-auth doit avoir l'allure suivante :
Bloc de code auth required pam_env.so auth sufficient pam_unix.so likeauth nullok auth sufficient pam_krb5.so try_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_krb5.so account required pam_permit.so password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 password sufficient pam_unix.so nullok md5 shadow use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_krb5.so
...
| Bloc de code |
|---|
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = UNIV-RENNES1.FR
ticket_lifetime = 24h
forwardable = yes
[realms]
UNIV-RENNES1.FR = {
kdc = kerb.ifsickerb1.univ-rennes1.fr:88
kdc = kerb2.univ-rennes1.fr:88
admin_server = kerb.ifsickerb1.univ-rennes1.fr:749
default_domain = univ-rennes1.fr
}
[domain_realm]
.univ-rennes1.fr = UNIV-RENNES1.FR
univ-rennes1.fr = UNIV-RENNES1.FR
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
} |
...