KERBEROS

If you use Kerberos, configure the default Kerberos realm so that krb5-libs, and therefore tools such as `kinit`, work out of the box.

{sysconfdir}/krb5.conf

```
[libdefaults]
 default_realm = MYREALM

[realms]
 MYREALM = {
  kdc = kdc.myrealm.org
 }

[domain_realm]
 myrealm.org = MYREALM
 .myrealm.org = MYREALM
```

SSSD

Authselect encourages users to use SSSD wherever possible. There are many configuration options; see sssd.conf(5). The following minimal configuration creates one LDAP domain called `default`. The LDAP server is auto-discovered through DNS lookups.

{sysconfdir}/sssd/sssd.conf

```
[sssd]
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
ldap_uri = _srv_
dns_discovery_domain = myrealm
```

Here is a configuration snippet for the same domain, but with authentication done over Kerberos. The KDC server is auto-discovered through DNS lookups.

```
[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = _srv_
krb5_server = _srv_
krb5_realm = MYREALM
dns_discovery_domain = myrealm
```
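
A consistency check for the krb5.conf and sssd.conf snippets above, as an added example that is not part of the original page or of the authselect project: it parses constructed copies of the two files and reports a Kerberos-authenticated SSSD domain whose `krb5_realm` is missing or differs from `default_realm`. The function names `lint` and `_parse` are hypothetical, and treating a realm mismatch as a finding is an assumption of this example.

```python
import configparser

# Constructed sample inputs that mirror the snippets on this page.
KRB5_CONF = """\
[libdefaults]
default_realm = MYREALM
"""
SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = _srv_
krb5_server = _srv_
krb5_realm = MYREALM
dns_discovery_domain = myrealm
"""

def _parse(text):
    # allow_no_value tolerates the bare "}" lines that close krb5.conf [realms] blocks
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    return cp

def lint(sssd_text, krb5_text):
    """Return a list of findings; an empty list means the files agree."""
    sssd, krb5 = _parse(sssd_text), _parse(krb5_text)
    default_realm = krb5.get("libdefaults", "default_realm", fallback=None)
    listed = sssd.get("sssd", "domains", fallback="") or ""
    names = [d.strip() for d in listed.split(",") if d.strip()]
    findings = [] if names else ["[sssd] lists no domains"]
    for name in names:
        section = f"domain/{name}"
        if not sssd.has_section(section):
            findings.append(f"{name}: listed in domains but [{section}] is missing")
            continue
        dom = sssd[section]
        if (dom.get("auth_provider") or "").lower() != "krb5":
            continue  # only Kerberos-authenticated domains are checked here
        realm = dom.get("krb5_realm")
        if not realm:
            findings.append(f"{name}: auth_provider = krb5 but krb5_realm is not set")
        elif default_realm and realm != default_realm:
            findings.append(f"{name}: krb5_realm {realm} != krb5.conf default_realm {default_realm}")
    return findings
```

Calling `lint(SSSD_CONF, KRB5_CONF)` on the samples returns an empty list; pass the text of the real files to check a host.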

If you want to configure SSSD for an IPA or Active Directory domain, use the `realm` tool. This will perform an initial setup which involves creating a Kerberos keytab and generating basic SSSD configuration. You can then tune it up by modifying {sysconfdir}/sssd/sssd.conf.

WINBIND

If you want to configure the machine to use Winbind, use `realm`. This will perform an initial setup which involves creating a Kerberos keytab and running `adcli` to join the domain. It also makes changes to `smb.conf`. You can then tune it up by modifying {sysconfdir}/samba/smb.conf.

NIS

There are several places that need to be configured to make NIS authentication work. First, set the NIS domain and, optionally, the NIS server in {sysconfdir}/yp.conf.

{sysconfdir}/yp.conf

```
domain mydomain broadcast
# or
# domain mydomain server myserver
```