authconfig --enableecryptfs --enablepamaccess --updateall
authselect select sssd with-ecryptfs with-pamaccess

authconfig --enableldap --enableldapauth --enablefaillock --updateall
authselect select sssd with-faillock

authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
authselect select sssd with-smartcard

authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
realm join -U Administrator --client-software=winbind WINBINDDOMAIN

Relation of authconfig options to authselect profiles:

Authconfig options                    Authselect profile
--enableldap --enableldapauth         sssd
--enablesssd --enablesssdauth         sssd
--enablekrb5                          sssd
--enablewinbind --enablewinbindauth   winbind
--enablenis                           nis

Relation of authconfig options to authselect profile features:

Authconfig options     Authselect profile feature
--enablesmartcard      with-smartcard
--enablefingerprint    with-fingerprint
--enableecryptfs       with-ecryptfs
--enablemkhomedir      with-mkhomedir
--enablefaillock       with-faillock
--enablepamaccess      with-pamaccess
--enablewinbindkrb5    with-krb5
--enableshadow         none
--passalgo             none

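The two tables above are enough to rewrite most old authconfig calls mechanically. The following shell function is an added example, not part of authselect or its documentation: it walks the option list of an authconfig invocation and prints the authselect command the tables imply. Two assumptions are made, both taken from the page's own examples: when no option names an identity source, the sssd profile is chosen (as in the --enableecryptfs example), and a winbind call with --winbindjoin=USER is replaced by a single `realm join` line with the placeholder domain WINBINDDOMAIN.

```shell
#!/bin/sh
# Added example; not part of authselect or its documentation.
# Translates the options of an "authconfig ..." call into the equivalent
# "authselect select ..." command using the profile and feature tables.

# Append a feature to the list unless it is already present
# (authconfig scripts often repeat options).
add_feature() {
    case " $features " in
        *" $1 "*) ;;
        *) features="$features $1" ;;
    esac
}

authconfig_to_authselect() {
    profile=""
    features=""
    join_user=""
    for opt in "$@"; do
        case "$opt" in
            --enableldap|--enableldapauth|--enablesssd|--enablesssdauth|--enablekrb5)
                profile="sssd" ;;
            --enablewinbind|--enablewinbindauth)
                profile="winbind" ;;
            --enablenis)
                profile="nis" ;;
            --enablesmartcard)   add_feature with-smartcard ;;
            --enablefingerprint) add_feature with-fingerprint ;;
            --enableecryptfs)    add_feature with-ecryptfs ;;
            --enablemkhomedir)   add_feature with-mkhomedir ;;
            --enablefaillock)    add_feature with-faillock ;;
            --enablepamaccess)   add_feature with-pamaccess ;;
            --enablewinbindkrb5) add_feature with-krb5 ;;
            --winbindjoin=*)     join_user="${opt#--winbindjoin=}" ;;
            # No authselect counterpart: the hashing method is fixed by the
            # profile, --updateall is implied by "select", and the page's
            # smartcard example drops --smartcardmodule=sssd entirely.
            --enableshadow|--passalgo=*|--updateall|--smartcardmodule=*) ;;
            *)
                echo "no authselect equivalent known for option: $opt" >&2
                return 1 ;;
        esac
    done
    # Assumption: default to sssd when no identity-source option was given.
    [ -n "$profile" ] || profile="sssd"
    if [ "$profile" = "winbind" ] && [ -n "$join_user" ]; then
        # Mirrors the page's winbind example, which replaces the whole
        # authconfig call with realm join; WINBINDDOMAIN is a placeholder.
        echo "realm join -U $join_user --client-software=winbind WINBINDDOMAIN"
    else
        echo "authselect select $profile$features"
    fi
}

# Demonstration on the page's own examples.
authconfig_to_authselect --enableldap --enableldapauth --enablefaillock --updateall
authconfig_to_authselect --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
```

Options the function does not recognise make it fail loudly rather than silently dropping them, so a script that used some authconfig flag outside the two tables is flagged for manual review instead of being converted into a weaker configuration.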
Authconfig options `--enableshadow` and `--passalgo=sha512` were often used to make sure that passwords are stored in `/etc/shadow` using the sha512 algorithm. *The authselect profiles now use the yescrypt hashing method* and it cannot be changed through an option (only by creating a custom profile). You can simply omit these options.

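Switching the profile changes the hashing method for passwords set from now on; an entry in `/etc/shadow` keeps its old hash until that password is next changed. The following script is an added example, not part of authselect or its documentation: it classifies the hash method of each entry in a shadow(5)-format file by its `$id$` prefix, so an administrator can see which accounts still carry sha512 (`$6$`) hashes after the migration and which have already been rehashed with yescrypt (`$y$`). The sample entries are constructed, with placeholder salt and hash bodies.

```shell
#!/bin/sh
# Added example; not part of authselect or its documentation.
# Reports the password hashing method used by each shadow(5) entry.

# Classify one password field by its crypt(5) prefix.
shadow_hash_method() {
    case "$1" in
        '')                      echo empty ;;         # no password at all
        '!'*|'*'*)               echo locked ;;        # locked or no-login account
        '$y$'*)                  echo yescrypt ;;
        '$gy$'*)                 echo gost-yescrypt ;;
        '$7$'*)                  echo scrypt ;;
        '$6$'*)                  echo sha512 ;;
        '$5$'*)                  echo sha256 ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$1$'*)                  echo md5 ;;
        *)                       echo unknown ;;
    esac
}

# Read shadow-format lines on stdin and print "user method" per entry.
audit_shadow() {
    while IFS=: read -r user pw _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(shadow_hash_method "$pw")"
    done
}

# Count accounts that are neither locked nor already on yescrypt
# (stdin as above); empty password fields are counted as findings too.
count_non_yescrypt() {
    audit_shadow | awk '$2 != "yescrypt" && $2 != "locked" { n++ } END { print n + 0 }'
}

# Constructed sample; the salt and hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW=$(printf '%s\n' \
    'root:$y$j9T$SALTPLACEHOLDER$HASHPLACEHOLDER:19500:0:99999:7:::' \
    'alice:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:19500:0:99999:7:::' \
    'bob:!!:19500:0:99999:7:::' \
    'daemon:*:19500:0:99999:7:::' \
    'legacy::19500:0:99999:7:::')

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
printf '%s\n' "$SAMPLE_SHADOW" | count_non_yescrypt
```

Run it as root against the real file with `audit_shadow < /etc/shadow`; the accounts reported as sha512 are the ones whose users have not changed their password since the profile was selected.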
AUTHCONFIG TOOLS

Authconfig shipped a tool called _cacertdir_rehash_. If you depend on this tool, switch to the native _openssl_ command *openssl rehash <directory>*, which serves the same purpose.

Authconfig tries its best to keep users' manual changes to the files it generates. It generates not only PAM configuration files and nsswitch.conf (to set up authentication modules and identity sources) but also simple configuration files for several services such as LDAP and Kerberos.

Authselect does no such thing. It does not generate any configuration files besides PAM and nsswitch.conf, and it strictly prohibits any manual changes to the generated configuration. It provides a set of files called profiles. Each profile describes what the resulting configuration should look like, and it can be slightly modified by enabling or disabling certain optional features. If a need arises for a different profile than what authselect ships, the administrator can create a whole new profile and use it with authselect. See authselect-profiles(5) to learn more about profiles.

Authselect enables the `pam_pwquality` module to enforce password quality restrictions. This module is enabled only for local users. Remote users should use the password policy that is enforced by the respective remote server.

Depending on your configuration, you need to start the required services manually with systemd.

Authselect encourages users to use SSSD wherever possible. There are many configuration options, see sssd.conf(5). This is a minimal configuration that creates one LDAP domain called `default`. The LDAP server is auto-discovered through DNS lookups.

[domain/default]
id_provider = ldap
ldap_uri = _srv_
dns_discovery_domain = myrealm

And here is a configuration snippet for the same domain, but now authentication is done over Kerberos. The KDC server is auto-discovered through DNS lookups.

[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = _srv_
krb5_server = _srv_
krb5_realm = MYREALM
dns_discovery_domain = myrealm

For Kerberos, krb5.conf maps DNS domain names to the realm:

[domain_realm]
myrealm.org = MYREALM
.myrealm.org = MYREALM

For NIS, yp.conf names the domain and locates the server either by broadcast or explicitly:

domain mydomain broadcast
# or
domain mydomain server myserver

Even if LDAP is not used directly through `pam_ldap` and `nss_ldap`, it is still useful to configure ldap.conf, which configures openldap-libs and, indirectly, LDAP tools such as `ldapsearch`.