I used two tutorials - Ubuntu Community Howto, and Cat in the Red Hat. Basically, since I already had Kerberos authentication working, I just installed the necessary packages:
sudo apt-get install nss-updatedb libnss-db libpam-ccreds
and then edited my /etc/pam.d/common-auth file as per Cat in the Red Hat's instructions.
Listed here is the entire contents of my /etc/pam.d/common-auth file. Reading the stack top to bottom, it tries local Unix accounts first (pam_unix), then AD via Kerberos (pam_krb5), and otherwise continues to the cached credentials (pam_ccreds action=validate), which is what lets a domain user log in when the KDC cannot be reached; after a successful Kerberos login the success=1 jump skips the validate line and lands on action=store, which refreshes the cache. Two things worth knowing before copying it: nullok on pam_unix lets local accounts with an empty password log in, so drop it if you don't need that, and uid >= 500 simply keeps system accounts off the Kerberos path (regular users on Ubuntu start at 1000, so they pass):
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth [default=ignore success=1 service_err=reset] pam_krb5.so use_first_pass
auth [default=die success=done] pam_ccreds.so action=validate use_first_pass
auth sufficient pam_ccreds.so action=store use_first_pass
auth required pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
Some of the errors I encountered:
Firstly, caching will not work if you have a line like the following above the pam_ccreds lines:
#Windows Domain Auth
#auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
Because the control is sufficient, a successful Kerberos authentication through pam_winbind ends the auth stack right there, so the pam_ccreds.so action=store line below it never runs and nothing is ever written to the cache. I just commented this line out, and it worked fine.
If you receive an error such as "su: Error in service module" when trying to log in, it may be that your file is misconfigured. Check whether /var/cache/.security.db (the default pam_ccreds database) is being created or updated; if it isn't, then most likely PAM isn't reaching the line where pam_ccreds.so is referenced. Check that you don't have any auth sufficient lines where they shouldn't be.

If you're interested, there's also quite a nice GUI for Active Directory integration at Likewise. I haven't used it, but it looks like an easy way to set up AD authentication from Ubuntu without editing heaps of config files.
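As an added example that is not part of the original post, here is a small POSIX shell script covering both of the checks above: it lints a common-auth stack for sufficient lines that stop the pam_ccreds store line from ever running (the pam_winbind problem), and it checks whether the cache database was created or updated after a marker file (the ".security.db is not being updated" problem). The function names, the marker technique and the sample files are my own; the sample stacks are constructed copies of the one in this post, written to a temporary directory so the script runs without touching /etc/pam.d.

```shell
#!/bin/sh
# Added example (not from the original post): lint a PAM auth stack for the
# ordering mistake that breaks pam_ccreds caching, and check cache freshness.
# Function names and sample files are my own invention.

# check_ccreds_order FILE
# Walks the auth lines of a PAM stack in order. Any "sufficient" line other than
# pam_unix.so that appears before "pam_ccreds.so action=store" is flagged: a
# domain user who succeeds there leaves the stack immediately, so the store
# line never runs and the cache is never written. Also flags a missing
# validate/store line. Prints one diagnostic per problem; returns 0 when clean.
check_ccreds_order() {
    awk '
    /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
    $1 != "auth"         { next }          # only the auth stack matters here
    {
        n++
        control = $2
        i = 3
        # bracketed control values contain spaces: join fields up to the "]"
        if (control ~ /^\[/) {
            while (i <= NF && control !~ /\]$/) { control = control " " $i; i++ }
        }
        module = $i
        if (module == "pam_ccreds.so") {
            if ($0 ~ /action=store/)    store_line = n
            if ($0 ~ /action=validate/) validate_line = n
        } else if (control == "sufficient" && module != "pam_unix.so" && !store_line) {
            printf("auth line %d: sufficient %s precedes pam_ccreds action=store; ", n, module)
            print "a successful domain login returns here and nothing is cached"
            bad = 1
        }
    }
    END {
        if (!store_line)    { print "no pam_ccreds.so action=store line";    bad = 1 }
        if (!validate_line) { print "no pam_ccreds.so action=validate line"; bad = 1 }
        if (bad) exit 1
    }' "$1"
}

# cache_touched_since DB MARKER
# Usage on a real box: touch a marker, log in as a domain user, then run this
# against /var/cache/.security.db. Returns 0 if the database was created or
# updated after the marker, 1 with a reason otherwise.
cache_touched_since() {
    if [ ! -e "$1" ]; then
        echo "$1 does not exist: PAM never reached pam_ccreds.so action=store"
        return 1
    fi
    if [ "$1" -nt "$2" ]; then
        return 0
    fi
    echo "$1 exists but was not updated after $2: the store line did not run"
    return 1
}

# --- demo on constructed sample files (not real system files) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
BAD_CONF="$DEMO_DIR/common-auth.bad"
GOOD_CONF="$DEMO_DIR/common-auth.good"

# Constructed: the stack from the post with the pam_winbind line left active.
cat > "$BAD_CONF" <<'EOF'
#Windows Domain Auth
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth [default=ignore success=1 service_err=reset] pam_krb5.so use_first_pass
auth [default=die success=done] pam_ccreds.so action=validate use_first_pass
auth sufficient pam_ccreds.so action=store use_first_pass
auth required pam_deny.so
EOF

# Constructed: the same stack with that line commented out (the working version).
sed 's/^auth sufficient pam_winbind/#&/' "$BAD_CONF" > "$GOOD_CONF"

for conf in "$BAD_CONF" "$GOOD_CONF"; do
    echo "== $conf"
    if check_ccreds_order "$conf"; then
        echo "ok: pam_ccreds validate/store lines are reachable"
    fi
done

# Cache freshness demo: marker dated in the past, "database" touched now.
DEMO_MARKER="$DEMO_DIR/marker"
DEMO_DB="$DEMO_DIR/security.db"
touch -t 202001010000 "$DEMO_MARKER"
touch "$DEMO_DB"
cache_touched_since "$DEMO_DB" "$DEMO_MARKER" && echo "ok: cache updated after marker"
cache_touched_since "$DEMO_DIR/missing.db" "$DEMO_MARKER" || true
```

On a real machine, run check_ccreds_order /etc/pam.d/common-auth; note that it will also flag a sufficient pam_krb5.so or pam_ldap.so line placed above the store line, for the same reason as pam_winbind. The only sufficient line deliberately tolerated is pam_unix.so, because local accounts never need to be cached.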