tac_plus AD integration with PAM

Yu Wang yuwang at cs.fsu.edu
Thu Mar 20 14:56:22 UTC 2014


Try using pam_ldap for the account (authorization) part. You will need to create 
pam_ldap.conf or ldap.conf, depending on your server OS, to query a user's 
attribute (uid).

Your pam.d/tac_plus account part would look like:

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so   <------
account     required      pam_permit.so



On Thu, 20 Mar 2014, Donato Rivera wrote:

> Greetings,
>
>
> I am attempting to integrate my tac_plus solution with AD using PAM. I have tried numerous iterations I found online with no luck. I am listing my config below, the krb5.conf seems to pass which I will also list. Any assistance is greatly appreciated.
>
>
> AD Credentials Test using kerberos:
>
>
> [root at pam.d]# kinit Dan
> Password for Dan at domain:
>
> [root at pam.d]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Dan at domain
>
> Valid starting     Expires            Service principal
> 03/20/14 10:00:50  03/20/14 20:00:56  krbtgt/domain
>        renew until 03/27/14 10:00:50
>
>
> Configuration:
>
>
> /etc/tac_plus.conf
>
> key = "TestKey"
> accounting file = /var/log/tac.acct.log
> # authentication users not appearing elsewhere via
> # the file /etc/passwd
> #default authentication = file /etc/passwd
>
>
> # A group that can change some limited configuration on switchports
> # related to host-side network configuration
>
> group = Admin {
>        # login = file /etc/passwd
>        # or authenticated via PAM:
>        # login = PAM
>         service = exec {
>         priv-lvl = 15
>                }
>                 }
>
> user = dan {
>        login = PAM
>        member = Admin
> }
>
>
> /etc/pam.d/tac_plus
>
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_krb5.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_krb5.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_krb5.so
>
>
> /etc/krb5.conf
>
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = domain_name
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
> [realms]
> domain_name = {
>  kdc = x.x.x.x
>  admin_server = x.x.x.x
> }
>
> [domain_realm]
> domain_name = domain_name
>
>
> Thanks,
>
> Danny
>

-- 
--Yu Wang

****************************************************
       Computer & Network System Administrator
****************************************************
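As an added illustration (not part of Yu's or Donato's mail), the following Python model walks the account stack suggested above using Linux-PAM's control-flag semantics from pam.d(5), so you can see why an AD-only user whose uid is not resolvable fails at `required pam_unix.so` and why `user_unknown=ignore` on pam_ldap is harmless once it is. The per-module return codes in each scenario are constructed assumptions about an AD-only user, not output of the real modules.

```python
# Model of Linux-PAM control-flag evaluation (pam.d(5); pam_dispatch_aux in libpam) for the account
# stack in this thread; jump/'reset' actions are omitted and module return codes are constructed.
CONTROLS = {  # keyword controls used here, written as their bracketed equivalents
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

def parse_stack(text, mgmt="account"):
    """[(control_dict, module)] for one management group; module arguments are not modelled."""
    stack = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == mgmt:
            rest = parts[1]
            if rest.startswith("["):              # [value=action ...] form
                end = rest.index("]")
                ctl, rest = dict(kv.split("=", 1) for kv in rest[1:end].split()), rest[end + 1:]
            else:
                ctl, rest = CONTROLS[rest.split()[0]], rest.split(None, 1)[1]
            stack.append((ctl, rest.split()[0]))
    return stack

def run_stack(stack, results):
    impression, status = None, None               # None = undefined, else "pos"/"neg"
    for ctl, module in stack:
        retval = results.get(module, "success")
        action = ctl.get(retval, ctl.get("default", "bad"))  # unlisted value -> default -> bad
        if action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", retval
            if action == "done" and impression == "pos":
                break                             # sufficient stops the stack only if nothing failed
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", retval  # the first failure fixes the error code
            if action == "die":
                break
    return status if impression is not None else "perm_denied"
SUGGESTED = """\
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
"""
# Constructed scenarios for an AD-only user: no NSS entry, uid resolved via nss_ldap, expired in LDAP.
NO_NSS = {"pam_unix.so": "user_unknown", "pam_localuser.so": "user_unknown",
          "pam_succeed_if.so": "auth_err", "pam_ldap.so": "user_unknown"}
WITH_LDAP = {"pam_localuser.so": "user_unknown", "pam_succeed_if.so": "auth_err"}
LDAP_EXPIRED = dict(WITH_LDAP, **{"pam_ldap.so": "acct_expired"})
```

`run_stack(parse_stack(SUGGESTED), NO_NSS)` returns `user_unknown` (pam_unix fails the stack and the trailing pam_permit cannot rescue it), while `WITH_LDAP` returns `success`; a local admin (every module succeeding) is short-circuited by `sufficient pam_localuser.so`.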