Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in
Toggle navigation
Open sidebar
infra
ansible-shared
samba
Commits
2fa7da36
Commit
2fa7da36
authored
Nov 19, 2020
by
Lars Beckers
Browse files
ad-auth: custom pam configs to prefer sss over unix
parent
ad9afb4a
Pipeline
#2613
passed with stage
in 45 seconds
Changes
3
Pipelines
1
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
72 additions
and
4 deletions
+72
-4
ad-auth/files/pam/sss-custom
ad-auth/files/pam/sss-custom
+23
-0
ad-auth/files/pam/unix-custom
ad-auth/files/pam/unix-custom
+24
-0
ad-auth/tasks/pam.yml
ad-auth/tasks/pam.yml
+25
-4
No files found.
ad-auth/files/pam/sss-custom
0 → 100644
View file @
2fa7da36
Name: SSS authentication
Default: yes
Conflicts: sss
Priority: 301
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_sss.so ignore_unknown_user forward_pass
Auth-Initial:
[success=end default=ignore] pam_sss.so ignore_unknown_user forward_pass
Account-Type: Additional
Account:
sufficient pam_localuser.so
[default=bad success=ok user_unknown=ignore] pam_sss.so
Session-Type: Additional
Session-Interactive-Only: yes
Session:
optional pam_sss.so
Password-Type: Primary
Password:
sufficient pam_sss.so use_authtok
Password-Initial:
sufficient pam_sss.so
ad-auth/files/pam/unix-custom
0 → 100644
View file @
2fa7da36
Name: Unix authentication
Default: yes
Conflicts: unix
Priority: 300
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_unix.so use_first_pass nullok_secure
Auth-Initial:
[success=end default=ignore] pam_unix.so use_first_pass nullok_secure
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Account-Initial:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Session-Type: Additional
Session:
required pam_unix.so
Session-Initial:
required pam_unix.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
Password-Initial:
[success=end default=ignore] pam_unix.so obscure sha512
ad-auth/tasks/pam.yml
View file @
2fa7da36
---
# file: roles/ad-auth/tasks/pam.yml
-
name
:
ensure pam applies a general umask
-
name
:
retrieve data of overwritten pam configs (unix)
stat
:
path
:
"
/usr/share/pam-configs/unix"
checksum_algorithm
:
"
sha1"
register
:
"
pamunix"
-
name
:
retrieve data of overwritten pam configs (sss)
stat
:
path
:
"
/usr/share/pam-configs/sss"
checksum_algorithm
:
"
sha1"
register
:
"
pamsss"
-
name
:
check that overwritten pam configs were not updated
fail
:
msg
:
"
The
original
PAM
configs
(unix/sss)
that
we
overwrite
have
changed."
when
:
(pamunix.stat.checksum != '727dc8f53ceaea0264d0877fcbb2a52eb341ff10'
or pamsss.stat.checksum != '3c1d4e9fa522e2ec9729260d3b108ef31df8ef9d')
-
name
:
ensure pam applies customized configs
copy
:
src
:
pam/
umask
dest
:
/usr/share/pam-configs/
umask
src
:
"
pam/
{{
item
}}"
dest
:
"
/usr/share/pam-configs/
{{
item
}}"
owner
:
root
group
:
root
mode
:
'
0644'
notify
:
-
regenerate pam config
with_items
:
-
umask
-
sss-custom
-
unix-custom
tags
:
-
pam
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
