Commit 2fa7da36
authored Nov 19, 2020 by Lars Beckers
ad-auth: custom pam configs to prefer sss over unix
Parent: ad9afb4a
Pipeline #2613 passed with stage in 45 seconds
Showing 3 changed files with 72 additions and 4 deletions:
ad-auth/files/pam/sss-custom (+23 -0)
ad-auth/files/pam/unix-custom (+24 -0)
ad-auth/tasks/pam.yml (+25 -4)
ad-auth/files/pam/sss-custom
0 → 100644
Name: SSS authentication
Default: yes
Conflicts: sss
Priority: 301
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_sss.so ignore_unknown_user forward_pass
Auth-Initial:
[success=end default=ignore] pam_sss.so ignore_unknown_user forward_pass
Account-Type: Additional
Account:
sufficient pam_localuser.so
[default=bad success=ok user_unknown=ignore] pam_sss.so
Session-Type: Additional
Session-Interactive-Only: yes
Session:
optional pam_sss.so
Password-Type: Primary
Password:
sufficient pam_sss.so use_authtok
Password-Initial:
sufficient pam_sss.so
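Review bot: `Conflicts: sss` leaves the stock profile on disk next to this one (pam.yml still stats /usr/share/pam-configs/sss), and nothing in this change shows which of the two ends up in the generated stack on a host where the stock profile was already enabled. The "regenerate pam config" handler is not part of this diff, so please confirm on both a fresh and an already-enrolled host that the generated auth stack contains only the `pam_sss.so ignore_unknown_user forward_pass` line. It would also help to record, in the role's documentation or in pam.yml, that this file is a modified copy of the stock profile and which lines differ, so that a failed checksum check can be resolved by re-merging instead of guessing.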
ad-auth/files/pam/unix-custom
0 → 100644
Name: Unix authentication
Default: yes
Conflicts: unix
Priority: 300
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_unix.so use_first_pass nullok_secure
Auth-Initial:
[success=end default=ignore] pam_unix.so use_first_pass nullok_secure
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Account-Initial:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Session-Type: Additional
Session:
required pam_unix.so
Session-Initial:
required pam_unix.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
Password-Initial:
[success=end default=ignore] pam_unix.so obscure sha512
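Review bot: `Auth-Initial:` carries `use_first_pass`, which tells pam_unix never to prompt and to fail when no earlier module has stored a password. The `-Initial` block is the one used when this profile is first in the auth stack, so on any host where sss-custom is disabled or absent, local logins would be denied without a prompt. Suggest keeping `use_first_pass` only on `Auth:` and letting `Auth-Initial:` prompt (no option, or `try_first_pass`). Separately, `nullok_secure` on both Auth lines still accepts empty local passwords on secure ttys; drop it unless an account really depends on it.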
ad-auth/tasks/pam.yml
---
# file: roles/ad-auth/tasks/pam.yml
-
name
:
ensure pam applies a general umask
-
name
:
retrieve data of overwritten pam configs (unix)
stat
:
path
:
"
/usr/share/pam-configs/unix"
checksum_algorithm
:
"
sha1"
register
:
"
pamunix"
-
name
:
retrieve data of overwritten pam configs (sss)
stat
:
path
:
"
/usr/share/pam-configs/sss"
checksum_algorithm
:
"
sha1"
register
:
"
pamsss"
-
name
:
check that overwritten pam configs were not updated
fail
:
msg
:
"
The
original
PAM
configs
(unix/sss)
that
we
overwrite
have
changed."
when
:
(pamunix.stat.checksum != '727dc8f53ceaea0264d0877fcbb2a52eb341ff10'
or pamsss.stat.checksum != '3c1d4e9fa522e2ec9729260d3b108ef31df8ef9d')
-
name
:
ensure pam applies customized configs
copy
:
src
:
pam/umask
dest
:
/usr/share/pam-configs/umask
src
:
"
pam/{{
item
}}"
dest
:
"
/usr/share/pam-configs/{{
item
}}"
owner
:
root
group
:
root
mode
:
'
0644'
notify
:
-
regenerate pam config
with_items
:
-
umask
-
sss-custom
-
unix-custom
tags
:
-
pam
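Review bot: The `when:` on the fail task reads `pamunix.stat.checksum` and `pamsss.stat.checksum` without first checking `stat.exists`. If either stock file is missing (for example, the package that provides /usr/share/pam-configs/sss is not installed yet), the attribute is undefined and the task stops on a templating error instead of the intended message. Suggest guarding with `pamunix.stat.exists and pamsss.stat.exists`, or a `| default('')` on each checksum. The two SHA-1 values are bare literals: a comment naming the distribution release or package version they were taken from would make a failure actionable, and the message could say which of the two files changed. SHA-1 is fine here as a change detector, since the files are only writable by root.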