Commit 2fa7da36 authored by Lars Beckers's avatar Lars Beckers

ad-auth: custom pam configs to prefer sss over unix

parent ad9afb4a
Name: SSS authentication
Default: yes
Conflicts: sss
Priority: 301
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_sss.so ignore_unknown_user forward_pass
Auth-Initial:
[success=end default=ignore] pam_sss.so ignore_unknown_user forward_pass
Account-Type: Additional
Account:
sufficient pam_localuser.so
[default=bad success=ok user_unknown=ignore] pam_sss.so
Session-Type: Additional
Session-Interactive-Only: yes
Session:
optional pam_sss.so
Password-Type: Primary
Password:
sufficient pam_sss.so use_authtok
Password-Initial:
sufficient pam_sss.so
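Review bot: The `sufficient pam_localuser.so` line in the Account stack ends the account phase for any name found in /etc/passwd, so the `pam_sss.so` account check on the following line never runs for such a name; if that same name also exists in the domain, the Auth stack above has just authenticated it through pam_sss, so sssd's account-phase access control is skipped for it. The line does keep local accounts usable when sssd is unreachable (`default=bad` on the pam_sss account line would otherwise fail them), so this reads as a deliberate trade-off rather than an error, but the commit does not record it. I would note it next to the copy task in roles/ad-auth/tasks/pam.yml, e.g. `# sss-custom: pam_localuser is sufficient in Account so local logins survive an sssd outage; a local name that collides with a domain name bypasses sssd's account-phase access control`, and make sure local accounts are not created with names that exist in the domain.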
Name: Unix authentication
Default: yes
Conflicts: unix
Priority: 300
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_unix.so use_first_pass nullok_secure
Auth-Initial:
[success=end default=ignore] pam_unix.so use_first_pass nullok_secure
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Account-Initial:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Session-Type: Additional
Session:
required pam_unix.so
Session-Initial:
required pam_unix.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
Password-Initial:
[success=end default=ignore] pam_unix.so obscure sha512
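Review bot: `Auth-Initial:` on the unix profile carries `use_first_pass`, which makes pam_unix fail outright whenever it is the first module in the stack, because no stacked password exists yet; with sss-custom at Priority 301 it is never first today, but disabling that profile (or a pam-auth-update run on a host without the sss profile) would leave the unix auth line unable to succeed and lock out local users. Keep `use_first_pass` on the `Auth:` line, where the password forwarded by pam_sss is what you want, and drop it from the initial line: `[success=end default=ignore] pam_unix.so nullok_secure`. Note also that `nullok_secure` still admits local accounts with an empty password from a tty listed in /etc/securetty, as the stock profile does; remove it if empty local passwords are not meant to be accepted on these hosts.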
---
# file: roles/ad-auth/tasks/pam.yml
- name: ensure pam applies a general umask
- name: retrieve data of overwritten pam configs (unix)
stat:
path: "/usr/share/pam-configs/unix"
checksum_algorithm: "sha1"
register: "pamunix"
- name: retrieve data of overwritten pam configs (sss)
stat:
path: "/usr/share/pam-configs/sss"
checksum_algorithm: "sha1"
register: "pamsss"
- name: check that overwritten pam configs were not updated
fail:
msg: "The original PAM configs (unix/sss) that we overwrite have changed."
when: (pamunix.stat.checksum != '727dc8f53ceaea0264d0877fcbb2a52eb341ff10'
or pamsss.stat.checksum != '3c1d4e9fa522e2ec9729260d3b108ef31df8ef9d')
- name: ensure pam applies customized configs
copy:
src: pam/umask
dest: /usr/share/pam-configs/umask
src: "pam/{{ item }}"
dest: "/usr/share/pam-configs/{{ item }}"
owner: root
group: root
mode: '0644'
notify:
- regenerate pam config
with_items:
- umask
- sss-custom
- unix-custom
tags:
- pam
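Review bot: The `when:` on the fail task dereferences `pamunix.stat.checksum` and `pamsss.stat.checksum`, but Ansible's stat module omits `checksum` when the path does not exist, so a host without libpam-sss (or with a renamed profile) aborts with an undefined-attribute error instead of the intended message. Test existence first: `when: not pamunix.stat.exists or not pamsss.stat.exists or pamunix.stat.checksum != '727dc8f53ceaea0264d0877fcbb2a52eb341ff10' or pamsss.stat.checksum != '3c1d4e9fa522e2ec9729260d3b108ef31df8ef9d'`. The task names and message still say the stock profiles are overwritten, while the copy now installs `sss-custom`/`unix-custom` alongside them and relies on `Conflicts:` to disable the originals; wording such as `msg: "The stock PAM profiles (unix/sss) that sss-custom/unix-custom shadow have changed."` would match what the check actually guards.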