infra / ansible-shared / samba
Commit 9bfa49aa, authored Apr 19, 2022 by Lars Beckers

Merge branch 'fix-pam-auth' into 'master'

fix building pam config

See merge request !7

parents 43ad6950 42c343d7
Pipeline #3967 passed with stage in 39 seconds
ad-auth/handlers/main.yml
---
-
name
:
regenerate pam config
# I kill that cat
-
name
:
disable pam-auth-update heuristic
file
:
path
:
/var/lib/pam/
state
:
"
{{
item
}}"
mode
:
"
0755"
owner
:
root
group
:
root
with_items
:
-
absent
-
directory
listen
:
"
regenerate
pam
config"
-
name
:
update pam
command
:
pam-auth-update --force
environment
:
DEBIAN_FRONTEND
:
noninteractive
listen
:
"
regenerate
pam
config"
-
name
:
clear sssd cache
command
:
sss_cache -E
...
...
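Review bot: the only explanation for wiping /var/lib/pam/ in the `disable pam-auth-update heuristic` handler is the comment `# I kill that cat`, which does not tell a later reader what state is being discarded or why that is safe. Please replace it with a sentence saying what pam-auth-update keeps in that directory and why it has to be reset before `pam-auth-update --force` runs. Both handlers listen on "regenerate pam config" and only work in the order they are defined (directory reset first, then `update pam`), so a comment stating that ordering requirement would keep someone from reordering the file.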
ad-auth/tasks/pam.yml
...
...
@@ -25,17 +25,34 @@
-
pamunix.stat.checksum != 'f3703a58a041745d6b70b9ebb179736653d32ef4'
-
name
:
ensure pam applies customized configs
copy
:
src
:
"
pam/{{
item
}}"
template
:
src
:
"
pam/{{
item
}}
.j2
"
dest
:
"
/usr/share/pam-configs/{{
item
}}"
owner
:
root
group
:
root
mode
:
'
0644'
notify
:
-
disable pam-auth-update heuristic
-
regenerate pam config
with_items
:
-
umask
-
sss-custom
-
unix-custom
tags
:
-
pam
-
name
:
ensure we readout current debconf
debconf
:
name
:
libpam-runtime
register
:
debconf_libpam
-
name
:
ensure debconf is updated
debconf
:
name
:
libpam-runtime
question
:
libpam-runtime/profiles
vtype
:
multiselect
value
:
>-
{{ debconf_libpam["current"]["libpam-runtime/profiles"].split(", ") |
map("regex_replace", '^(unix|sss)$', '\\1-custom') |
join(', ') }}
notify
:
-
disable pam-auth-update heuristic
-
regenerate pam config
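Review bot: in `ensure debconf is updated`, the value expression indexes debconf_libpam["current"]["libpam-runtime/profiles"] with no default, so the task fails with an undefined-variable error on a host where that question has no stored value. Guard it with a `default('')` filter on the lookup or a `when` that checks the key is present. As far as the visible lines show, neither debconf task carries the `pam` tag that the template task has, so a run limited with `--tags pam` would install the -custom profiles without switching the debconf selection; tagging all three the same way would keep the steps together.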
ad-auth/
fil
es/pam/sss-custom
→
ad-auth/
templat
es/pam/sss-custom
.j2
Name: SSS authentication
Name: SSS authentication
custom
Default: yes
Conflicts: sss
Priority: 301
...
...
ad-auth/
fil
es/pam/umask
→
ad-auth/
templat
es/pam/umask
.j2
File moved
ad-auth/
fil
es/pam/unix-custom
→
ad-auth/
templat
es/pam/unix-custom
.j2
Name: Unix authentication
Name: Unix authentication
custom
Default: yes
Conflicts: unix
Priority: 300
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_unix.so
use
_first_pass nullok_secure
[success=end default=ignore] pam_unix.so
try
_first_pass
{{ "
nullok_secure
" if ansible_distribution_major_version|int(default=99) < 11 else "nullok" }}
Auth-Initial:
[success=end default=ignore] pam_unix.so
use
_first_pass nullok_secure
[success=end default=ignore] pam_unix.so
try
_first_pass
{{ "
nullok_secure
" if ansible_distribution_major_version|int(default=99) < 11 else "nullok" }}
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
...
...
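Review bot: on the Auth and Auth-Initial lines the template falls back to plain `nullok` when the major version is 11 or higher, which lets an account with an empty password field authenticate through every service that includes this stack, where `nullok_secure` restricted that to terminals listed in /etc/securetty. Unless empty passwords are actually required, emit no nullok option at all on that branch. The same lines also change `use_first_pass` to `try_first_pass`, which alters prompting behaviour and is not mentioned in the commit message; it deserves a line there or its own commit.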
@@ -19,6 +19,7 @@ Session-Initial:
required pam_unix.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass
{{ "
sha512
" if ansible_distribution_major_version|int(default=99) < 11 else "yescrypt" }}
Password-Initial:
[success=end default=ignore] pam_unix.so obscure sha512
[success=end default=ignore] pam_unix.so obscure {{ "sha512" if ansible_distribution_major_version|int(default=99) < 11 else "yescrypt" }}
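Review bot: the sha512/yescrypt choice on the Password and Password-Initial lines repeats the same inline expression already used twice on the Auth lines, and it tests ansible_distribution_major_version alone, so it silently assumes Debian release numbering. Compute the release check once at the top of the template with a `{% set %}` variable, and include ansible_distribution in it if the role can run on derivatives. `int(default=99)` also sends any non-numeric version to the yescrypt/nullok branch; a template comment should say that this is intended.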