ROSA Linux Bugzilla – Bug 5448
drakxtools needs to be properly configured for various Domains.
Last modified: 2015-07-11 02:05:44 MSD
This is somewhat of a placeholder bug, as it will be used as the basis to resolve a complex subject of issues with how various Domain Topologies are configured by DrakAuth, libuser and the Name Service Switch (NSS).
The Goals are:
Configure the NSS to each Domain structure correctly.
Configure libuser.conf to reflect that change.
Included are the following types of Domains and configuration cases:
Active Directory Domains with Winbind.
Active Directory Domains with RFC 2037 Support. (Samba 4 normally.)
Classic NT Domains (Samba 3 without LDAP usually.)
Open Directory Domains (OpenLDAP, Kerberos, and Samba 3/4 working together without AD)
Users should be able to:
Log in Securely (NSS and PAM).
Change Passwords (libuser)
Cache Credentials for offline authentication (nss_db and pam_ccreds)
Okay, I'm still having issues with Drakauth configuring PAM in such a way that even root can't log in.
I've been using sssd for some time, I can say with certainty it works, but the Rosa login screen is horrendous with it. Every user is displayed.
Try current build of drakxtools please.
Command to add i586 container:
urpmi.addmedia 2520025 http://abf-downloads.rosalinux.ru/rosa2014.1/container/2520025/i586/main/release/
Command to add x86_64 container:
urpmi.addmedia 2520026 http://abf-downloads.rosalinux.ru/rosa2014.1/container/2520026/x86_64/main/release/
Improvements are pretty modest. It generates configurations for Windows AD, LDAP and Kerberos 5 which do work (reboot might be required). Other aspects haven't been addressed yet. Feedback is highly appreciated.
Does it use pam_sssd or nslcd and pam_krb5?
There is no sssd support yet. Its use is being considered however.
As for the existing caching solution, I am not sure it works actually. If not, I personally think it should be replaced with sssd rather than fixed as is.
If you are referring to the way things used to work, you are absolutely right. The way it used to work, nslcd would handle LDAP, and if you wanted to cache credentials from LDAP, you needed a command line utility called nss_updatedb; this had to be installed alongside pam_ccreds. To cache LDAP credentials, you had to run, as root, nss_updatedb passwd ldap, and that would copy EVERY user name from LDAP to nss_db... the NOTFOUND directive would cause nslcd's module to be bypassed and use nss_db instead. pam_ccreds actually worked as advertised with Kerberos, but it relied on

Prior to the release of nslcd, you had nss_ldap, which could render your machine unable to log in even as root. The only way to fix that was to disable nss_ldap and getent LDAP accounts into /etc/passwd.

See, nss_db is technically a different service unrelated to LDAP. It's a local service from a populated nss_updatedb utility. You have to run this from root.
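To make the NSS side of the "Cache Credentials for offline authentication" goal from the description and the NOTFOUND directive described in the comment above concrete, here is an added example (not drakxtools, libuser or ROSA code) that parses one nsswitch.conf database line and simulates how glibc walks the listed sources. It applies the default actions documented in nsswitch.conf(5): SUCCESS stops the search, NOTFOUND, UNAVAIL and TRYAGAIN continue to the next source, and a bracketed `[STATUS=action]` list overrides the defaults for the source it follows. The two nsswitch lines and the per-source outcomes (whether nslcd answered, timed out, or said the user does not exist) are constructed inputs for the demonstration; no real lookups are performed.

```python
"""
Simulate Name Service Switch (NSS) dispatch for one nsswitch.conf line.

Shows why the cached-credentials setup needs
    passwd: files ldap [NOTFOUND=return] db
rather than a plain "files ldap db": the action makes the nss_db
cache answer only when LDAP is *unreachable*, not when LDAP says the
account does not exist (for example a user deleted from the directory
whose stale copy is still in the nss_updatedb database).

Added example for this bug; the defaults below follow nsswitch.conf(5).
"""
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")

# glibc defaults: SUCCESS returns, every other status continues.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

# Constructed sample lines (assumed, not taken from a real ROSA system).
CACHED_LINE = "passwd: files ldap [NOTFOUND=return] db"
NAIVE_LINE = "passwd: files ldap db"


def parse_nsswitch_line(line):
    """Return (database, [(source, {status: action}), ...]).

    An action list in brackets binds to the source immediately before
    it; '!STATUS=action' applies to every status except STATUS.
    """
    line = line.split("#", 1)[0]            # drop trailing comments
    database, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("missing ':' in %r" % line)
    chain = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not tok.startswith("["):
            chain.append((tok, {}))
            continue
        if not chain:
            raise ValueError("action list before any source in %r" % line)
        actions = chain[-1][1]
        for pair in tok[1:-1].split():
            status, eq, action = pair.lower().partition("=")
            if not eq or action not in ("return", "continue"):
                raise ValueError("unsupported action %r in %r" % (pair, line))
            negate = status.startswith("!")
            status = status.lstrip("!")
            if status not in STATUSES:
                raise ValueError("unknown status %r in %r" % (status, line))
            for s in STATUSES:
                if (s != status) if negate else (s == status):
                    actions[s] = action
    return database.strip(), chain


def resolve(line, outcomes):
    """Walk the chain with the given per-source outcomes.

    outcomes maps source name -> status; a source with no entry is
    treated as 'unavail' (module missing or service down).
    Returns (answering_source_or_None, final_status).
    """
    _, chain = parse_nsswitch_line(line)
    last_source, last_status = None, "notfound"
    for source, overrides in chain:
        status = outcomes.get(source, "unavail")
        last_source, last_status = source, status
        action = {**DEFAULT_ACTIONS, **overrides}[status]
        if action == "return":
            return (source if status == "success" else None), status
    # Chain exhausted: the last source's result stands.
    return (last_source if last_status == "success" else None), last_status


if __name__ == "__main__":
    online_hit = {"files": "notfound", "ldap": "success", "db": "success"}
    offline = {"files": "notfound", "ldap": "unavail", "db": "success"}
    deleted = {"files": "notfound", "ldap": "notfound", "db": "success"}
    for name, outcome in (("online", online_hit), ("ldap down", offline),
                          ("deleted in LDAP, stale in cache", deleted)):
        print("%-32s cached: %-20s naive: %s" % (
            name, resolve(CACHED_LINE, outcome), resolve(NAIVE_LINE, outcome)))
```

Running it shows the difference that matters: with LDAP unreachable both lines fall through to nss_db, which is the offline behaviour the cache exists for, but when LDAP answers NOTFOUND only the line with `[NOTFOUND=return]` refuses to resolve the account; the naive line keeps resolving a user the directory has already removed, for as long as nobody re-runs nss_updatedb. Note also that root in /etc/passwd resolves from `files` before either line ever reaches LDAP, which is the property the thread's "can't log in even as root" reports are about.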