[SOLVED] LDAP login with the network offline - credential cache

1. [SOLVED] LDAP login with the network offline - credential cache

Eduardo Augusto
eduardobbastos

(uses Ubuntu)

Posted on 02/03/2016 - 14:40h

I'm having enormous difficulty solving the following problem. Domain with LDAP and Samba 3 as the backend. It is working perfectly transparently for Windows and Linux, and even a Mac machine could be added and authenticated. My fleet of machines runs Mint 17.3 64-bit with the MATE interface. All of them are in the domain, are able to mount the shared directories and respect the Samba policies. Now I need to allow the client to authenticate even when the network is offline, that is, even when LDAP is not reachable. Obviously only for users who have already authenticated at least once on the machine in question. I need it to work the way it does with Windows AD: store a credential cache and let the login go through even without network.

I have already installed the sssd libs and configured sssd.conf, and looking at the log with the debug level set to 10 it's fine, it doesn't return any error.




2. Solved

Eduardo Augusto
eduardobbastos

(uses Ubuntu)

Posted on 03/03/2016 - 20:51h

I found the solution, and it wasn't with sssd. As always, the simplest way is the way.

http://ubuntuforums.org/showthread.php?t=1708785

Install these packages:
aptitude -y install libnss-ldap nscd nss-updatedb libnss-db libpam-ccreds


Edit the file /etc/pam.d/common-account as follows
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 authinfo_unavail=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config


Now edit the file /etc/pam.d/common-auth


#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth [success=4 default=ignore] pam_unix.so nullok_secure
auth [success=1 authinfo_unavail=ignore default=2] pam_ldap.so use_first_pass
auth [success=2 default=1] pam_ccreds.so action=validate use_first_pass
auth [default=1] pam_ccreds.so action=store
auth requisite pam_deny.so
auth required pam_permit.so

Let's continue and edit the file /etc/pam.d/common-session

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
# end of pam-auth-update config


This file also needs to be edited: /etc/nsswitch.conf


# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat ldap [NOTFOUND=return] db
group: compat ldap [NOTFOUND=return] db
shadow: compat ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis ldap


You need to create a script
/etc/cron.hourly/nssupdate

#!/bin/sh
# Refresh the local passwd/group copies from LDAP; libnss-db serves them when
# LDAP is unreachable. Keep the file name free of dots: run-parts, which
# executes /etc/cron.hourly, skips files whose names contain '.'.
nss_updatedb ldap
exit 0


Run this command to make it executable

chmod +x /etc/cron.hourly/nssupdate


Then just reboot.
Attention: you must log in at least once with the LDAP server reachable and in sync.
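Added here as a worked example (it is not part of the original post or of the linked ubuntuforums thread): a Python walk through the common-auth and common-account stacks posted above, applying the control-flag semantics from pam.conf(5) (ignore, ok, bad, die, done and the integer "skip N modules" form), to show why those jump counts give the behaviour the post is after. The stack lines are copied from the post; how each module answers (pam_unix knowing only local users, pam_ldap returning authinfo_unavail when the directory is unreachable, pam_ccreds validating against or writing the cache) is a simplified model and an assumption of this example, not the modules' real code.

```python
"""Trace the post's common-auth and common-account stacks through the cases an
offline-capable login must get right.  Added example: stack text copied from the
post, module behaviour modelled (assumption), not the real PAM modules."""

import re

COMMON_AUTH = """
auth [success=4 default=ignore] pam_unix.so nullok_secure
auth [success=1 authinfo_unavail=ignore default=2] pam_ldap.so use_first_pass
auth [success=2 default=1] pam_ccreds.so action=validate use_first_pass
auth [default=1] pam_ccreds.so action=store
auth requisite pam_deny.so
auth required pam_permit.so
"""

COMMON_ACCOUNT = """
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 authinfo_unavail=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
"""

# Keyword controls expanded to their [value=action] form, as pam.conf(5) defines them.
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Return [(module, args, {return_value: action})] for one PAM stack."""
    stack = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("cannot parse PAM line: " + line)
        _, control, module, args = m.groups()
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = dict(SHORTHAND[control])
        stack.append((module, args.split(), actions))
    return stack


def simulate_module(module, args, world):
    """Coarse model (assumption) of each module's return value for the user in `world`."""
    if module == "pam_unix.so":
        if not world["local_user"]:
            return "user_unknown"
        return "success" if world["password_ok"] else "auth_err"
    if module == "pam_ldap.so":
        if not world["ldap_up"]:
            return "authinfo_unavail"
        return "success" if world["password_ok"] else "auth_err"
    if module == "pam_ccreds.so":
        action = [a.split("=", 1)[1] for a in args if a.startswith("action=")][0]
        if action == "store":            # cache the password just accepted by LDAP
            world["cached"] = True
            return "success"
        if action == "validate":         # compare the password with the cached copy
            return "success" if world["cached"] and world["password_ok"] else "auth_err"
        return "success"                 # action=update: drop a stale entry
    if module == "pam_deny.so":
        return "perm_denied"
    if module == "pam_permit.so":
        return "success"
    raise ValueError("no model for " + module)


def run_stack(stack, world, trace):
    """Apply libpam control-flag semantics: ignore/ok/bad/die/done and integer jumps."""
    status, failed, i = None, False, 0
    while i < len(stack):
        module, args, actions = stack[i]
        ret = simulate_module(module, args, world)
        action = actions.get(ret, actions["default"])
        trace.append("%-13s %-28s -> %-17s [%s]" % (module, " ".join(args), ret, action))
        i += 1
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if not failed:
                failed, status = True, ret   # the first failure decides the stack result
            if action == "die":
                break
            continue
        # ok, done and "N": the return code counts unless a failure was seen earlier
        if not failed:
            status = ret
        if action == "done":
            break
        if action.isdigit():
            i += int(action)                 # jump over the next N modules
    return status or "perm_denied"


def login(local_user, ldap_up, password_ok, cached):
    """Run auth then account as login(1) would; return (outcome, world, trace)."""
    world = {"local_user": local_user, "ldap_up": ldap_up,
             "password_ok": password_ok, "cached": cached}
    trace = []
    for text in (COMMON_AUTH, COMMON_ACCOUNT):
        if run_stack(parse_stack(text), world, trace) != "success":
            return "denied", world, trace
    return "granted", world, trace


if __name__ == "__main__":
    cases = {
        "local user, correct password":        dict(local_user=True,  ldap_up=False, password_ok=True,  cached=False),
        "LDAP up, correct password":           dict(local_user=False, ldap_up=True,  password_ok=True,  cached=False),
        "LDAP up, wrong password":             dict(local_user=False, ldap_up=True,  password_ok=False, cached=True),
        "LDAP down, cached, correct password": dict(local_user=False, ldap_up=False, password_ok=True,  cached=True),
        "LDAP down, never logged in here":     dict(local_user=False, ldap_up=False, password_ok=True,  cached=False),
    }
    for name, kw in cases.items():
        outcome, world, trace = login(**kw)
        print("%s: %s (cache present afterwards: %s)" % (name, outcome, world["cached"]))
        for step in trace:
            print("   ", step)
```

Running it shows the two properties the post relies on: a wrong password against a reachable directory jumps straight to pam_deny, so pam_ccreds never validates (or stores) anything, and a user who has never logged in on that machine is refused while LDAP is down, which is what the final note in the post is about. One caveat the post does not mention: pam-auth-update rewrites these common-* files, so re-check the stacks after any libpam-runtime upgrade.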





