From 74aa0bc6779af38018a03fd2cf4419fe85917904 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 07:31:45 +0200 Subject: Adding upstream version 2.9.4. Signed-off-by: Daniel Baumann --- src/man/eu/include/ad_modified_defaults.xml | 104 ++++++++++++++++++++++++++++ 1 file changed, 104 insertions(+) create mode 100644 src/man/eu/include/ad_modified_defaults.xml (limited to 'src/man/eu/include/ad_modified_defaults.xml') diff --git a/src/man/eu/include/ad_modified_defaults.xml b/src/man/eu/include/ad_modified_defaults.xml new file mode 100644 index 0000000..6ee0537 --- /dev/null +++ b/src/man/eu/include/ad_modified_defaults.xml 
@@ -0,0 +1,104 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and AD provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_enterprise_principal = true + + + + + + LDAP Provider + + + + ldap_schema = ad + + + + + ldap_force_upper_case_realm = true + + + + + ldap_id_mapping = true + + + + + ldap_sasl_mech = GSS-SPNEGO + + + + + ldap_referrals = false + + + + + ldap_account_expire_policy = ad + + + + + ldap_use_tokengroups = true + + + + + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + + + The AD provider looks for a different principal than the LDAP provider by +default, because in an Active Directory environment the principals are +divided into two groups - User Principals and Service Principals. Only User +Principal can be used to obtain a TGT and by default, computer object's +principal is constructed from its sAMAccountName and the AD realm. The +well-known host/hostname@REALM principal is a Service Principal and thus +cannot be used to get a TGT with. + + + + + + NSS configuration + + + + fallback_homedir = /home/%d/%u + + + The AD provider automatically sets "fallback_homedir = /home/%d/%u" to +provide personal home directories for users without the homeDirectory +attribute. If your AD Domain is properly populated with Posix attributes, +and you want to avoid this fallback behavior, you can explicitly set +"fallback_homedir = %o". + + + Note that the system typically expects a home directory in /home/%u +folder. If you decide to use a different directory structure, some other +parts of your system may need adjustments. + + + For example automated creation of home directories in combination with +selinux requires selinux adjustment, otherwise the home directory will be +created with wrong selinux context. + + + + + -- cgit v1.2.3
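Review bot: In the NSS configuration section, the last paragraph says automated home directory creation "requires selinux adjustment" without saying what to adjust, so an administrator who keeps fallback_homedir = /home/%d/%u has no pointer for avoiding the "wrong selinux context" it warns about. Name the adjustment or reference the page that documents it, and write SELinux and POSIX with consistent capitalisation. In the KRB5 and LDAP lists, only ldap_sasl_authid carries an explanation. A one-sentence rationale for krb5_validate = true in particular would tell readers what they give up by overriding it. The opening sentence is a comma splice ("...backend provider defaults, these option names..."), and "cannot be used to get a TGT with" reads better as "cannot be used to obtain a TGT". The file is added under src/man/eu/ but its text is English, so please confirm it is intended as an untranslated copy.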