<refsect1 id='modified-default-options'>
<title>MODIFIED DEFAULT OPTIONS</title>
<para>
Certain option defaults do not match their respective backend
provider defaults; these option names and the AD provider-specific
defaults are listed below:
</para>
<refsect2 id='krb5_modifications'>
<title>KRB5 Provider</title>
<itemizedlist>
<listitem>
<para>
krb5_validate = true
</para>
</listitem>
<listitem>
<para>
krb5_use_enterprise_principal = true
</para>
</listitem>
</itemizedlist>
</refsect2>
<refsect2 id='ldap_modifications'>
<title>LDAP Provider</title>
<itemizedlist>
<listitem>
<para>
ldap_schema = ad
</para>
</listitem>
<listitem>
<para>
ldap_force_upper_case_realm = true
</para>
</listitem>
<listitem>
<para>
ldap_id_mapping = true
</para>
</listitem>
<listitem>
<para>
ldap_sasl_mech = GSS-SPNEGO
</para>
</listitem>
<listitem>
<para>
ldap_referrals = false
</para>
</listitem>
<listitem>
<para>
ldap_account_expire_policy = ad
</para>
</listitem>
<listitem>
<para>
ldap_use_tokengroups = true
</para>
</listitem>
<listitem>
<para>
ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
</para>
<para>
The AD provider looks for a different principal than the
LDAP provider by default, because in an Active Directory
environment the principals are divided into two groups:
User Principals and Service Principals. Only a User
Principal can be used to obtain a TGT, and by default the
computer object's principal is constructed from
its sAMAccountName and the AD realm. The well-known
host/hostname@REALM principal is a Service Principal
and thus cannot be used to obtain a TGT.
</para>
</listitem>
</itemizedlist>
</refsect2>
<refsect2 id='nss_modifications'>
<title>NSS configuration</title>
<itemizedlist>
<listitem>
<para>
fallback_homedir = /home/%d/%u
</para>
<para>
The AD provider automatically sets
"fallback_homedir = /home/%d/%u" to provide personal
home directories for users without the homeDirectory
attribute. If your AD Domain is properly
populated with Posix attributes, and you want to avoid
this fallback behavior, you can explicitly
set "fallback_homedir = %o".
</para>
<para>
Note that the system typically expects a home directory
in the /home/%u folder. If you decide to use a different
directory structure, some other parts of your system may
need adjustments.
</para>
<para>
For example, automated creation of home directories in
combination with SELinux requires an SELinux adjustment;
otherwise the home directory will be created with the wrong
SELinux context.
</para>
</listitem>
</itemizedlist>
</refsect2>
</refsect1>
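As an added example (not part of the sssd-ad manual page or of SSSD itself), a small Python checker that overlays the AD-provider defaults listed above onto a constructed sssd.conf fragment, reports which of them an administrator has overridden, and flags the two follow-ups this section calls out: krb5_validate turned off, and a fallback_homedir outside /home/%u that may need an SELinux context adjustment. The sample configuration, the note wording and the ldap_sasl_authid placeholder are assumptions.

```python
import configparser

# AD-provider defaults listed in this section; ldap_sasl_authid is derived
# from the host's sAMAccountName at runtime, so a placeholder stands in.
AD_PROVIDER_DEFAULTS = {
    "krb5_validate": "true",
    "krb5_use_enterprise_principal": "true",
    "ldap_schema": "ad",
    "ldap_force_upper_case_realm": "true",
    "ldap_id_mapping": "true",
    "ldap_sasl_mech": "GSS-SPNEGO",
    "ldap_referrals": "false",
    "ldap_account_expire_policy": "ad",
    "ldap_use_tokengroups": "true",
    "ldap_sasl_authid": "<sAMAccountName>@<REALM>",
    "fallback_homedir": "/home/%d/%u",
}

SAMPLE_CONF = """[domain/example.com]
id_provider = ad
fallback_homedir = %o
krb5_validate = false
"""  # constructed sample sssd.conf, not taken from any real host

def effective_ad_settings(conf_text):
    """Map each id_provider=ad domain to (effective settings, overrides)."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %d/%u literal
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/") or cp.get(section, "id_provider", fallback="") != "ad":
            continue
        explicit = dict(cp.items(section))
        effective = {**AD_PROVIDER_DEFAULTS, **explicit}   # explicit value wins
        overrides = {k: (d, explicit[k]) for k, d in AD_PROVIDER_DEFAULTS.items()
                     if k in explicit and explicit[k] != d}
        result[section[len("domain/"):]] = (effective, overrides)
    return result

def review_notes(effective):
    """Flag the two settings this section says deserve attention."""
    notes = []
    if effective["krb5_validate"].lower() != "true":
        notes.append("krb5_validate is off: the TGT is no longer validated against "
                     "the host keytab (the AD default is true)")
    if effective["fallback_homedir"] not in ("%o", "/home/%u"):
        notes.append("fallback_homedir points outside /home/%u: automatic home "
                     "creation may need an SELinux context adjustment")
    return notes
```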