From 31a2a57e89a515e2f9bfc49263c3fa1fc6bd9b2a Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 15 May 2017 12:54:29 -0500
Subject: [PATCH] Add "my" PAM configuration
---
etc/pam.d/system-auth-dustin | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 etc/pam.d/system-auth-dustin
diff --git a/etc/pam.d/system-auth-dustin b/etc/pam.d/system-auth-dustin
new file mode 100644
index 0000000..9e8b0f4
--- /dev/null
+++ b/etc/pam.d/system-auth-dustin
@@ -0,0 +1,35 @@
+## PAM configuration for Active Directory authentication
+## This file complies with the Gentoo PAM layout; other distributions may
+## requre different blocks in separate files, so adjust accordingly.
+##
+## UNIX authentication is attempted first, allowing local users to log in even
+## if domain authentication is unavailable. For this to work, 'compat' must be
+## listed before 'winbind' in /etc/nsswitch.conf.
+##
+## Dustin C. Hatch
+##
+## This file is public domain. I don't care what you do with/to it.
+# vim: set ft=pamconf :
+
+auth required pam_env.so
+auth [success=1 default=ignore] pam_succeed_if.so uid >= 100000000 quiet
+auth [success=2 default=ignore] pam_unix.so try_first_pass likeauth
+auth [success=1 default=ignore] pam_winbind.so try_first_pass krb5_auth krb5_ccache_type=FILE cached_login
+auth requisite pam_deny.so
+auth required pam_permit.so
+
+account sufficient pam_winbind.so
+account required pam_unix.so
+account optional pam_permit.so
+
+password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
+password [success=2 default=ignore] pam_unix.so try_first_pass use_authtok sha512 shadow
+password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
+password requisite pam_deny.so
+password required pam_permit.so
+
+session required pam_mkhomedir.so skel=/etc/skel umask=0022
+session required pam_limits.so
+session required pam_env.so
+session required pam_unix.so
+session optional pam_permit.so
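Review bot: On the `pam_cracklib.so` line of the password stack, `dcredit=2 ocredit=2` are positive values, which pam_cracklib treats as length credits rather than minimum counts, so a password that mixes digits and symbols can satisfy `minlen=8` while being shorter than eight characters. If the intent is to require two digits and two symbols, the values need to be negative: `password required pam_cracklib.so difok=2 minlen=8 dcredit=-2 ocredit=-2 retry=3`. In the session stack, `pam_mkhomedir.so skel=/etc/skel umask=0022` creates each new home directory readable by every other account on the host; `umask=0077` is the tighter setting for a multi-user machine. `cached_login` on the auth `pam_winbind.so` line presumably allows logins from cached credentials while no domain controller is reachable (if offline logon is enabled in the Samba configuration, which is not shown here), so a comment stating that this is intended, and that a recently disabled domain account may still get in during that window, would help the next reader.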