1.2. Choosing an authselect profile
As a system administrator, you can select a profile for the authselect
utility for a specific host. The profile will be applied to every user logging into the host.
Prerequisites
- You need root credentials to run authselect commands.
Procedure
Select the authselect profile that is appropriate for your authentication provider. For example, for logging into the network of a company that uses LDAP, choose sssd.

    # authselect select sssd

(Optional) You can modify the default profile settings by adding the following options to the authselect select sssd or authselect select winbind command, for example:
- with-faillock
- with-smartcard
- with-fingerprint

To see the full list of available options, see Converting your scripts from authconfig to authselect or the authselect-migration(7) man page.

Make sure that the configuration files that are relevant for your profile are configured properly before finishing the authselect select procedure. For example, if the sssd daemon is not configured correctly and active, running authselect select results in only local users being able to authenticate, using pam_unix.
Verification steps
Verify sss entries for SSSD are present in /etc/nsswitch.conf:

    passwd: sss files
    group: sss files
    netgroup: sss files
    automount: sss files
    services: sss files
    ...

Review the contents of the /etc/pam.d/system-auth file for pam_sss.so entries:

    # Generated by authselect on Tue Sep 11 22:59:06 2018
    # Do not modify this file manually.
    auth required pam_env.so
    auth required pam_faildelay.so delay=2000000
    auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
    auth [default=1 ignore=ignore success=ok] pam_localuser.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth sufficient pam_sss.so forward_pass
    auth required pam_deny.so
    account required pam_unix.so
    account sufficient pam_localuser.so
    ...
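
The two verification steps above can be scripted. The following is an added example, not part of the original documentation: the function names (nss_missing_sss, pam_auth_uses_sss, check_host) and the sample files are constructed for illustration, and the ordering check against pam_deny.so is an extra assumption beyond what the steps ask for.

```shell
#!/bin/sh
# Added example: function names and sample files are constructed for illustration.

# Print each NSS database from the verification step that does not list "sss"
# in FILE; exit status is 0 only when none is missing.
nss_missing_sss() {
    awk -v want="passwd group netgroup automount services" '
        BEGIN { n = split(want, dbs, " ") }
        { sub(/#.*/, "") }                      # ignore comments
        $1 ~ /:$/ {
            db = $1; sub(/:$/, "", db)
            for (i = 2; i <= NF; i++) if ($i == "sss") seen[db] = 1
        }
        END {
            for (i = 1; i <= n; i++) if (!(dbs[i] in seen)) { print dbs[i]; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Succeed only if FILE has an active auth line for pam_sss.so listed before
# pam_deny.so; once a required pam_deny.so has failed, later modules cannot grant access.
pam_auth_uses_sss() {
    awk '
        { sub(/#.*/, ""); t = $1; sub(/^-/, "", t) }
        t == "auth" && /pam_deny\.so/ { deny = 1 }
        t == "auth" && /pam_sss\.so/ && !deny { ok = 1 }
        END { exit !ok }' "$1"
}

# usage: check_host NSSWITCH_FILE PAM_FILE
check_host() {
    rc=0
    missing=$(nss_missing_sss "$1") || { echo "no sss source for:" $missing; rc=1; }
    pam_auth_uses_sss "$2" || { echo "pam_sss.so cannot grant access in $2"; rc=1; }
    return $rc
}

# Constructed samples: entries like those in the verification steps, plus a
# local-only nsswitch.conf for comparison.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'passwd: sss files' 'group: sss files' 'netgroup: sss files' \
    'automount: sss files' 'services: sss files' > "$tmp/nsswitch.good"
printf '%s\n' 'passwd: files' 'group: files # sss' 'netgroup: sss files' \
    'automount: sss files' 'services: sss files' > "$tmp/nsswitch.local"
printf '%s\n' 'auth required pam_env.so' 'auth sufficient pam_unix.so nullok try_first_pass' \
    'auth sufficient pam_sss.so forward_pass' 'auth required pam_deny.so' > "$tmp/system-auth"

check_host "$tmp/nsswitch.good"  "$tmp/system-auth" && echo "sss is wired into NSS and PAM"
check_host "$tmp/nsswitch.local" "$tmp/system-auth" || echo "local users only"
```

On a real host, call check_host /etc/nsswitch.conf /etc/pam.d/system-auth after running authselect select.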