AUTHSELECT−MIGRATIO - Online Linux Manual PageSection : 7
Updated : 2021−06−05
Source :
Note :
NAMEauthselect-migration − A guide how to migrate from authconfig to authselect.
DESCRIPTIONThis manual page explains the main differences between authconfig, the previous tool to configure system authentication and identity sources, and authselect which replaces it. It also explains what actions need to be done in order to migrate from authconfig to authselect.
MAIN DIFFERENCESAuthselect takes a completely different approach to system configuration than the previous tool authconfig. Authconfig tries its best to keep users’s manual changes to the files it generates. It generates not only PAM configuration files and nsswitch.conf (to setup authentication modules and identity sources) but it also generates simple configuration files for several services such as LDAP and Kerberos. Authselect does no such things. It does not generate any configuration files beside PAM and nsswitch.conf and it strictly prohibits any manual changes to generated configuration. It provides a set of files called profiles. Each profile describes how the resulting configuration should look like and it can be slightly modified by enabling or disabling certain optional features. If a need arises for a different profile than what authselect ships, the administrator has an option to create a whole new profile and use it with authselect. See authselect−profiles(5) to learn more about profiles. This may seem like a big disadvantage but the truth is the opposite. Authconfig is a very old tool and the applications providing required services have changed rapidly over the years. Typically, there is no longer a need to have multiple authentication modules in PAM and nsswitch.conf, because the vast majority of use−cases is covered by SSSD. Therefore there is no need to add or remove them specifically. There are also better tools to generate configuration for system daemons that can help you automate the process of joining to a remote domain such as realm. In addition, the shipped profiles give us comprehensive and deterministic system configuration that can be fully tested and is much less error prone. It is also much easier to distribute such configuration across many systems. Probably the most controversial change is that authselect only ships profiles for sssd and winbind providers. Those two providers cover all modern use cases from providing local users and legacy LDAP domain to complex configurations with IPA or Active Directory servers. The profiles no longer contain support for nss−pam−ldapd and users are encouraged to switch to sssd.
JOINING REMOTE DOMAINSYou can use either ipa−client−install or realm to join an IPA domain and realm to join an Active Directory domain. These tools will make sure that the correct authselect profile is selected and all daemons and services are properly configured.
CONVERTING YOUR SCRIPTSIf you use ipa−client−install or realm to join a domain, you can just remove any authconfig call in your scripts. If this is not an option, you need to replace each authconfig call with its equivalent authselect call to select a correct profile with desired features. Then you also need to write configuration file for required services. .it 1 an-trap
Table 1. Relation of authconfig options to authselect profiles Authconfig options Authselect profile −−enableldap −−enableldapauth sssd −−enablesssd −−enablesssdauth sssd −−enablekrb5 sssd −−enablewinbind −−enablewinbindauth winbind −−enablenis nis .it 1 an-trap
Table 2. Relation of authconfig options to authselect profile features lt lt lt lt. T{ Authconfig options T}:T{ Authselect profile feature T} T{ −−enablesmartcard T}:T{ with−smartcard T} T{ −−enablefingerprint T}:T{ with−fingerprint T} T{ −−enableecryptfs T}:T{ with−ecryptfs T} T{ −−enablemkhomedir T}:T{ with−mkhomedir T} T{ −−enablefaillock T}:T{ with−faillock T} T{ −−enablepamaccess T}:T{ with−pamaccess T} T{ −−enablewinbindkrb5 T}:T{ with−krb5 T} T{ −−enableshadow T}:T{ none T} T{ −−passalgo T}:T{ none T} .it 1 an-trap
¶Note ¶.br Authconfig options −−enableshadow and −−passalgo=sha512 were often used to make sure that passwords are stored in /etc/shadow using sha512 algorithm. The authselect profiles now use the yescrypt hashing method and it cannot be changed through an option (only by creating a custom profile). You can just omit these options. Examples. authconfig −−enableldap −−enableldapauth −−enablefaillock −−updateall
authselect select sssd with−faillock
authconfig −−enablesssd −−enablesssdauth −−enablesmartcard −−smartcardmodule=sssd −−updateall
authselect select sssd with−smartcard
authconfig −−enableecryptfs −−enablepamaccess −−updateall
authselect select sssd with−ecryptfs with−pamaccess
authconfig −−enablewinbind −−enablewinbindauth −−winbindjoin=Administrator −−updateall
realm join −U Administrator −−client−software=winbind WINBINDDOMAIN
CONFIGURATION FILESThis section contains snippets for minimal configuration of various services.
LDAPEven if LDAP is not directly used through pam_ldap and nss_ldap, it is still useful to configure ldap.conf to configure openldap−libs and indirectly, e.g. LDAP tools such as ldapsearch. /etc/openldap/ldap.conf. # Set the default base dn
BASE dc=example,dc=com
# Set the default LDAP server
URI ldap://ldap.example.com ldap://ldap−master.example.com:666
KERBEROSIf you use Kerberos, the default Kerberos realm should be configured in order for krb5−libs and therefore tools such as kinit to work out of the box. /etc/krb5.conf. [libdefaults]
default_realm = MYREALM
[realms]
MYREALM = {
kdc = kdc.myrealm.org
}
[domain_realm]
myrealm.org = MYREALM
.myrealm.org = MYREALM
SSSDAuthselect encourages users to use SSSD wherever possible. There are many configuration options, see sssd.conf(5). This is a minimal configuration that creates one LDAP domain called default. The LDAP server is auto−discovered through DNS lookups. /etc/sssd/sssd.conf. [sssd]
config_file_version = 2
domains = default
[domain/default]
id_provider = ldap
ldap_uri = _srv_
dns_discovery_domain = myrealmAnd here is a configuration snippet for the same domain but now the authentication is done over Kerberos. The KDC server is auto−discovered through DNS lookups. /etc/sssd/sssd.conf. [sssd]
config_file_version = 2
domains = default
[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = _srv_
krb5_server = _srv_
krb5_realm = MYREALM
dns_discovery_domain = myrealmIf you want to configure SSSD for an IPA or Active Directory domain, use the realm tool. This will perform an initial setup which involves creating a Kerberos keytab and generating basic SSSD configuration. You can then tune it up by modifying /etc/sssd/sssd.conf.
WINBINDIf you want to configure the machine to use Winbind, use realm. This will perform an initial setup which involves creating a Kerberos keytab and running adcli to join the domain. It also makes changes to smb.conf. You can then tune it up by modifying /etc/samba/smb.conf.
NISThere are several places that needs to be configured in order to make NIS authentication work. First, you need to set NIS domain and optionally also NIS server in /etc/yp.conf. /etc/yp.conf. domain mydomain broadcast
# or
# domain mydomain server myserverNIS domain must be also set in system network configuration. /etc/sysconfig/network. NISDOMAIN=mydomainNow, you can set the domain name with command line so there is no need to reboot your system. Additionaly, it may be necessary to enable NIS in selinux. $ domainname mydomain
$ setsebool −P allow_ypbind 1
PASSWORD QUALITYAuthselect enables pam_pwquality module to enforce password quality restrictions. This module is enabled only for local users. Remote users should use the password policy that is enforced by the respective remote server. The pam_pwquality module can be configured in /etc/security/pwquality.conf. See pam_pwquality(8) to see its configuration options and defaults.
STARTING SERVICESDepending on your configuration, you need to start required services manually with systemd. • SSSD systemctl enable sssd.service ; systemctl start sssd.service• Winbind systemctl enable winbind.service ; systemctl start winbind.service• NIS systemctl enable rpcbind.service ; systemctl start rpcbind.service
systemctl enable ypbind.service ; systemctl start ypbind.service• If mkhomedir feature is enabled systemctl enable oddjobd.service ; systemctl start oddjobd.service
AUTHCONFIG TOOLSAuthconfig shipped a tool called cacertdir_rehash. If you depend on this tool, please switch to native openssl command: openssl rehash <directory> that serves the same purpose.
SEE ALSOauthselect(8), authselect−profiles(5), realm(8), ipa−client−install(1), sssd.conf(5), smb.conf(5), ldap.conf(5), krb5.conf(5) 0
Johanes Gumabo
Data Size : 25,774 byte
man-authselect-migration.7Build : 2024-12-05, 20:55 :
Visitor Screen : x
Visitor Counter ( page / site ) : 3 / 184,198
Visitor ID : :
Visitor IP : 18.218.219.11 :
Visitor Provider : AMAZON-02 :
Provider Position ( lat x lon ) : 39.962500 x -83.006100 : x
Provider Accuracy Radius ( km ) : 10 :
Provider City : Columbus :
Provider Province : Ohio , : ,
Provider Country : United States :
Provider Continent : North America :
Visitor Recorder : Version :
Visitor Recorder : Library :
Online Linux Manual Page : Version : Online Linux Manual Page - Fedora.40 - march=x86-64 - mtune=generic - 24.12.05
Online Linux Manual Page : Library : lib_c - 24.10.03 - march=x86-64 - mtune=generic - Fedora.40
Online Linux Manual Page : Library : lib_m - 24.10.03 - march=x86-64 - mtune=generic - Fedora.40
Data Base : Version : Online Linux Manual Page Database - 24.04.13 - march=x86-64 - mtune=generic - fedora-38
Data Base : Library : lib_c - 23.02.07 - march=x86-64 - mtune=generic - fedora.36
Very long time ago, I have the best tutor, Wenzel Svojanovsky . If someone knows the email address of Wenzel Svojanovsky , please send an email to johanes_gumabo@yahoo.co.id .
If error, please print screen and send to johanes_gumabo@yahoo.co.id
Under development. Support me via PayPal.
ERROR : Need New Coding : (parse_manual_page_|249|authselect-migration.7|53|it|.it 1 an-trap
) (parse_manual_page_|249|authselect-migration.7|111|it|.it 1 an-trap
) (rof_TS|42|authselect-migration.7|126|10|lt lt
) (parse_manual_page_|249|authselect-migration.7|204|it|.it 1 an-trap
)