AUTHSELECT-MIGRATION(7) - Online Linux Manual Page
Updated: 2021-06-05

NAME
authselect-migration - A guide on how to migrate from authconfig to authselect.

DESCRIPTION
This manual page explains the main differences between authconfig, the previous tool used to configure system authentication and identity sources, and authselect, which replaces it. It also explains what actions need to be taken in order to migrate from authconfig to authselect.

MAIN DIFFERENCES
Authselect takes a completely different approach to system configuration than the previous tool, authconfig. Authconfig tries its best to preserve users' manual changes to the files it generates. It generates not only the PAM configuration files and nsswitch.conf (to set up authentication modules and identity sources) but also simple configuration files for several services such as LDAP and Kerberos.

Authselect does no such things. It does not generate any configuration files besides PAM and nsswitch.conf, and it strictly prohibits any manual changes to the generated configuration. It provides a set of files called profiles. Each profile describes what the resulting configuration should look like, and it can be slightly modified by enabling or disabling certain optional features. If a need arises for a different profile than what authselect ships, the administrator has the option to create a whole new profile and use it with authselect. See authselect-profiles(5) to learn more about profiles.

This may seem like a big disadvantage, but the truth is the opposite. Authconfig is a very old tool, and the applications providing the required services have changed rapidly over the years. Typically, there is no longer a need to have multiple authentication modules in PAM and nsswitch.conf, because the vast majority of use cases are covered by SSSD. Therefore there is no need to add or remove them individually. There are also better tools to generate configuration for system daemons that can help you automate the process of joining a remote domain, such as realm. In addition, the shipped profiles give us a comprehensive and deterministic system configuration that can be fully tested and is much less error prone. It is also much easier to distribute such a configuration across many systems.

Probably the most controversial change is that authselect only ships profiles for the sssd and winbind providers. Those two providers cover all modern use cases, from providing local users and a legacy LDAP domain to complex configurations with IPA or Active Directory servers. The profiles no longer contain support for nss-pam-ldapd, and users are encouraged to switch to sssd.

JOINING REMOTE DOMAINS
You can use either ipa-client-install or realm to join an IPA domain, and realm to join an Active Directory domain. These tools will make sure that the correct authselect profile is selected and that all daemons and services are properly configured.

CONVERTING YOUR SCRIPTS
If you use ipa-client-install or realm to join a domain, you can just remove any authconfig call from your scripts. If this is not an option, you need to replace each authconfig call with its equivalent authselect call to select the correct profile with the desired features. Then you also need to write configuration files for the required services.

Table 1. Relation of authconfig options to authselect profiles

    Authconfig options                     Authselect profile
    --enableldap --enableldapauth          sssd
    --enablesssd --enablesssdauth          sssd
    --enablekrb5                           sssd
    --enablewinbind --enablewinbindauth    winbind
    --enablenis                            nis

Table 2. Relation of authconfig options to authselect profile features

    Authconfig options      Authselect profile feature
    --enablesmartcard       with-smartcard
    --enablefingerprint     with-fingerprint
    --enableecryptfs        with-ecryptfs
    --enablemkhomedir       with-mkhomedir
    --enablefaillock        with-faillock
    --enablepamaccess       with-pamaccess
    --enablewinbindkrb5     with-krb5
    --enableshadow          none
    --passalgo              none

Note: The authconfig options --enableshadow and --passalgo=sha512 were often used to make sure that passwords are stored in /etc/shadow using the sha512 algorithm. The authselect profiles now use the yescrypt hashing method, and it cannot be changed through an option (only by creating a custom profile). You can just omit these options.

Examples:

    authconfig --enableldap --enableldapauth --enablefaillock --updateall
    authselect select sssd with-faillock

    authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
    authselect select sssd with-smartcard

    authconfig --enableecryptfs --enablepamaccess --updateall
    authselect select sssd with-ecryptfs with-pamaccess

    authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
    realm join -U Administrator --client-software=winbind WINBINDDOMAIN
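The mappings in Tables 1 and 2 can be applied mechanically to existing scripts. The following POSIX shell function is an added example and is not part of authselect or authconfig: given the arguments of one authconfig call, it prints the equivalent authselect select command, drops the options that have no authselect counterpart (--updateall, --enableshadow, --passalgo, --smartcardmodule), refuses calls that mix providers or use --winbindjoin (domain joins are done with realm join, as in the last example above), and, like the third example above, falls back to the sssd profile when a call only toggles features. The function names and error messages are this example's own.

```shell
#!/bin/sh
# Added example, not part of authselect: translate the options of one
# authconfig call into the equivalent "authselect select" command using
# the mappings in Tables 1 and 2 above.

# Append a feature once, even if the same authconfig option was repeated.
add_feature() {
    case " $features " in
        *" $1 "*) ;;
        *) features="$features $1" ;;
    esac
}

authconfig_to_authselect() {
    profile=""
    features=""
    for opt in "$@"; do
        case "$opt" in
            # Table 1: identity/authentication providers -> profile
            --enableldap|--enableldapauth|--enablesssd|--enablesssdauth|--enablekrb5)
                new="sssd" ;;
            --enablewinbind|--enablewinbindauth)
                new="winbind" ;;
            --enablenis)
                new="nis" ;;
            # Table 2: optional features
            --enablesmartcard)   add_feature with-smartcard;   continue ;;
            --enablefingerprint) add_feature with-fingerprint; continue ;;
            --enableecryptfs)    add_feature with-ecryptfs;    continue ;;
            --enablemkhomedir)   add_feature with-mkhomedir;   continue ;;
            --enablefaillock)    add_feature with-faillock;    continue ;;
            --enablepamaccess)   add_feature with-pamaccess;   continue ;;
            --enablewinbindkrb5) add_feature with-krb5;        continue ;;
            # No authselect counterpart: the profile already covers it
            --enableshadow|--passalgo=*|--smartcardmodule=*|--updateall)
                continue ;;
            # Joining a domain is done by realm, not by authselect
            --winbindjoin=*)
                echo "authconfig_to_authselect: '$opt' has no equivalent; use" \
                     "'realm join -U ${opt#--winbindjoin=} --client-software=winbind DOMAIN'" >&2
                return 1 ;;
            *)
                echo "authconfig_to_authselect: no mapping for '$opt'" >&2
                return 1 ;;
        esac
        # authselect selects exactly one profile, so mixing providers
        # (e.g. sssd and winbind) in one call cannot be translated.
        if [ -n "$profile" ] && [ "$profile" != "$new" ]; then
            echo "authconfig_to_authselect: conflicting providers '$profile' and '$new'" >&2
            return 1
        fi
        profile="$new"
    done
    # A call that only toggles features keeps the current provider; the
    # third example above maps that to the sssd profile, so do the same.
    echo "authselect select ${profile:-sssd}$features"
}

# Usage (calls taken from the Examples above):
authconfig_to_authselect --enableldap --enableldapauth --enablefaillock --updateall
authconfig_to_authselect --enableecryptfs --enablepamaccess --updateall
```

The function only prints the command; piping its output into sh, or reviewing it first, is left to the caller so that a mistranslated option is caught before the system's PAM configuration changes.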

CONFIGURATION FILES
This section contains snippets for the minimal configuration of various services.

LDAP
Even if LDAP is not used directly through pam_ldap and nss_ldap, it is still useful to configure ldap.conf, which configures openldap-libs and, indirectly, LDAP tools such as ldapsearch.

/etc/openldap/ldap.conf:

    # Set the default base dn
    BASE dc=example,dc=com

    # Set the default LDAP server
    URI ldap://ldap.example.com ldap://ldap-master.example.com:666

KERBEROS
If you use Kerberos, the default Kerberos realm should be configured in order for krb5-libs, and therefore tools such as kinit, to work out of the box.

/etc/krb5.conf:

    [libdefaults]
    default_realm = MYREALM

    [realms]
    MYREALM = {
        kdc = kdc.myrealm.org
    }

    [domain_realm]
    myrealm.org = MYREALM
    .myrealm.org = MYREALM

SSSD
Authselect encourages users to use SSSD wherever possible. There are many configuration options; see sssd.conf(5). This is a minimal configuration that creates one LDAP domain called default. The LDAP server is auto-discovered through DNS lookups.

/etc/sssd/sssd.conf:

    [sssd]
    config_file_version = 2
    domains = default

    [domain/default]
    id_provider = ldap
    ldap_uri = _srv_
    dns_discovery_domain = myrealm

And here is a configuration snippet for the same domain, but now the authentication is done over Kerberos. The KDC server is auto-discovered through DNS lookups.

/etc/sssd/sssd.conf:

    [sssd]
    config_file_version = 2
    domains = default

    [domain/default]
    id_provider = ldap
    auth_provider = krb5
    ldap_uri = _srv_
    krb5_server = _srv_
    krb5_realm = MYREALM
    dns_discovery_domain = myrealm

If you want to configure SSSD for an IPA or Active Directory domain, use the realm tool. This will perform an initial setup, which involves creating a Kerberos keytab and generating a basic SSSD configuration. You can then tune it by modifying /etc/sssd/sssd.conf.
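Both snippets above are short enough to generate from a migration script, but a hand-written sssd.conf is often rejected by SSSD because of its file permissions rather than its contents: SSSD will not load a configuration file that other users can read, and the expected permissions are root-owned, mode 0600 (see sssd.conf(5)). The following POSIX shell example is added here and is not part of SSSD or authselect. It writes the LDAP-with-Kerberos variant from parameters, creating the file under a restrictive umask so it never exists with group or world bits, and then checks both the required keys and the mode before the file is put in place. The function names, the key list in the check, and the temporary path used in the usage run are this example's own.

```shell
#!/bin/sh
# Added example, not part of SSSD or authselect: generate the minimal
# LDAP-with-Kerberos sssd.conf from the SSSD section and verify it before
# it is installed as /etc/sssd/sssd.conf.
# Usage: write_sssd_conf <path> <dns_discovery_domain> <KRB5_REALM>
write_sssd_conf() {
    conf="$1"; domain="$2"; realm="$3"
    # Run in a subshell so the restrictive umask does not leak to the
    # caller; the file never exists with group/other bits set.
    (
        umask 077
        cat > "$conf" <<EOF
[sssd]
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = _srv_
krb5_server = _srv_
krb5_realm = $realm
dns_discovery_domain = $domain
EOF
    ) && chmod 0600 "$conf"
}

# Check that the keys a working domain needs are present and that the
# file has the mode SSSD expects (0600). Ownership by root is also
# required but is only meaningful when this runs as root, so only the
# mode is checked here. Returns non-zero with a message on the first
# problem found.
check_sssd_conf() {
    conf="$1"
    for key in config_file_version domains id_provider auth_provider \
               ldap_uri krb5_realm; do
        grep -q "^$key = " "$conf" || {
            echo "check_sssd_conf: $conf lacks '$key'" >&2
            return 1
        }
    done
    mode="$(ls -l "$conf" | cut -c1-10)"
    if [ "$mode" != "-rw-------" ]; then
        echo "check_sssd_conf: $conf is $mode, expected -rw------- (0600)" >&2
        return 1
    fi
}

# Usage run against a temporary path (constructed for this example).
tmp="${TMPDIR:-/tmp}/sssd.conf.example.$$"
write_sssd_conf "$tmp" myrealm MYREALM
check_sssd_conf "$tmp" && cat "$tmp"
rm -f "$tmp"
```

On a real system the generated file is moved into /etc/sssd/sssd.conf as root; running check_sssd_conf on the final path before starting sssd.service turns the usual "sssd fails to start" into a clear message about the missing key or the wrong mode.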

WINBIND
If you want to configure the machine to use Winbind, use realm. This will perform an initial setup, which involves creating a Kerberos keytab and running adcli to join the domain. It also makes changes to smb.conf. You can then tune it by modifying /etc/samba/smb.conf.

NIS
There are several places that need to be configured in order to make NIS authentication work. First, you need to set the NIS domain and optionally also the NIS server in /etc/yp.conf.

/etc/yp.conf:

    domain mydomain broadcast
    # or
    # domain mydomain server myserver

The NIS domain must also be set in the system network configuration.

/etc/sysconfig/network:

    NISDOMAIN=mydomain

Now you can set the domain name on the command line so there is no need to reboot your system. Additionally, it may be necessary to enable NIS in SELinux.

    $ domainname mydomain
    $ setsebool -P allow_ypbind 1

PASSWORD QUALITY
Authselect enables the pam_pwquality module to enforce password quality restrictions. This module is enabled only for local users. Remote users should use the password policy that is enforced by the respective remote server. The pam_pwquality module can be configured in /etc/security/pwquality.conf. See pam_pwquality(8) for its configuration options and defaults.

STARTING SERVICES
Depending on your configuration, you need to start the required services manually with systemd.

    •  SSSD
       systemctl enable sssd.service ; systemctl start sssd.service

    •  Winbind
       systemctl enable winbind.service ; systemctl start winbind.service

    •  NIS
       systemctl enable rpcbind.service ; systemctl start rpcbind.service
       systemctl enable ypbind.service ; systemctl start ypbind.service

    •  If the mkhomedir feature is enabled
       systemctl enable oddjobd.service ; systemctl start oddjobd.service

AUTHCONFIG TOOLS
Authconfig shipped a tool called cacertdir_rehash. If you depend on this tool, please switch to the native openssl command, openssl rehash <directory>, which serves the same purpose.

SEE ALSO
authselect(8), authselect-profiles(5), realm(8), ipa-client-install(1), sssd.conf(5), smb.conf(5), ldap.conf(5), krb5.conf(5)