
UbuntuHelp:PamCcredsHowto

From the Ubuntu Chinese wiki

Revision as of 20:58, 30 November 2007 (Friday) by Wikibot (talk | contribs)


Instructions to install & configure libpam-ccreds on Ubuntu 5.10

Preface

Cached Credentials?

Cached credentials are very useful for mobile computers (e.g. notebooks) on which user authentication is done via LDAP server. With cached credentials you are still able to authenticate with the accustomed login credentials when the LDAP server is not reachable.

Warning!

The packages needed for this feature are linked against libdb. In my experience all of them must be linked against the same libdb version for everything to work properly. This is not the case on Ubuntu 5.10, where the packages that get installed are the following:

Package        Version          Linked against
libnss-db      2.2-6.3ubuntu1   libdb3
libpam-ccreds  1-3              libdb4.3
nss-updatedb   4-1              libdb4.3

Instead of libnss-db (2.2-6.3) I installed libnss-db (2.2.3) from the current Debian testing (etch):

Package        Version          Linked against
libnss-db      2.2.3pre1-1      libdb4.3

nss-updatedb

nss-updatedb caches the name service directories (passwd and group) locally in /var/lib/misc/passwd.db and /var/lib/misc/group.db. To install the package open a terminal and type:

sudo apt-get install nss-updatedb

When a connection to the ldap server is available run

sudo nss_updatedb ldap

once to create or update the passwd and group cache. If this is the first time you run this command, check that /var/lib/misc/passwd.db and /var/lib/misc/group.db have been created. You should add a cron job that runs this command for you periodically, so the cache does not go stale.

libnss-db

libnss-db is the NSS module for using Berkeley databases as a naming service.
It is needed so that NSS can read the cached name service directories (passwd and group). As mentioned above, the libnss-db package from breezy/main is linked against libdb3 and will not work with nss-updatedb from breezy/universe. To circumvent this problem we need a package that is linked against libdb4.3 and pulls in no further dependencies. I recommend the libnss-db package from Debian testing (etch), which can be downloaded from [1]. To install the package open a terminal and type:

sudo dpkg -i libnss-db_2.2.3pre1-1_i386.deb

(The package in Gutsy already has the right version, so there you can simply run apt-get install libnss-db.) Then edit /etc/nsswitch.conf:

passwd:		files ldap [NOTFOUND=return] db
group:		files ldap [NOTFOUND=return] db

[NOTFOUND=return] is added purely for performance reasons: if the user is found in the LDAP directory, the lookup stops there and the db cache is not consulted. You can test whether passwd and group are cached properly by disconnecting the network connection (e.g. ifdown eth0) and typing:

sudo getent passwd

This should return the local users plus the users from the LDAP server that are cached in passwd.db.

libpam-ccreds

libpam-ccreds is the PAM module that caches authentication credentials (i.e. password hashes) locally in /var/cache/.shadow.db. To install the package open a terminal and type:

sudo apt-get install libpam-ccreds

An earlier, minimal form of the /etc/pam.d/common-auth configuration (it validates cached credentials but never stores or updates them; the full version follows in the next section):

auth	[success=done default=ignore]	pam_unix.so nullok_secure
auth	[authinfo_unavail=ignore success=done default=ignore]	pam_ldap.so use_first_pass debug
auth	[default=done]	pam_ccreds.so action=validate use_first_pass

Editing the PAM File

You need to edit /etc/pam.d/common-auth as follows:

auth	[success=done default=ignore]	pam_unix.so nullok_secure try_first_pass
auth	[authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth	[default=done]	pam_ccreds.so action=validate use_first_pass
auth	[default=done]	pam_ccreds.so action=store
auth	[default=bad]	pam_ccreds.so action=update
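
The control fields in the stack above decide which pam_ccreds action runs: success=1 on pam_ldap jumps over action=validate straight to action=store, default=2 jumps over both to action=update, and authinfo_unavail=ignore falls through to action=validate. The following simulator is an added example, not code from this page or from Linux-PAM; it is a constructed simplification of Linux-PAM's control-flag semantics (ignore, ok, done, bad and numeric jumps) and walks the page's common-auth stack for a local login, an online LDAP login, an offline login against the cache, and a wrong password.

```python
# Constructed copy of the page's /etc/pam.d/common-auth: (control field, module line).
COMMON_AUTH = [
    ("success=done default=ignore",                 "pam_unix.so"),
    ("authinfo_unavail=ignore success=1 default=2", "pam_ldap.so"),
    ("default=done",                                "pam_ccreds.so action=validate"),
    ("default=done",                                "pam_ccreds.so action=store"),
    ("default=bad",                                 "pam_ccreds.so action=update"),
]

def parse_control(field):
    """'success=1 default=2' -> {'success': '1', 'default': '2'}."""
    return dict(token.split("=", 1) for token in field.split())

def run_auth_stack(stack, outcomes):
    """outcomes: module line -> PAM return value ('success', 'auth_err', 'authinfo_unavail',
    'user_unknown'); unlisted modules succeed. Returns (authenticated, status, modules_called)."""
    impression, status, called, i = None, None, [], 0
    while i < len(stack):
        control, module = stack[i]
        ret = outcomes.get(module, "success")
        called.append(module)
        actions = parse_control(control)
        action = actions.get(ret, actions["default"])
        i += 1
        if action == "ignore":        # result does not count at all
            continue
        if action == "bad":           # counts as a failure even if the module returned success
            if impression != "negative":
                impression, status = "negative", ret if ret != "success" else "perm_denied"
            continue
        # ok, done and a jump N all record the status with 'ok' semantics
        if impression is None or (impression == "positive" and status == "success"):
            impression = "positive" if ret == "success" else impression
            status = ret
        if action == "done":          # stop walking the stack here
            break
        if action.isdigit():          # jump over the next N modules
            i += int(action)
    return status == "success", status, called

def scenarios():
    """Constructed outcomes for the situations the page describes."""
    ldap_user = {"pam_unix.so": "user_unknown"}   # no local shadow entry
    cases = {
        "local user, right password": {},
        "ldap user, server up, right password": ldap_user,
        "ldap user, server down, cached password": {**ldap_user, "pam_ldap.so": "authinfo_unavail"},
        "ldap user, server up, wrong password": {**ldap_user, "pam_ldap.so": "auth_err"},
    }
    return {name: run_auth_stack(COMMON_AUTH, outs) for name, outs in cases.items()}
```

Running scenarios() shows that a successful LDAP login ends in action=store, an offline login ends in action=validate, and a wrong password with the server up ends in action=update and is refused.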

If, after the message "You have been logged on using cached credentials", you get the error "Authentication service cannot retrieve authentication info", you may need to make a further change to your common-account file. This seems to affect only Feisty. Add the following line to /etc/pam.d/common-account:

account required        pam_permit.so

If you are using Gutsy you should have these lines in /etc/pam.d/common-account instead:

account     [user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so
account     [user_unknown=ignore authinfo_unavail=ignore default=done] pam_ldap.so
account     required       pam_permit.so

After the file has been adjusted properly you must log in once while connected to the LDAP server so that libpam-ccreds stores your password. After that you will be able to log in as usual while not connected to the LDAP server.

Further Information

/usr/share/doc/nss-updatedb/*
/usr/share/doc/libpam-ccreds/*