[rsbac] nsswitch and pam configuration for UM

Amon Ott ao at rsbac.org
Thu Dec 13 08:41:32 CET 2018


On 13.12.18 at 03:46, Palon Setin wrote:
> I have no issue compiling and installing. I'm running the latest
> 4.19.8-rsbac.
> But I can't find any help with configuring /etc/nsswitch.conf and
> /etc/pam.d/*.
> The closest I found is 7 yrs old:
> https://www.rsbac.org/pipermail/rsbac/2011-January/002565.html
> The tips in the rsbac-admin package don't help either, they too appear
> to be old.
After you imported your existing groups and users into RSBAC UM with
rsbac_groupadd -O
rsbac_useradd -O
and set new passwords, which cannot be imported, with rsbac_passwd,
you can change the nsswitch lines

passwd:         compat
group:          compat
shadow:         compat

to

passwd:         rsbac
group:          rsbac
shadow:         rsbac

to let RSBAC translate between user names and uids. If you want to use
both, try

passwd:         rsbac compat
group:          rsbac compat
shadow:         rsbac compat


In /etc/pam.d/common-auth you can replace

auth    [success=1 default=ignore]      pam_unix.so nullok_secure

or similar with

auth    required        pam_rsbac.so

to use RSBAC for authentication. common-account, common-password and
common-session are similar. If you want to fall back to passwd/shadow, try

auth    sufficient      pam_rsbac.so
auth    [success=1 default=ignore]      pam_unix.so nullok_secure


Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
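
A check to run before logging out after the switch described in the message above, as an added example that is not part of the original post or of the RSBAC project: it reports whether each NSS database and a PAM auth stack use `rsbac` alone or together with a fallback. The function names, result labels and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report how nsswitch.conf and a PAM auth stack reference RSBAC.

# nss_mode FILE DB -> missing | no-rsbac | rsbac-only | rsbac-first | rsbac-later
nss_mode() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": "); gsub(/\[[^]]*\]/, "") }  # comments, actions
        $1 == (db ":") {
            found = 1
            for (i = 2; i <= NF; i++) { n++; if ($i == "rsbac" && !pos) pos = n }
        }
        END {
            if (!found)        print "missing"
            else if (!pos)     print "no-rsbac"
            else if (n == 1)   print "rsbac-only"
            else if (pos == 1) print "rsbac-first"
            else               print "rsbac-later"
        }' "$1"
}

# pam_auth_mode FILE -> no-rsbac | unix-only | rsbac-with-unix-fallback | rsbac-<control>
pam_auth_mode() {
    awk '
        { sub(/#.*/, "") }
        $1 != "auth" { next }
        {
            mod = ""
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { mod = $i; break }
            if (mod ~ /pam_unix\.so$/)  { unix = 1; if (ctl != "") after = 1 }
            if (mod ~ /pam_rsbac\.so$/ && ctl == "") ctl = $2
        }
        END {
            if (ctl == "")      print (unix ? "unix-only" : "no-rsbac")
            else if (ctl == "sufficient" && after) print "rsbac-with-unix-fallback"
            else                print "rsbac-" ctl
        }' "$1"
}

# Constructed sample files mirroring the lines in the message above.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf 'passwd: rsbac compat\ngroup: rsbac compat\nshadow: rsbac\n' > "$tmp/nsswitch.conf"
printf 'auth sufficient pam_rsbac.so\nauth [success=1 default=ignore] pam_unix.so nullok_secure\n' > "$tmp/fallback"
printf 'auth required pam_rsbac.so\n' > "$tmp/strict"

for db in passwd group shadow; do
    echo "nss $db: $(nss_mode "$tmp/nsswitch.conf" "$db")"
done
echo "pam fallback: $(pam_auth_mode "$tmp/fallback")"
echo "pam strict:   $(pam_auth_mode "$tmp/strict")"
```

On a real system, pass `/etc/nsswitch.conf` and `/etc/pam.d/common-auth` to the two functions; a result of `rsbac-only` or `rsbac-required` means accounts without an RSBAC UM entry and password will no longer resolve or authenticate.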

