So, I’ve been spending a good portion of the last six months designing a software distribution system, and looking for a good way to manage user access in an AD environment, where LDAP is fractured, at best. A few months ago, we were approved to procure Centrify as a provider of AD integration, so we could get rid (entirely) of winbind, \u00a0and samba related services.<\/p>\n
Finally, we are approaching handover, and time to integrate Spacewalk is here.<\/p>\n
Spacewalk does NOT integrate directly to Active Directory. Never has, probably never will. It will<\/em>, however, authenticate to PAM, and PAM does have methods to authenticate to AD- mostly with winbind. Centrify is supposed to be the bridge between them, and much more reliable than using winbind, but as we discovered (quickly), Spacewalk’s documentation does not cover connecting to AD or winbind or anything similar. A quick google finds a few tutorials on how to connect to winbind, but none on Centrify.<\/p>\n Long story short:<\/strong> we did get AD working: and the trick was using system-auth instead of satellite-rhn for the rhn.conf file. Apparently Centrify adds some magic deep in the system-auth file ( \/etc\/pam.d\/system-auth ) that allows PAM to connect.<\/p>\n Long story long:<\/strong><\/p>\n The tutorials we found on “the Google” were really trying their best to be helpful, but never quite got there.<\/p>\n The default for Spacewalk is to set the contents of \/etc\/rhn\/rhn.conf \u00a0to<\/p>\n The default file is that rhn-satellite – \/etc\/pam.d\/rhn-satellite . If Spacewalk were authenticating to LDAP or NIS or whatever, that file would be correct. Granted, it’s just a short PAM tree, five or so lines of sufficient, requisite, etc.<\/p>\n Further investigation reveals that Centrify needs to add a few lines, and change the others:<\/p>\n Original rhn-satellite :<\/p>\n The suggested fix found on a few sites:<\/span><\/span><\/p>\n On the surface, this looks like it’s correct, but we could never get it to work. <\/span><\/span><\/p>\n However, further searching had located some people who had made it work by just pointing line in rhn.conf to “password-auth” instead of “rhn-satellite”, since Centrify adds several extra lines to integrate with the specific AD domains there (which I won’t share for obvious security reasons). However, newer versions don’t have a “password-auth” file, and use “system-auth” instead. Making \/etc\/rhn\/rhn.conf read:<\/span><\/span><\/p>\n …finally did the trick. You’ll need to look at those files your self: password-auth and or system-auth to determine where the settings you need are: you can copy them to rhn-satellite, or simply point the pam_auth_service to it directly. The latter is what I did. <\/span><\/span><\/p>\n Hopefully this will help a few people out there!<\/span><\/span><\/p>\n <\/p>\n Bootnote: this should work both with Spacewalk and Satellite equally.<\/span><\/span><\/p>\n","protected":false},"excerpt":{"rendered":" So, I’ve been spending a good portion of the last six months designing a software distribution system, and looking for a good way to manage user access in an AD environment, where LDAP is fractured, at best. A few months ago, we were approved to procure Centrify as a provider of AD integration, so we … Continue reading Spacewalk, PAM, and Centrify…oh, my!<\/span> pam_auth_service = rhn-satellite<\/pre>\n
auth required pam_env.so\r\nauth sufficient pam_sss.so<\/span>\r\nauth required pam_deny.so<\/span>\r\naccount sufficient pam_sss.so<\/span>\r\naccount required pam_deny.so<\/span><\/pre>\nauth required pam_centrify.so\r\nauth requisite pam_centrify.so deny<\/span>\r\naccount sufficient pam_centrify.so\r\naccount requisite pam_centrify.so deny\r\nsession required pam_centrify.so homedir\r\npassword sufficient pam_centrify.so try_first_pass\r\npassword requisite pam_centrify.so deny<\/pre>\npam_auth_service = system-auth<\/span><\/span><\/pre>\n