SSSD PKINIT Configuration for GDM
Silent install package for SSSD PKINIT Configuration for GDM
Preprod packages are packages built on LUTI.
They usually remain in PREPROD for 5 days, after which a second VirusTotal scan is performed to verify that their status has not changed.
If the package passes this last check, it is promoted to PROD and published on the store.
- package: tis-sssd-pkinit
- name: SSSD PKINIT Configuration for GDM
- version: 0-16
- categories: system,security,authentication
- maintainer: Simon Fonteneau Tranquilit
- target_os: ubuntu,debian(>9)
- impacted_process: gdm3,sssd
- architecture: all
- signature_date:
- size: 9.94 Ko
- homepage : https://sssd.io/
package : tis-sssd-pkinit
version : 0-16
architecture : all
section : base
priority : optional
name : SSSD PKINIT Configuration for GDM
categories : system,security,authentication
maintainer : Simon Fonteneau Tranquilit
description : Configure SSSD, Kerberos PKINIT and GDM smartcard authentication for Active Directory domain login on Linux.
depends :
conflicts :
maturity : PREPROD
locale :
target_os : ubuntu,debian(>9)
min_wapt_version : 2.5
sources :
installed_size :
impacted_process : gdm3,sssd
description_fr : Configure SSSD, Kerberos PKINIT et l'authentification par carte à puce dans GDM pour la connexion au domaine Active Directory sous Linux.
description_pl : Konfiguruje SSSD, Kerberos PKINIT oraz uwierzytelnianie kartą inteligentną w GDM dla logowania do domeny Active Directory w systemie Linux.
description_de : Konfiguriert SSSD, Kerberos PKINIT und die Smartcard-Authentifizierung in GDM für die Anmeldung an einer Active-Directory-Domäne unter Linux.
description_es : Configura SSSD, Kerberos PKINIT y la autenticación con tarjeta inteligente en GDM para el inicio de sesión en un dominio Active Directory en Linux.
description_pt : Configura o SSSD, o Kerberos PKINIT e a autenticação por cartão inteligente no GDM para início de sessão em domínio Active Directory no Linux.
description_it : Configura SSSD, Kerberos PKINIT e l'autenticazione tramite smart card in GDM per l'accesso a un dominio Active Directory su Linux.
description_nl : Configureert SSSD, Kerberos PKINIT en smartcard-authenticatie in GDM voor aanmelding bij een Active Directory-domein op Linux.
description_ru : Настраивает SSSD, Kerberos PKINIT и аутентификацию по смарт-карте в GDM для входа в домен Active Directory под Linux.
audit_schedule :
editor :
keywords : sssd,pkinit,kerberos,gdm3,smartcard,active-directory,linux,pam
licence :
homepage : https://sssd.io/
package_uuid : 2ad60dc7-d854-40b5-8205-610caeec7a69
valid_from :
valid_until :
forced_install_on :
changelog :
min_os_version :
max_os_version :
icon_sha256sum : 9cef90c7c46e5bd9f0979817dba5ef6779cfb05b06503cca923a3b63a7c818a7
signer : test
signer_fingerprint: b82fc8ef4a4475c0f69ac168176c2bfc58f572eb716c4eadd65e4785c155dd8e
signature_date : 2026-03-17T11:56:48.000000
signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes
signature : OyVcVy7i3m3m5Uv3FdOMLVR/1tkD9WBsbB/EPC8WD2GEfqR6h9OPM+kZGCZS4GVvOIY+3HWTdefNoEm7NWhrT2m1YcNRYl4M8wJ7zzAGQIWSEBHoQEtmuRihA4q8OGdN38DHrP3ElWxsWaKwsqE9vAcBDKp8HXBtWbM9u0pygPgDDnUF98lCg66DNznWwmHZ2fQLM7eaY+5PGVA0kEM+TMV3yBXLGEAgAWfFRNNyffCjTYu2l30mbN3/UciO1BkrfDiUolplyhnOVjbMwHsBXYrED19jvp6UBx+838mIkDDcOrfKwRKiF8+wQZG+4REQZf50ZEnyc8fMz9W/AwzO9g==
import os

from setuphelpers import *
from waptutils import get_hostname_and_domain
# For better security, this should be replaced with the real AD certificates.
# NOTE(review): a "DIR:" anchor makes every CA in the system certificate
# directory a PKINIT trust anchor, so a certificate chaining to any of those
# public CAs would be trusted; pointing this at the AD issuing CA only
# (e.g. a FILE: anchor with the AD CA chain) limits that exposure.
pkinit_anchors = "DIR:/etc/ssl/certs/"
# CA bundle written into sssd.conf as pam_cert_db_path, used by SSSD to
# validate the smartcard certificate; the same caveat applies — the full
# distribution CA bundle is much broader than the AD CA chain.
pam_cert_db_path = "/etc/ssl/certs/ca-certificates.crt"
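def install():
    """Switch the display manager to GDM3 and write the SSSD, Kerberos and
    PAM configuration for Active Directory smartcard (PKINIT) login.

    The AD domain is read from the host keytab via get_hostname_and_domain(),
    so the machine must already be joined to the domain. The generated
    /etc/sssd/sssd.conf is created with mode 0600: SSSD refuses to start when
    its configuration file is readable by other users, which a plain
    open(path, 'w') under the default umask would produce.

    Raises:
        RuntimeError: if no domain could be read from the keytab.
    """
    install_apt('gdm3 gnome-shell sssd libpam-sss libnss-sss sssd-tools pcscd opensc pamtester krb5-pkinit')
    _configure_display_manager()

    # hostname is not needed here; only the domain drives the config files.
    (_hostname_from_keytab, domain_from_keytab) = get_hostname_and_domain()
    if not domain_from_keytab:
        # Without this guard an unjoined host fails later with an opaque
        # AttributeError on None.lower().
        raise RuntimeError('No AD domain found in the host keytab; join the machine to the domain before installing this package.')
    domain_lower = domain_from_keytab.lower()
    domain_upper = domain_lower.upper()

    _write_sssd_conf(domain_lower, domain_upper)
    _write_krb5_conf(domain_lower, domain_upper)
    _write_gdm_password_pam()


def _configure_display_manager():
    """Make gdm3 the active display manager, removing lightdm if present."""
    run('apt-get purge -y lightdm lightdm-gtk-greeter || true')
    # Same content the former `echo "/usr/sbin/gdm3" > ...` produced (echo
    # appends a newline), written from Python instead of a shell redirection.
    with open('/etc/X11/default-display-manager', 'w', encoding='utf-8') as f:
        f.write('/usr/sbin/gdm3\n')
    run('DEBIAN_FRONTEND=noninteractive apt-get install --reinstall -y gdm3')
    run('DEBIAN_FRONTEND=noninteractive dpkg-reconfigure gdm3')
    run('systemctl unmask gdm3 || true')
    run('systemctl disable lightdm || true')
    run('ln -sf /lib/systemd/system/gdm3.service /etc/systemd/system/display-manager.service')
    run('systemctl daemon-reload')
    run('systemctl enable gdm3')
    run('systemctl set-default graphical.target')


def _write_private_file(path, content):
    """Write *content* to *path*, creating or truncating it with mode 0600.

    Passing the mode to os.open avoids a window in which a newly created
    file is world-readable under the default umask; fchmod also tightens a
    pre-existing file that had looser permissions.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)
    except OSError:
        os.close(fd)
        raise
    with os.fdopen(fd, 'w', encoding='utf-8') as f:
        f.write(content)


def _write_sssd_conf(domain_lower, domain_upper):
    """Write /etc/sssd/sssd.conf for the AD domain with smartcard auth enabled.

    Settings worth knowing when reviewing the result:
    - ad_gpo_access_control = disabled skips GPO logon-right evaluation, so
      domain membership alone grants login on this host.
    - debug_level=9 and pam_verbosity = 10 are diagnostic levels that log
      verbosely (including per-login detail); lower them once PKINIT works.
    - pam_cert_db_path comes from the module-level constant and currently
      names the full distribution CA bundle.
    """
    data_sssd = f"""[sssd]
domains = {domain_lower}
config_file_version = 2
services = nss, pam
[pam]
pam_cert_auth = True
pam_verbosity = 10
pam_p11_allowed_services = +gdm-smartcard, +gdm-password, +login, +sudo, +su
pam_cert_db_path = {pam_cert_db_path}
debug_level=9
[domain/{domain_lower}]
ad_domain = {domain_lower}
krb5_realm = {domain_upper}
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
override_shell = /bin/bash
override_homedir = /home/homes/%u
ad_gpo_access_control = disabled
ldap_id_mapping = True
ldap_idmap_autorid_compat = true
ldap_idmap_range_min = 10000
enumerate = true
debug_level=9
ldap_user_certificate = userCertificate
ldap_user_extra_attrs = userCertificate:userCertificate
"""
    _write_private_file('/etc/sssd/sssd.conf', data_sssd)


def _write_krb5_conf(domain_lower, domain_upper):
    """Overwrite /etc/krb5.conf with PKINIT settings for the AD realm.

    pkinit_anchors comes from the module-level constant (currently the whole
    system CA directory). pkinit_identities hard-codes the x86_64 OpenSC
    module path although the package is declared architecture "all";
    on other architectures the module lives elsewhere — TODO confirm.
    """
    data_krb5conf = f"""[libdefaults]
default_realm = {domain_upper}
dns_lookup_kdc = true
dns_lookup_realm = true
rdns = false
pkinit_anchors = {pkinit_anchors}
pkinit_allow_upn = true
pkinit_identities = PKCS11:/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so:certid=01
pkinit_kdc_hostname = {domain_lower}"""
    with open('/etc/krb5.conf', 'w', encoding='utf-8') as f:
        f.write(data_krb5conf)


def _write_gdm_password_pam():
    """Overwrite /etc/pam.d/gdm-password with a stack that tries certificate
    authentication first.

    `auth sufficient pam_sss.so try_cert_auth` sits before @include
    common-auth, so a successful smartcard authentication satisfies the auth
    stack without reaching the password modules; on failure the stack falls
    through to common-auth.
    """
    data_gdm_password = f"""#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
auth sufficient pam_sss.so try_cert_auth
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-session
session optional pam_gnome_keyring.so auto_start
@include common-password
"""
    with open('/etc/pam.d/gdm-password', 'w', encoding='utf-8') as f:
        f.write(data_gdm_password)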
01ca7fe94636e5a08fcb73849d3b5df25d51e2c82f4dd1a08f01798b25899819 : WAPT/certificate.crt
b9784271529c6cb97ca94726b81e92d449182141f6516ef6ad5ea790b8742e10 : WAPT/control
9cef90c7c46e5bd9f0979817dba5ef6779cfb05b06503cca923a3b63a7c818a7 : WAPT/icon.png
9ca28bcf828d6cdb009b0e577f8cf66f3249c28998f003059f49b35c7b8f412e : luti.json
314c940d8e3a9fac7a4ed1ef704a17f40c7dd78eb25faf397c98935f563ceebf : setup.py