
SSSD PKINIT Configuration for GDM

Silent installation package for SSSD PKINIT Configuration for GDM


PREPROD packages are packages built via LUTI. They usually remain in PREPROD for 5 days, after which a second VirusTotal scan is run to verify that the status has not changed.
If the package passes this final check, it is promoted to PROD and published on the store.

  • package: tis-sssd-pkinit
  • name: SSSD PKINIT Configuration for GDM
  • version: 0-16
  • categories: system,security,authentication
  • maintainer: Simon Fonteneau Tranquilit
  • target_os: ubuntu,debian(>9)
  • impacted_process: gdm3,sssd
  • architecture: all
  • signature_date:
  • size: 9.94 KB
  • homepage: https://sssd.io/

package           : tis-sssd-pkinit
version           : 0-16
architecture      : all
section           : base
priority          : optional
name              : SSSD PKINIT Configuration for GDM
categories        : system,security,authentication
maintainer        : Simon Fonteneau Tranquilit
description       : Configure SSSD, Kerberos PKINIT and GDM smartcard authentication for Active Directory domain login on Linux.
depends           : 
conflicts         : 
maturity          : PREPROD
locale            : 
target_os         : ubuntu,debian(>9)
min_wapt_version  : 2.5
sources           : 
installed_size    : 
impacted_process  : gdm3,sssd
description_fr    : Configure SSSD, Kerberos PKINIT et l'authentification par carte a puce dans GDM pour la connexion au domaine Active Directory sous Linux.
description_pl    : Konfiguruje SSSD, Kerberos PKINIT oraz uwierzytelnianie kartą inteligentną w GDM dla logowania do domeny Active Directory w systemie Linux.
description_de    : Konfiguriert SSSD, Kerberos PKINIT und die Smartcard-Authentifizierung in GDM fur die Anmeldung an einer Active-Directory-Domane unter Linux.
description_es    : Configura SSSD, Kerberos PKINIT y la autenticacion con tarjeta inteligente en GDM para el inicio de sesion en un dominio Active Directory en Linux.
description_pt    : Configura o SSSD, o Kerberos PKINIT e a autenticacao por cartao inteligente no GDM para inicio de sessao em dominio Active Directory no Linux.
description_it    : Configura SSSD, Kerberos PKINIT e l'autenticazione tramite smart card in GDM per l'accesso a un dominio Active Directory su Linux.
description_nl    : Configureert SSSD, Kerberos PKINIT en smartcard-authenticatie in GDM voor aanmelding bij een Active Directory-domein op Linux.
description_ru    : Настраивает SSSD, Kerberos PKINIT и аутентификацию по смарт-карте в GDM для входа в домен Active Directory под Linux.
audit_schedule    : 
editor            : 
keywords          : sssd,pkinit,kerberos,gdm3,smartcard,active-directory,linux,pam
licence           : 
homepage          : https://sssd.io/
package_uuid      : 2ad60dc7-d854-40b5-8205-610caeec7a69
valid_from        : 
valid_until       : 
forced_install_on : 
changelog         : 
min_os_version    : 
max_os_version    : 
icon_sha256sum    : 9cef90c7c46e5bd9f0979817dba5ef6779cfb05b06503cca923a3b63a7c818a7
signer            : test
signer_fingerprint: b82fc8ef4a4475c0f69ac168176c2bfc58f572eb716c4eadd65e4785c155dd8e
signature_date    : 2026-03-17T11:56:48.000000
signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes
signature         : OyVcVy7i3m3m5Uv3FdOMLVR/1tkD9WBsbB/EPC8WD2GEfqR6h9OPM+kZGCZS4GVvOIY+3HWTdefNoEm7NWhrT2m1YcNRYl4M8wJ7zzAGQIWSEBHoQEtmuRihA4q8OGdN38DHrP3ElWxsWaKwsqE9vAcBDKp8HXBtWbM9u0pygPgDDnUF98lCg66DNznWwmHZ2fQLM7eaY+5PGVA0kEM+TMV3yBXLGEAgAWfFRNNyffCjTYu2l30mbN3/UciO1BkrfDiUolplyhnOVjbMwHsBXYrED19jvp6UBx+838mIkDDcOrfKwRKiF8+wQZG+4REQZf50ZEnyc8fMz9W/AwzO9g==

from setuphelpers import *
from waptutils import get_hostname_and_domain
import os


# Trust anchors PKINIT uses to validate the KDC certificate, and the CA bundle
# SSSD uses to validate the user's smartcard certificate. Both currently point
# at the whole system CA bundle, so every CA in that bundle is trusted to issue
# logon certificates. For better security, these should be replaced with the
# real AD (enterprise CA) certificates.
pkinit_anchors   = "DIR:/etc/ssl/certs/"
pam_cert_db_path = "/etc/ssl/certs/ca-certificates.crt"


def install():

    # GDM, SSSD with its PAM/NSS modules, the smartcard stack (pcscd/opensc)
    # and Kerberos PKINIT support.
    install_apt('gdm3 gnome-shell sssd libpam-sss libnss-sss sssd-tools pcscd opensc pamtester krb5-pkinit')

    # Make gdm3 the only display manager: remove lightdm and point
    # display-manager.service at gdm3.
    run('apt-get purge -y lightdm lightdm-gtk-greeter || true')
    run('echo "/usr/sbin/gdm3" > /etc/X11/default-display-manager')
    run('DEBIAN_FRONTEND=noninteractive apt-get install --reinstall -y gdm3')
    run('DEBIAN_FRONTEND=noninteractive dpkg-reconfigure gdm3')
    run('systemctl unmask gdm3 || true')
    run('systemctl disable lightdm || true')
    run('ln -sf /lib/systemd/system/gdm3.service /etc/systemd/system/display-manager.service')
    run('systemctl daemon-reload')
    run('systemctl enable gdm3')
    run('systemctl set-default graphical.target')

    # The machine is expected to be joined already: derive the AD domain from
    # the host keytab. Lowercase is the DNS domain, uppercase the Kerberos realm.
    (hostname_from_keytab, domain_from_keytab) = get_hostname_and_domain()
    domain_lower = domain_from_keytab.lower()
    domain_upper = domain_lower.upper()

    # debug_level=9 and pam_verbosity=10 are troubleshooting settings; lower
    # them once smartcard logon works.
    data_sssd = f"""[sssd]
domains = {domain_lower}
config_file_version = 2
services = nss, pam

[pam]
pam_cert_auth = True
pam_verbosity = 10
pam_p11_allowed_services = +gdm-smartcard, +gdm-password, +login, +sudo, +su
pam_cert_db_path = {pam_cert_db_path}
debug_level=9

[domain/{domain_lower}]
ad_domain = {domain_lower}
krb5_realm = {domain_upper}
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
override_shell = /bin/bash
override_homedir = /home/homes/%u
ad_gpo_access_control = disabled
ldap_id_mapping = True
ldap_idmap_autorid_compat = true
ldap_idmap_range_min = 10000
enumerate = true
debug_level=9
ldap_user_certificate = userCertificate
ldap_user_extra_attrs = userCertificate:userCertificate
"""

    with open('/etc/sssd/sssd.conf', 'w') as f:
        f.write(data_sssd)
    # SSSD refuses to start if its config file is group- or world-readable.
    os.chmod('/etc/sssd/sssd.conf', 0o600)

    # KDCs are found through DNS; PKINIT identity is the first certificate
    # (certid=01) on the smartcard via the OpenSC PKCS#11 module.
    data_krb5conf = f"""[libdefaults]
default_realm = {domain_upper}
dns_lookup_kdc = true
dns_lookup_realm = true
rdns = false
pkinit_anchors = {pkinit_anchors}
pkinit_allow_upn = true
pkinit_identities = PKCS11:/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so:certid=01
pkinit_kdc_hostname = {domain_lower}"""
    with open('/etc/krb5.conf', 'w') as f:
        f.write(data_krb5conf)

    # GDM password stack: pam_sss with try_cert_auth is consulted first, so a
    # present smartcard is used for logon and the stack falls back to the
    # regular common-auth password path otherwise.
    data_gdm_password = f"""#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_succeed_if.so user != root quiet_success
auth    sufficient      pam_sss.so try_cert_auth
@include common-auth
auth    optional        pam_gnome_keyring.so

@include common-account

session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required        pam_loginuid.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional        pam_keyinit.so force revoke
session required        pam_limits.so
session required        pam_env.so readenv=1
session required        pam_env.so readenv=1 envfile=/etc/default/locale
@include common-session
session optional        pam_gnome_keyring.so auto_start

@include common-password
"""
    with open('/etc/pam.d/gdm-password', 'w') as f:
        f.write(data_gdm_password)

    # Apply the new SSSD configuration without waiting for a reboot.
    run('systemctl restart sssd')


01ca7fe94636e5a08fcb73849d3b5df25d51e2c82f4dd1a08f01798b25899819 : WAPT/certificate.crt
b9784271529c6cb97ca94726b81e92d449182141f6516ef6ad5ea790b8742e10 : WAPT/control
9cef90c7c46e5bd9f0979817dba5ef6779cfb05b06503cca923a3b63a7c818a7 : WAPT/icon.png
9ca28bcf828d6cdb009b0e577f8cf66f3249c28998f003059f49b35c7b8f412e : luti.json
314c940d8e3a9fac7a4ed1ef704a17f40c7dd78eb25faf397c98935f563ceebf : setup.py