====== Ввод в домен AD машины astralinux ======
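# --- Join the Astra Linux host to the AD domain ---
# Static network config pointing at the domain DNS has to be in place first:
# the join step below locates the domain through DNS.
sudo apt install resolvconf -y
# Appends a new eth0 stanza; if /etc/network/interfaces already defines eth0,
# drop the old stanza first so the interface is not configured twice.
# FIX: the option is "dns-nameservers" (the original "dns-namserves" is an
# unknown keyword that ifupdown ignores, leaving the host without the domain DNS).
# FIX: dns-domain takes the domain name; "{{ defaults.domainadmin }}" is the admin
# account (it is passed to -u below), so the domain template variable is used here.
sudo tee -a /etc/network/interfaces << EOF
auto eth0
iface eth0 inet static
address x.x.x.x/y
gateway x.x.x.x
dns-nameservers x.x.x.x
dns-domain {{ server.domain }}
EOF
sudo systemctl restart networking
# Raise the per-process file-size limit for every user (reason not given in the notes).
# FIX: the original "2&>/dev/null" is parsed by bash as the extra argument "2" plus
# "&>/dev/null", so tee also wrote a stray file named "2" in the working directory.
sudo tee /etc/security/limits.d/90-fsize.conf >/dev/null << EOF
* hard fsize unlimited
* soft fsize unlimited
EOF
# Domain join: -d domain, -u account that is allowed to join machines.
sudo apt install astra-ad-sssd-client -y
sudo astra-ad-sssd-client -y -d {{ server.domain }} -u {{ defaults.domainadmin }}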
====== Rutoken 2fa ======
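# --- Rutoken (PKCS#11 token) as a second factor via Kerberos PKINIT ---
# Smart-card stack: CCID/pcsc daemon, OpenSC tools and the OpenSSL PKCS#11 engine.
sudo apt install libccid pcscd libpcsclite1 pcsc-tools opensc libengine-pkcs11-openssl1.1 -y
# NSS tools for the certificate DB, PKINIT plugin and the Kerberos PAM module.
sudo apt install libnss3-tools krb5-pkinit libpam-krb5 -y
# Vendor public key goes into Astra's digsig key directory; presumably needed so the
# vendor-signed Rutoken library passes digsig verification -- confirm. The initramfs
# rebuild and reboot are required before the key is honoured.
sudo cp rutoken_pub.key /etc/digsig/keys/ -v
sudo update-initramfs -u -k all
sudo reboot
# Local vendor packages: Rutoken PKCS#11 module and its CCID reader driver.
sudo apt install -f ./librtpkcs11ecp_2.17.1.0-1_amd64.deb
sudo apt install -f ./ifd-rutokens_1.0.4_amd64.deb
# System NSS DB that holds the domain CA and the PKCS#11 module registration.
# FIX: was chmod 777. A world-writable NSS DB directory lets any local user add a
# trusted CA or re-point the PKCS#11 module, which defeats certificate-based login.
# Every consumer on this page runs via sudo, so root-owned 755 is sufficient; if a
# non-root process turns out to need read access, grant it on the DB files rather
# than reopening the directory.
sudo mkdir -p /etc/pki/nssdb
sudo chmod 755 /etc/pki/nssdb
# DB without a password: access control is the directory/file permissions above.
sudo certutil -N -d /etc/pki/nssdb --empty-password
# Trust flags CT,CT,CT: trusted CA for server auth, e-mail and object signing.
sudo certutil -d /etc/pki/nssdb -A -n 'CA-ROOT-CERT' -t CT,CT,CT -a -i cacert.pem
sudo modutil -dbdir /etc/pki/nssdb -add "Rutoken PKCS11" -libfile librtpkcs11ecp.so
# check: the CA must be listed with the trust flags set above
sudo certutil -L -d /etc/pki/nssdb -h all
# CA bundle referenced by pkinit_anchors in krb5.conf (-p keeps this re-runnable).
sudo mkdir -p /etc/krb5/
sudo cp cacert.pem /etc/krb5/ -v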
# PKINIT settings added to the existing [libdefaults] section (presumably /etc/krb5.conf).
[libdefaults]
...
# CA bundle that must sign the KDC's certificate (copied to /etc/krb5/ above).
pkinit_anchors = FILE:/etc/krb5/cacert.pem
# Hostname the KDC certificate is checked against.
pkinit_kdc_hostname = ipa.virt.int
# kpServerAuth accepts a KDC certificate carrying the TLS server-auth EKU instead of
# the stricter default KDC EKU; this relaxes KDC certificate validation, so keep it
# only while the KDC certificate really lacks the PKINIT KDC EKU.
pkinit_eku_checking = kpServerAuth
# Client identity comes from the Rutoken through its PKCS#11 module.
pkinit_identities = PKCS11:librtpkcs11ecp.so
# sssd.conf (presumably /etc/sssd/sssd.conf): let the PAM responder authenticate
# with the certificate on the token.
[pam]
pam_cert_auth = True
# PAM rule: pam_krb5 with try_pkinit offers the token certificate to the KDC (PKINIT)
# and falls back to the Kerberos password if that is unavailable; minimum_uid=2500
# leaves local/system accounts below that UID alone. In the direct /etc/pam.d form,
# success=6 jumps over the next 6 modules, so the number must match the lines that
# follow in that file. The two lines after it are the same rule in pam-auth-update
# profile form (Auth-Initial block, success=end).
auth [success=6 default=ignore] pam_krb5.so minimum_uid=2500 try_pkinit
Auth-Initial:
[success=end default=ignore] pam_krb5.so minimum_uid=2500 try_pkinit