Hi,

On Tue, May 21, 2024 at 6:41 AM Techie <techchavez(a)gmail.com> wrote:

> Hello, this did the trick, thank you.
> I am grateful for your help and so if desired I can contribute to the doc.
> Please let me know how to proceed.

If you are familiar with github / git / PR workflow, then the best would be
to open a PR against

> Thank you again
>
> On Fri, May 17, 2024, 11:40 AM Techie <techchavez(a)gmail.com> wrote:
> This is very encouraging, thank you so much. I will try this and report
> back.
>
> Thank you
>
> On Fri, May 17, 2024, 1:10 AM Alexey Tikhonov <atikhono(a)redhat.com>
> wrote:
>
>> Hi,
>>
>> On Fri, May 17, 2024 at 9:33 AM Techie <techchavez(a)gmail.com> wrote:
>>
>>> Hello again, my offline authentication works, however, if I reboot
>>> while offline it no longer works and the cached password is removed from
>>> the cache db. I mean that ldbsearch no longer reveals a cached password for
>>> my user.
>>>
>>
>> Try to `touch /etc/passwd` without reboot - I guess it will have the
>> same effect.
>>
>> I can't find the ticket right now, but there was a bug reported that 'files
>> provider' loses cached password hash while rebuilding cache (and it
>> rebuilds entire cache at every startup and every /etc/passwd&group file
>> event)
>>
>> This bug won't be fixed. Files provider is deprecated and planned for
>> eventual removal.
>>
>> 'proxy provider' with 'lib = files' is a substitute for your use case.
>>
>> https://sssd.io/docs/files-provider-deprecation.html doesn't describe
>> your case directly, but hopefully still can help.
>>
>> If you could try this and then contribute a new section to this doc - it
>> would be great.
>>
>>
>>
>>
>>>
>>> I use the passwd file as the ID provider and krb5 as the auth provider.
>>>
>>> [pam]
>>>
>>> offline_credential_expiration = 0
>>>
>>> [domain/EXAMPLE.COM]
>>> cache_credentials=true
>>> id_provider=files
>>> auth_provider=krb5
>>> krb5_server=srva.example.com
>>> #krb5_kpasswd=srva.example.com
>>> krb5_realm=EXAMPLE.COM
>>> dns_discovery_domain=EXAMPLE.COM
>>>
>>> Not sure why the cached entry for my user is removed from
>>> /var/lib/sss/db/cache_EXAMPLE.COM.ldb
>>>
>>> I've been fighting with this for a while so any help would be
>>> appreciated.
>>>
>>> Thank you
>>>
>>>
>>> On Sun, Sep 17, 2023, 12:01 PM Techie <techchavez(a)gmail.com> wrote:
>>>
>>>> Hi
>>>>
>>>> Trying to use cached creds with local users in the passwd file
>>>> authenticating via kerberos.
>>>> I have id_provider set to files and auth_provider set to krb5 (AD DC).
>>>> Online authentication works fine; however, when I disconnect the network,
>>>> authentication fails. The computer is not joined to a domain, I am only
>>>> leveraging the domain/realm for authentication purposes.
>>>>
>>>> Relevant entries
>>>> [pam]
>>>> offline_credentials_expiration = 7
>>>>
>>>> [domain]
>>>> cache_credentials=true
>>>> account_cache_expiration=8
>>>> id_provider=files
>>>> auth_provider=krb5
>>>> krb5_server=srva.example.com
>>>> krb5_kpasswd=srva.example.com
>>>> krb5_realm=EXAMPLE.COM
>>>> dns_discovery_domain=EXAMPLE.COM
>>>> krb5_store_password_if_offline=true
>>>>
>>>> Is this a supported configuration for offline logins with cached
>>>> credentials?
>>>>
>>>> Thanks
>>>>
>>> --
>>> _______________________________________________
>>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>>
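
An added example, not part of the thread and not SSSD's own code: a small Python check that flags sssd.conf domains combining `id_provider=files` with `cache_credentials=true`, the combination the thread reports as losing the cached password hash when the files provider rebuilds its cache. The sample config is constructed from the settings quoted above; `proxy_lib_name` is the sssd.conf option taken here to be what the reply calls 'lib = files', and the `PROXY.EXAMPLE` domain name is hypothetical.

```python
import configparser

# Constructed sample: the first domain mirrors the settings quoted in the thread,
# the second uses the proxy provider (proxy_lib_name assumed to be 'lib = files').
SAMPLE_CONF = """
[pam]
offline_credentials_expiration = 0

[domain/EXAMPLE.COM]
cache_credentials=true
id_provider=files
auth_provider=krb5
krb5_server=srva.example.com
krb5_realm=EXAMPLE.COM

[domain/PROXY.EXAMPLE]
cache_credentials=true
id_provider=proxy
proxy_lib_name=files
auth_provider=krb5
"""


def audit_sssd_conf(text):
    """Return (section, message) pairs for domains whose cached password
    hash would be dropped when the files provider rebuilds its cache."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        if not section.lower().startswith("domain/"):
            continue  # [sssd], [pam], [nss] etc. are not identity domains
        dom = parser[section]
        id_provider = dom.get("id_provider", "").strip().lower()
        caches = dom.get("cache_credentials", "false").strip().lower() == "true"
        if id_provider == "files" and caches:
            findings.append((section,
                "id_provider=files with cache_credentials=true: cached hash is "
                "lost on SSSD start or /etc/passwd change; use the proxy provider"))
    return findings


if __name__ == "__main__":
    for section, message in audit_sssd_conf(SAMPLE_CONF):
        print(f"[{section}] {message}")
```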