Hi Trying to use cached creds with local users in the passwd file authenticating via kerberos. I have id_provider set to files and auth_provider set to krb5(AD DC). Online authentication works fine however when I disconnect the network authentication fails. The computer is not joined to a domain, I am only leveraging the domain/realm for authentication purposes Relevant entries [pam] offline_credentials_expiration = 7 [domain] cache_credentials=true account_cache_expiration=8 id_provider=files auth_provider=krb5 krb5_server=srva.example.com krb5_kpasswd=srva.example.com krb5_realm=EXAMPLE.COM dns_discovery_domain=EXAMPLE.COM krb5_store_password_if_offline=true Is this a supported configuration for offline logins with cached credentials? Thanks

Hi, On Fri, May 17, 2024 at 9:33 AM Techie <techchavez(a)gmail.com&gt; wrote: > Hello again, my offline authentication works, however, if I reboot while > offline it no longer works and the cached password is removed from the > cache db. I mean that ldbsearch no longer reveals a cached password for my > user. > Try to `touch /etc/passwd` without reboot - I guess it will have the same effect. I can't find ticket right now, but there was a bug reported that 'files provider' loses cached password hash while rebuilding cache (and it rebuilds entire cache at every startup and every /etc/passwd&group file event) This bug won't be fixed. Files provider is deprecated and planned for eventual removal. 'proxy provider' with 'lib = files' is a substitute for your use case. https://sssd.io/docs/files-provider-deprecation.html doesn't describe your case directly, but hopefully still can help. If you could try this and then contribute a new section to this doc - it would be great. > > I use the passwd file as the ID provider and krb5 as the auth provider. > > [pam] > > offline_credential_expiration = 0 > > [domain/EXAMPLE.COM] > cache_credentials=true > id_provider=files > auth_provider=krb5 > krb5_server=srva.example.com > #krb5_kpasswd=srva.example.com > krb5_realm=EXAMPLE.COM <http://example.com/> > dns_discovery_domain=EXAMPLE.COM <http://example.com/> > > Not sure why the cached entry for my user is removed from > /var/lib/sss/db/cache_EXAMPLE.COM.ldb > > I've been fighting with this for a while so any help would be appreciated. > > Thank you > > > On Sun, Sep 17, 2023, 12:01 PM Techie <techchavez(a)gmail.com&gt; wrote: > >> Hi >> >> Trying to use cached creds with local users in the passwd file >> authenticating via kerberos. >> I have id_provider set to files and auth_provider set to krb5(AD DC). >> Online authentication works fine however when I disconnect the network >> authentication fails. The computer is not joined to a domain, I am only >> leveraging the domain/realm for authentication purposes >> >> Relevant entries >> [pam] >> offline_credentials_expiration = 7 >> >> [domain] >> cache_credentials=true >> account_cache_expiration=8 >> id_provider=files >> auth_provider=krb5 >> krb5_server=srva.example.com >> krb5_kpasswd=srva.example.com >> krb5_realm=EXAMPLE.COM >> dns_discovery_domain=EXAMPLE.COM >> krb5_store_password_if_offline=true >> >> Is this a supported configuration for offline logins with cached >> credentials? >> >> Thanks >> > -- > _______________________________________________ > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste... > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > -- _______________________________________________ sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

Hello, this did the trick, thank you. I am grateful for your help and so if desired I can contribute to the doc. Please let me know how to proceed.

Thank you again On Fri, May 17, 2024, 11:40 AM Techie <techchavez(a)gmail.com&gt; wrote: > This is very encouraging, thank you so much. I will try this and report > back. > > Thank you > > On Fri, May 17, 2024, 1:10 AM Alexey Tikhonov <atikhono(a)redhat.com&gt; > wrote: > >> Hi, >> >> On Fri, May 17, 2024 at 9:33 AM Techie <techchavez(a)gmail.com&gt; wrote: >> >>> Hello again, my offline authentication works, however, if I reboot >>> while offline it no longer works and the cached password is removed from >>> the cache db. I mean that ldbsearch no longer reveals a cached password for >>> my user. >>> >> >> Try to `touch /etc/passwd` without reboot - I guess it will have the >> same effect. >> >> I can't find ticket right now, but there was a bug reported that 'files >> provider' loses cached password hash while rebuilding cache (and it >> rebuilds entire cache at every startup and every /etc/passwd&group file >> event) >> >> This bug won't be fixed. Files provider is deprecated and planned for >> eventual removal. >> >> 'proxy provider' with 'lib = files' is a substitute for your use case. >> >> https://sssd.io/docs/files-provider-deprecation.html doesn't describe >> your case directly, but hopefully still can help. >> >> If you could try this and then contribute a new section to this doc - it >> would be great. >> >> >> >> >>> >>> I use the passwd file as the ID provider and krb5 as the auth provider. >>> >>> [pam] >>> >>> offline_credential_expiration = 0 >>> >>> [domain/EXAMPLE.COM] >>> cache_credentials=true >>> id_provider=files >>> auth_provider=krb5 >>> krb5_server=srva.example.com >>> #krb5_kpasswd=srva.example.com >>> krb5_realm=EXAMPLE.COM <http://example.com/> >>> dns_discovery_domain=EXAMPLE.COM <http://example.com/> >>> >>> Not sure why the cached entry for my user is removed from >>> /var/lib/sss/db/cache_EXAMPLE.COM.ldb >>> >>> I've been fighting with this for a while so any help would be >>> appreciated. >>> >>> Thank you >>> >>> >>> On Sun, Sep 17, 2023, 12:01 PM Techie <techchavez(a)gmail.com&gt; wrote: >>> >>>> Hi >>>> >>>> Trying to use cached creds with local users in the passwd file >>>> authenticating via kerberos. >>>> I have id_provider set to files and auth_provider set to krb5(AD DC). >>>> Online authentication works fine however when I disconnect the network >>>> authentication fails. The computer is not joined to a domain, I am only >>>> leveraging the domain/realm for authentication purposes >>>> >>>> Relevant entries >>>> [pam] >>>> offline_credentials_expiration = 7 >>>> >>>> [domain] >>>> cache_credentials=true >>>> account_cache_expiration=8 >>>> id_provider=files >>>> auth_provider=krb5 >>>> krb5_server=srva.example.com >>>> krb5_kpasswd=srva.example.com >>>> krb5_realm=EXAMPLE.COM >>>> dns_discovery_domain=EXAMPLE.COM >>>> krb5_store_password_if_offline=true >>>> >>>> Is this a supported configuration for offline logins with cached >>>> credentials? >>>> >>>> Thanks >>>> >>> -- >>> _______________________________________________ >>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org >>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org >>> Fedora Code of Conduct: >>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>> List Archives: >>> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste... >>> Do not reply to spam, report it: >>> https://pagure.io/fedora-infrastructure/new_issue >>> >> -- >> _______________________________________________ >> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org >> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste... >> Do not reply to spam, report it: >> https://pagure.io/fedora-infrastructure/new_issue >> > -- _______________________________________________ sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue