Hello,
I'm trying to set sssd up so that I use a local passwd file for accounts and Kerberos
for authentication, until AD is set up with the correct attributes (which will be a
while). I have Kerberos working via krb5.conf, and LDAP sort of works via ldap.conf
(except the important parts) but I will need to switch to SSSD eventually. I was hoping to
get this going now with local accounts to make things easier down the road. This is on
RHEL 5 right now. I'm hoping 6 isn't much different.
I'm having some trouble (shocker!) so my first question is: is this configuration
possible?
My sssd.conf is pretty basic so far:
[sssd]
config_file_version = 2
domains = DEFAULT
services = nss, pam
[nss]
[pam]
[domain/DEFAULT]
auth_provider = krb5
id_provider = proxy
proxy_lib_name = files
krb5_server =
kerberos.foo.com
krb5_realm =
IT.FOO.COM
These are some of the errors I'm seeing:
[sssd[pam]] [sss_dp_get_reply] (4): Got reply (3, 19, Initgroups call not supported) from
Data Provider
[sssd[pam]] [pam_check_user_dp_callback] (2): Unable to get information from Data
Provider
[sssd[pam]] [pam_check_user_search] (4): Requesting info for [jce54@DEFAULT]
[pam_check_user_search] (2): No matching domain found for [jce54], fail!
sshd[6592]: pam_sss(sshd:auth): received for user jce54: 10 (User not known to the
underlying authentication module)
This suggests to me that it's not talking with NSS somehow...
/etc/pam.d/system-auth:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
#auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
#account sufficient pam_ldap.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
#account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
#password sufficient pam_krb5.so use_authtok minimum_uid=1000
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_sss.so
session required pam_unix.so
I read in one of the man pages I think that sssd will append the krb5_realm to the
username if there isn't a domain there, and I'm logging in with jce54, so it
*should* I think use jce54(a)IT.FOO.COM, but doesn't appear to do anything Kerberos-wise
so maybe that's not an issue (yet).
Thanks,
Josh