[re-sent after subscribing with my sender address]
All,
I am working on deploying sssd to a number of Debian Linux workstations, and it's slow-going... and I could use some help.
The workstations mount users' homes and a few public shares over NFS, using automount. User information, automounter maps etc are shared through NIS. Besides caching, easy switching of backends (say, to Kerberos and LDAP) is why I want to move to sssd. But it looks like NIS support is a bit under-documented.
The installed sssd version ("wheezy-backports") is
# dpkg-query -l sssd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  sssd           1.11.7.3-3~b amd64        System Security Services Daemon -
#
Debian updates pam.d/common-*
# fgrep sss /etc/pam.d/*
/etc/pam.d/common-account:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_sss.so use_first_pass
/etc/pam.d/common-password:password sufficient pam_sss.so
/etc/pam.d/common-session:session optional pam_sss.so
#
and nsswitch.conf, funnily enough, by appending the sss modules
# fgrep sss /etc/nsswitch.conf
passwd: files nis sss
group: files nis sss
shadow: files nis sss
netgroup: nis sss
sudoers: files sss
#
and does not install any /etc/sssd/sssd.conf, so the system is broken after installing sssd and friends.
My sssd.conf is
[sssd]
config_file_version = 2
reconnection_retries = 3
debug_level = 0x0070
services = nss, pam
domains = spgnts

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 0x0070

[pam]
reconnection_retries = 3
pam_verbosity = 3
debug_level = 0x0070

[domain/spgnts]
debug_level = 0x0070
enumerate = true
id_provider = proxy
proxy_lib_name = nis
min_id = 500
auth_provider = proxy
proxy_pam_target = none
-- if there is any further configuration detail you consider relevant to the issue, please let me know.
When I start all this, things work until I take out the 'nis' entries from nsswitch.conf. To my understanding, as long as they are in, queries never go to the nss_sss module.
Once I take out the 'nis' entries, I can log in as root on the console, I can log in as a regular user over ssh (public key auth), but all other login attempts time out. kdm mutters about pam_setcred() problems on the console.
The /var/log/sssd/* logs are voluminous, but virtually free of any helpful information. Upon login, sssd appears to start a bunch of proxy_child processes, which hang there until timeout, at which point they get killed. I tried copying a command line from ps and stracing a proxy_child invocation, but the trace didn't speak to me.
I have searched the web far and wide, but there is little more than lip service to using the proxy module, much less NIS. As of now, my hunch is the problem lies with PAM - how do you configure the domain's auth_provider for NIS? I came across "#proxy_auth_target = nis_pam_proxy", but it wasn't documented.
Thanks for reading this far; any comments are most welcome!
Cheerio, Hauke
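Added example (editor's addition, not part of Hauke's message and not sssd or Debian project code): a self-contained shell script that writes a candidate sssd.conf for an NIS-backed proxy domain together with the dedicated PAM service file that proxy_pam_target names, then checks two things worth ruling out before wading through proxy_child logs. sssd.conf(5) documents proxy_pam_target as the name of a PAM service under /etc/pam.d; a name with no file there (such as "none") makes PAM fall back to Debian's /etc/pam.d/other, which @includes the common-* stacks, and those stacks contain pam_sss.so, so sssd's proxy_child would end up authenticating through sssd itself. The check therefore requires the target file to exist and to reach no pam_sss.so line, directly or via @include. The service name sssd-nis-proxy is an assumption, as is pam_unix.so in that stack: pam_unix only validates NIS passwords while the shadow map is still reachable through NSS (for instance `shadow: files nis`), so substitute whatever module really checks NIS credentials on your site. Point write_proxy_config at a scratch directory first; with ROOT=/ it overwrites the live /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example, not from the original post. Writes a candidate sssd.conf for an
# NIS-backed proxy domain plus the PAM service file that proxy_pam_target names,
# then checks that the target exists and never recurses into pam_sss.so.
# Assumptions: the service name "sssd-nis-proxy" and the use of pam_unix.so in
# that stack are illustrative choices, not values documented by sssd or Debian.

# write_proxy_config ROOT : write ROOT/etc/sssd/sssd.conf and
# ROOT/etc/pam.d/sssd-nis-proxy. Use ROOT=/ on a real host, or a scratch
# directory for a dry run.
write_proxy_config() {
    local root="$1"
    mkdir -p "$root/etc/sssd" "$root/etc/pam.d"
    cat > "$root/etc/sssd/sssd.conf" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = spgnts

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/spgnts]
enumerate = true
min_id = 500
id_provider = proxy
proxy_lib_name = nis
auth_provider = proxy
proxy_pam_target = sssd-nis-proxy
EOF
    # Keep the config private; it may later carry LDAP bind credentials.
    chmod 600 "$root/etc/sssd/sssd.conf"
    # PAM stack run by sssd's proxy_child. It must not @include Debian's
    # common-* files: those contain pam_sss.so, so sssd would call itself.
    cat > "$root/etc/pam.d/sssd-nis-proxy" <<'EOF'
auth     required pam_unix.so
account  required pam_unix.so
password required pam_unix.so
session  required pam_unix.so
EOF
}

# pam_stack_mentions ROOT FILE MODULE : succeed if FILE, or any file it
# @includes from ROOT/etc/pam.d, references MODULE outside a comment.
pam_stack_mentions() {
    local root="$1" f="$2" mod="$3" inc
    [ -f "$f" ] || return 1
    if grep -v '^[[:space:]]*#' "$f" | grep -Fq "$mod"; then
        return 0
    fi
    for inc in $(sed -n 's/^@include[[:space:]]*//p' "$f"); do
        if pam_stack_mentions "$root" "$root/etc/pam.d/$inc" "$mod"; then
            return 0
        fi
    done
    return 1
}

# check_proxy_target ROOT : succeed only if every proxy_pam_target in
# ROOT/etc/sssd/sssd.conf names a PAM service file that exists and does not
# reach pam_sss.so. The reason is printed on failure.
check_proxy_target() {
    local root="$1" conf="$1/etc/sssd/sssd.conf" targets t svc
    targets=$(sed -n 's/^[[:space:]]*proxy_pam_target[[:space:]]*=[[:space:]]*//p' "$conf")
    if [ -z "$targets" ]; then
        echo "no proxy_pam_target in $conf"
        return 1
    fi
    for t in $targets; do
        svc="$root/etc/pam.d/$t"
        if [ ! -f "$svc" ]; then
            echo "proxy_pam_target '$t': $svc does not exist (PAM falls back to 'other')"
            return 1
        fi
        if pam_stack_mentions "$root" "$svc" pam_sss.so; then
            echo "proxy_pam_target '$t' reaches pam_sss.so: sssd would recurse into itself"
            return 1
        fi
    done
    return 0
}
```

A dry run is `d=$(mktemp -d); write_proxy_config "$d"; check_proxy_target "$d"`; inspect the generated files, then repeat with ROOT=/ and restart sssd. The same check_proxy_target can be run against an existing host to confirm its proxy target is sane before touching nsswitch.conf.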