On Fri, 2013-04-05 at 09:16 -0400, Sutton, Harry (GSSE) wrote:
> On 04/05/2013 05:22 AM, Jakub Hrozek wrote:
> > Hi,
> >
> > are you using pam_krb5 along with SSSD authentication? Is there a reason
> > not to use pam_sss.so ?
> >
> > In general I would not recommend configuring the PAM stack yourself but
> > rather let authconfig do the job. This call would let authconfig
> > generate /etc/nsswitch.conf /etc/pam.d/system-auth and
> > /etc/pam.d/password-auth but would let you keep using the sssd.conf:
> >
> > authconfig --enablesssdauth --enablesssd --update
> > _______________________________________________
> > sssd-users mailing list
> > sssd-users(a)lists.fedorahosted.org
> > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
> I used the authconfig command on my Fedora laptop, but I'm not certain I
> did so on the RHEL workstation.
>
> I have both lines in system-auth and password-auth:
>
> auth sufficient pam_sss.so use_first_pass
> auth sufficient pam_krb5.so use_first_pass
> ...
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> ...
> password sufficient pam_sss.so use_authtok
> password sufficient pam_krb5.so use_authtok
> ...
> session optional pam_sss.so
> session optional pam_krb5.so
>
> On my workstation, I had only the pam_sss.so lines, and GDM logins were
> not working; after adding the pam_krb5.so lines to match my laptop, GDM
> logins worked for the first time.
Remove the pam_krb5 lines and find out why pam_sss fails, and solve that.
By performing auth via a separate module, sssd will not be able to give
you half the features you want, including offline access via cached
credentials, renewal of credentials, and so on.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
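As an added example, not part of this thread or of the SSSD project, the following POSIX shell script audits a PAM service file for management groups (auth/account/password/session) that stack pam_krb5.so next to pam_sss.so, and emits a copy with the pam_krb5 lines dropped so the change can be diffed before anything under /etc/pam.d is edited. The sample file it builds is constructed from the system-auth excerpt above; the function names are my own.

```shell
#!/bin/sh
# Added example: audit a PAM service file for pam_krb5.so lines stacked
# alongside pam_sss.so, which is the configuration discussed in the thread.
# Not SSSD project code; function names are hypothetical.

# Write a constructed sample mirroring the system-auth excerpt from the thread.
# Argument: path of the file to create.
make_sample_pam_file() {
    cat > "$1" <<'EOF'
# constructed sample, modelled on the thread's system-auth excerpt
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_krb5.so use_first_pass

account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so

password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so use_authtok

session     optional      pam_sss.so
session     optional      pam_krb5.so
EOF
}

# Print, one per line and sorted, every management group in the PAM file $1
# that contains both a pam_sss.so line and a pam_krb5.so line.
# The group is the first field of each non-comment, non-blank line.
groups_stacking_krb5_with_sss() {
    awk '
        /^[[:space:]]*#/  { next }          # skip comment lines
        /^[[:space:]]*$/  { next }          # skip blank lines
        $0 ~ /pam_sss\.so/  { sss[$1] = 1 }
        $0 ~ /pam_krb5\.so/ { krb5[$1] = 1 }
        END { for (g in sss) if (g in krb5) print g }
    ' "$1" | sort
}

# Emit the contents of PAM file $1 with every pam_krb5.so line removed.
# Nothing is written back; the caller diffs or installs the result deliberately.
strip_pam_krb5() {
    grep -v 'pam_krb5\.so' "$1"
}

# Stand-alone demonstration on the constructed sample.
demo_pam_audit() {
    tmp=$(mktemp)
    make_sample_pam_file "$tmp"
    echo "Groups stacking pam_krb5.so with pam_sss.so:"
    groups_stacking_krb5_with_sss "$tmp"
    echo
    echo "Same file with pam_krb5.so lines removed:"
    strip_pam_krb5 "$tmp"
    rm -f "$tmp"
}

demo_pam_audit
```

Run the two functions against /etc/pam.d/system-auth and /etc/pam.d/password-auth to see which groups still carry the duplicate module; once pam_krb5 is gone, a failing GDM login is then attributable to pam_sss alone, which is the condition under which the SSSD logs are worth reading.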