I finally got it (almost) working!
Instead of finding a pam_nis.so to do the authentication I decided to rely on pam_unix.so,
which already knows how to do it. However, in order for this to work, I had to somehow
provide the passwords to pam_unix.so. SSSD can't do it as it clobbers the password
field (with an asterisk, by default). So I configured:
1- the NIS server to send the passwd and shadow maps separately;
2- nsswitch.conf to load the passwd and group maps via SSSD but the shadow via nis;
3- SSSD to replace the password field in passwd with 'x' instead of '*' (the pwfield option), so that pam_unix.so interprets it as 'look in the shadow map';
4- proxy_pam_target to point to a custom target 'sssd-nis' with contents:
    auth requisite pam_unix.so nullok_secure
SSSD can now cache the id lookups and the auth attempts. Communication with the NIS server
only happens at auth time.
The only thing not working: if I block communication to the NIS server (by iptables) and
then try to ssh into the NIS client machine I get:
testuser@machine password:
Authenticated with cached credentials.
Authentication failed.
It seems the cache works, but then something breaks... I added some logs below over the
relevant 2-second auth failure period.
Thanks for the help!
# syslog:
sssd[12810]: do_ypcall: clnt_call: RPC: Unable to send; errno = Operation not permitted
sssd[12810]: YPBINDPROC_DOMAIN: Domain not bound
# auth.log:
sshd[13434]: pam_sss(sshd:auth): User info message: Authenticated with cached
credentials.
sshd[13434]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh
ruser= rhost=192.168.xxx.xxx user=testuser
Failed password for testuser from 192.168.xxx.xxx port 50400 ssh2
sshd[13434]: fatal: Access denied for user testuser by PAM account configuration
[preauth]
# sssd_pam.log
[sss_cmd_get_version] (0x0200): Received client version [3].
[sss_cmd_get_version] (0x0200): Offered version [3].
[sss_parse_name_for_domains] (0x0200): name 'testuser' matched without domain,
user is testuser
[sss_parse_name_for_domains] (0x0200): name 'testuser' matched without domain,
user is testuser
[sss_dp_get_reply] (0x0010): The Data Provider returned an error
[org.freedesktop.sssd.Error.DataProvider.Offline]
[cache_req_common_dp_recv] (0x0040): CR #13: Data Provider Error: 3, 5, Failed to get
reply from Data Provider
[pam_dp_process_reply] (0x0200): received: [9 (Authentication service cannot retrieve
authentication info)][my.domain.name]
[pam_reply] (0x0200): pam_reply called with result [9]: Authentication service cannot
retrieve authentication info.
[sysdb_set_entry_attr] (0x0200): Entry
[name=testuser(a)my.domain.name,cn=users,cn=my.domain.name,cn=sysdb] has set [cache,
ts_cache] attrs.
[pam_reply] (0x0200): pam_reply called with result [0]: Success.
[pam_reply] (0x0200): blen: 48
[client_recv] (0x0200): Client disconnected!
# sssd_my.domain.name.log:
[dp_get_account_info_handler] (0x0200): Got request for
[0x3][BE_REQ_INITGROUPS][name=testuser(a)my.domain.name]
[get_initgr] (0x0040): getpwnam failed [6]: No such device or address
[proxy_account_info] (0x0040): proxy returned UNAVAIL error, going offline!
[dp_get_account_info_handler] (0x0200): Got request for
[0x3][BE_REQ_INITGROUPS][name=testuser(a)my.domain.name]
[sbus_server_init_new_connection] (0x0200): Entering.
[sbus_server_init_new_connection] (0x0200): Adding connection 0x55aadbd89ab0.
[sbus_server_init_new_connection] (0x0200): Got a connection
[proxy_client_register] (0x0200): Proxy client [5] connected
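Pulling the four configuration steps from the post into the files they touch, as an added example (my reconstruction, not the poster's actual files): the domain name my.domain.name is taken from the log file names, proxy_lib_name = nis and cache_credentials = true are assumptions, and the remaining options are the ones the post names.

```conf
# /etc/sssd/sssd.conf (reconstructed; domain name taken from the logs above)
[sssd]
services = nss, pam
domains = my.domain.name

[nss]
# Step 3: return 'x' instead of the default '*' in the passwd password
# field, so pam_unix.so goes on to consult the shadow map (served by NIS,
# see nsswitch.conf below)
pwfield = x

[domain/my.domain.name]
# Assumed: proxy provider backed by the NIS NSS module for id lookups
id_provider = proxy
proxy_lib_name = nis
# Step 4: authenticate through the custom PAM target below
auth_provider = proxy
proxy_pam_target = sssd-nis
# Assumed: required for "Authenticated with cached credentials" to occur
cache_credentials = true

# /etc/nsswitch.conf (step 2): passwd and group via SSSD, shadow straight from NIS
passwd:  files sss
group:   files sss
shadow:  files nis

# /etc/pam.d/sssd-nis (step 4): the proxy target, contents as given in the post
auth    requisite   pam_unix.so nullok_secure
```

In the auth.log excerpt above the cached credentials satisfy the auth phase, after which sshd reports "Access denied for user testuser by PAM account configuration", while the domain log shows the proxy provider going offline on the BE_REQ_INITGROUPS lookup (getpwnam failing). With this layout the password check is served from cache, but the account/initgroups lookup still reaches the proxy backend.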