Lukas,

Thanks for your input. I can't reproduce what I was seeing right now, so I can't send you my log files because I deleted them earlier to make issues easier to find (which in retrospect was dumb). But just to explain what I was talking about earlier, below are some more explanations.

>Do users from /etc/passwd have the same uid/name as users from LDAP?
Yes, they can.

>I do not really understand what you mean by "revert to local accounts if my
> ldap server is down."
What I mean is that I only want accounts from the LDAP server to be used when LDAP is up. So I would store root and all other system users in LDAP. If my LDAP server is online, I only want users to authenticate through LDAP, no local logins. The only time I want local accounts is if the LDAP server is no longer responsive.

>SSSD caches all information about authenticated users.
>It will be possible to authenticate even if the LDAP server is down.
I don't know if I want to rely on caching, as it depends on actually having logged in as that user in the first place. This leads to inconsistency and hard-to-reproduce issues.

Thanks again for your help.

Kevin
On Tue, Mar 18, 2014 at 6:25 PM, Lukas Slebodnik <lslebodn@redhat.com> wrote:
On (18/03/14 17:42), kevin sullivan wrote:
>Lukas,
>
>Thank you for your quick response.
>
>>You can use authconfig to configure pam-stack and nsswitch on CentOS/Fedora
>>
>>This is part of my /etc/pam.d/password-auth
>>----------------------------------------------------------------------
>>auth        required      pam_env.so
>>auth        sufficient    pam_unix.so try_first_pass nullok
>>auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
>>auth        sufficient    pam_sss.so use_first_pass
>>auth        required      pam_deny.so

You wrote in the 1st mail:
>I only want to use the local Unix accounts (/etc/passwd and /etc/shadow)
>if my LDAP server is offline.
Do users from /etc/passwd have the same uid/name as users from LDAP?


>Won't this allow local accounts before network accounts? I only want to
>revert to local accounts if my ldap server is down.
>
Yes, local accounts have higher priority with this pam configuration.

I do not really understand what you mean by "revert to local accounts if my
ldap server is down."

SSSD caches all information about authenticated users.
It will be possible to authenticate even if the LDAP server is down.

LS
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
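As an added illustration of Lukas's point that local accounts win with the quoted password-auth stack (this is example code written for this page, not from SSSD or from either poster), the following models the PAM control flags required/requisite/sufficient and walks the quoted auth stack over constructed sample users. The local and LDAP user tables, passwords and uids are constructed assumptions; the module behaviour is simplified to a pass/fail result.

```python
# Simplified model of PAM control-flag evaluation for the auth stack quoted in
# the thread. Not real PAM: each module is reduced to a pass/fail decision.

# The auth stack from /etc/pam.d/password-auth as (module, control, options).
STACK = [
    ("pam_env.so", "required", ""),
    ("pam_unix.so", "sufficient", "try_first_pass nullok"),
    ("pam_succeed_if.so", "requisite", "uid >= 1000 quiet_success"),
    ("pam_sss.so", "sufficient", "use_first_pass"),
    ("pam_deny.so", "required", ""),
]

# Constructed sample data standing in for /etc/shadow and the LDAP directory:
# user -> (password, uid). "root" and "kevin" exist in both places.
LOCAL = {"root": ("localpw", 0), "kevin": ("localpw", 1001)}
LDAP = {"root": ("ldappw", 0), "kevin": ("ldappw", 1001), "alice": ("ldappw", 1002)}

def run_module(module, user, password, uid, ldap_up):
    """Return True for PAM_SUCCESS, False for any failure (simplified)."""
    if module == "pam_env.so":
        return True
    if module == "pam_unix.so":          # checks the local password only
        return user in LOCAL and LOCAL[user][0] == password
    if module == "pam_succeed_if.so":    # the "uid >= 1000" gate
        return uid is not None and uid >= 1000
    if module == "pam_sss.so":           # needs the LDAP server to answer
        return ldap_up and user in LDAP and LDAP[user][0] == password
    if module == "pam_deny.so":
        return False
    raise ValueError(module)

def authenticate(user, password, ldap_up=True, stack=STACK):
    """Walk the stack applying control flags; return (ok, deciding module)."""
    uid = (LOCAL.get(user) or LDAP.get(user) or (None, None))[1]
    failed_by = None
    for module, control, _ in stack:
        ok = run_module(module, user, password, uid, ldap_up)
        if control == "sufficient" and ok and failed_by is None:
            return True, module          # success short-circuits the stack
        if control == "requisite" and not ok:
            return False, module         # failure short-circuits the stack
        if control == "required" and not ok and failed_by is None:
            failed_by = module           # remembered, stack keeps running
    return failed_by is None, failed_by

if __name__ == "__main__":
    for case in [("kevin", "localpw"), ("kevin", "ldappw"), ("root", "ldappw")]:
        print(case, authenticate(*case))
```

Two things the walk makes visible: a user present in /etc/shadow is accepted by pam_unix before pam_sss is ever consulted, and an account with uid below 1000 (root in the sample) that fails the local check is stopped by the requisite pam_succeed_if line, so it can never be authenticated through SSSD with this ordering.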