In our environment, regular users authenticate via sssd/ldap, and
emergency user(s) via PAM if/when sssd + RSA securid fails. Still
running sssd 1.14.2 on el6.
On 10/16/2017 11:04 AM, hedrick(a)rutgers.edu wrote:
On certain servers I want IPA authentication but the local user/group
database. With sssd 1.14, I could specify pam as the only service and put files in
/etc/nsswitch.conf. With sssd 1.15, I get extra groups with that setting. I had to set
id_provider=none, which is undocumented. I'd be happy to see id_provider=files for
this situation, though id_provider=none with nsswitch seems to do what I need.
I do have a user with a static password, for cases where services are down. That can be
done in pam, by having pam_unix as well as pam_sss. It would be interesting to have sssd
handle this kind of mixed case, but it seems like this is what pam is for.
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org