After trying for several days, I want to ask if this is even possible:

I am running CentOS 6.4 and I have sssd-1.9.2-82 installed. I would like to log into my machine by querying an OpenLDAP server running elsewhere. The big difference that I have from the normal sssd setup is I only want to use the local Unix accounts (/etc/passwd and /etc/shadow) if my LDAP server is offline.

So how do I do this? Should I be able to do all of this through pam? Either way, the issue I am seeing with sssd is the return value of pam when sssd can't connect to my ldap server. It always returns 'user_unknown' instead of 'authinfo_unavail' as I would expect. Am I configuring something incorrectly?

/etc/pam.d/password-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=done new_authtok_reqd=done authinfo_unavail=ignore default=die] pam_sss.so forward_pass
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

/etc/sssd/sssd.conf:

[domain/default]
debug_level = 9

ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=cn=group,ou=Roles,dc=example,dc=com
ldap_group_member = memberUid
ldap_group_search_base = ou=Roles,dc=example,dc=com
chpass_provider = ldap
ldap_uri = ldap://test-server/

[sssd]
debug_level = 9
services = pam
config_file_version = 2

domains = default

[nss]
debug_level = 9

[pam]
debug_level = 9

[sudo]
debug_level = 9

[autofs]
debug_level = 9

[ssh]
debug_level = 9

[pac]
debug_level = 9

/var/log/sssd/sssd_default.log:

(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [3][1][name=user]
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x196b8f0

(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x196c2b0

(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [ldb] (0x4000): Destroying timer event 0x196c2b0 "ltdb_timeout"

(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [ldb] (0x4000): Ending timer event 0x196b8f0 "ltdb_callback"

(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [sbus_dispatch] (0x4000): dbus conn: 1964B00
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [sbus_dispatch] (0x4000): Dispatching.


/var/log/sssd/sssd_pam.log:

(Tue Mar 18 19:09:52 2014) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected to privileged pipe!
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x6cc030][19]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x6cc030][19]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x6cc030][19]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'user' matched without domain, user is user
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): user: user
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): rhost: test-server
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 8
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 10665
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/default/user]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41b300:3:user@default]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [default][3][1][name=user]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x6cdf20
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41b300:3:user@default]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x6cdf20
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 6C8DE0
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Offline
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_check_user_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 1, 11, Offline
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [user@default]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x6d7360

(Tue Mar 18 19:09:52 2014) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x6d7480

(Tue Mar 18 19:09:52 2014) [sssd[pam]] [ldb] (0x4000): Destroying timer event 0x6d7480 "ltdb_timeout"

(Tue Mar 18 19:09:52 2014) [sssd[pam]] [ldb] (0x4000): Ending timer event 0x6d7360 "ltdb_callback"

(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_check_user_search] (0x0080): No matching domain found for [user], fail!
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [10].
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_reply] (0x0100): blen: 8
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41b300:3:user@default]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x6cc030][19]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x6cc030][19]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [client_destructor] (0x2000): Terminated client [0x6cc030][19]

I tried to provide only the portions of files that I found relevant. I can provide more upon request.

Thanks,

Kevin
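The behaviour Kevin describes can be reproduced on paper by walking the `auth` stack from his password-auth file with Linux-PAM's control-value rules from pam.conf(5). The simulator below is an added example, not code from the post or from sssd/Linux-PAM: it parses the bracketed `[value=action]` control syntax (and the `required`/`requisite`/`sufficient`/`optional` shorthands), then evaluates the stack for a given set of simulated module return codes. The return codes fed in (`user_unknown` for what pam_sss currently returns, `authinfo_unavail` for what was expected, `success`/`auth_err` for pam_unix) are constructed for the demonstration, and the "every module ignored" fallback to `perm_denied` is an assumption about Linux-PAM's default rather than something the post states.

```python
import re

# Linux-PAM shorthand keywords expressed as their equivalent [value=action]
# tables, as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The auth stack from the question, copied verbatim.
PASSWORD_AUTH = """
#%PAM-1.0
auth        required      pam_env.so
auth        [success=done new_authtok_reqd=done authinfo_unavail=ignore default=die] pam_sss.so forward_pass
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
"""

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")


def parse_control(control):
    """Turn a control field into a {return_value: action} table."""
    if control.startswith("["):
        table = {}
        for pair in control[1:-1].split():
            value, action = pair.split("=", 1)
            table[value] = action
        return table
    return dict(KEYWORDS[control])


def parse_stack(text, mgmt_group="auth"):
    """Return [(module, control_table, args)] for one management group."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable pam line: " + line)
        group, control, module, args = m.groups()
        if group == mgmt_group:
            stack.append((module, parse_control(control), args.split()))
    return stack


def run_stack(stack, returns):
    """Evaluate a stack the way libpam's dispatcher does.

    `returns` maps module name -> simulated return value name.
    Returns (final_result, list_of_modules_actually_consulted).
    """
    final = None        # None means no module has contributed yet
    consulted = []
    i = 0
    while i < len(stack):
        module, table, _args = stack[i]
        rc = returns[module]
        consulted.append(module)
        action = table.get(rc, table.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue
        if action.isdigit():            # jump: skip the next N modules
            i += int(action)
            continue
        # ok/done/bad/die all let the first non-success code win; a later
        # success never overrides an earlier failure.
        if final is None or final == "success":
            final = rc
        if action == "die":
            break
        if action == "done" and final == "success":
            break                       # 'done' after a prior failure continues
    if final is None:
        final = "perm_denied"           # assumption: all-ignored stacks are denied
    return final, consulted


def simulate(sss_rc, unix_rc="success"):
    """Run the question's auth stack with constructed module results."""
    returns = {
        "pam_env.so": "success",
        "pam_sss.so": sss_rc,
        "pam_unix.so": unix_rc,
        "pam_succeed_if.so": "success",
        "pam_deny.so": "auth_err",
    }
    return run_stack(parse_stack(PASSWORD_AUTH), returns)


if __name__ == "__main__":
    for sss_rc, unix_rc in [("user_unknown", "success"),
                            ("authinfo_unavail", "success"),
                            ("authinfo_unavail", "auth_err")]:
        final, consulted = simulate(sss_rc, unix_rc)
        print(f"pam_sss={sss_rc:17} pam_unix={unix_rc:8} -> {final:17} via {consulted}")
```

Running it shows the mechanics behind the symptom: with pam_sss returning `user_unknown` the bracketed control's `default=die` ends the stack immediately, so pam_unix is never consulted and the login fails with the sssd result seen in sssd_pam.log (`pam_reply called with result [10]`, which is PAM_USER_UNKNOWN). With `authinfo_unavail` the `=ignore` entry lets control fall through to pam_unix, where a correct local password succeeds via `sufficient` and a wrong one continues down to pam_deny.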