On (07/03/16 12:30), Hauke Fath wrote:
On Mon, 7 Mar 2016 12:14:17 +0100, Lukas Slebodnik wrote:
On (07/03/16 11:31), Hauke Fath wrote:
# getent passwd -s sss wtestman
wtestman:*:580:504:Walter A. Testman:/home/wtestman:/bin/tcsh
# getent shadow -s sss wtestman
# getent shadow -s nis wtestman
wtestman:$TOPSECRET:10779:0:99999:7:::
That's correct. sssd does not provide shadow maps.
That's why I followed the NIS example in https://bugzilla.redhat.com/show_bug.cgi?id=578463 and configured nsswitch.conf like
Yes, but the NIS example uses "auth_provider = krb5" and you want to use "auth_provider = proxy". I do not have any experience with NIS.
But it might be related to following output.
# getent passwd -s sss wtestman
wtestman:*:580:504:Walter A. Testman:/home/wtestman:/bin/tcsh
         ^ IIRC if you want to check the password with pam_unix then there should be "x" instead of "*"
Btw is there a difference between:
getent passwd -s sss wtestman
and
getent passwd -s nis wtestman
(you might temporarily add "nis" for passwd in nsswitch.conf)
passwd files sss
group files sss
shadow files nis
as mentioned.
Therefore you will need to have nis for shadow in /etc/nsswitch.conf, and then I cannot see a benefit of using sssd if you cannot get rid of nis in nsswitch.conf.
Well, it would still cache user and group information, which is probably accessed more frequently than the password.
FTR, I got the
auth_provider = proxy
proxy_pam_target = none
You set the pam target to "none". What is the content of the file /etc/pam.d/none?
Ah.
I would also recommend to look into /var/log/secure and not only into sssd logs.
I was under the impression that 'none' had special meaning, like for auth_provider? Certainly the logs do not mention a file not found...
BTW why do you need/want to use NIS? You can achieve the same with LDAP/FreeIPA
We use NIS here, and I figured sssd might help with a transition towards LDAP. But it has to work with NIS first.
I hope it will be just a transition and not the final state :-)
LS
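
Following the question above about /etc/pam.d/none, this added example (not code from the thread or from the sssd project) checks that every domain with auth_provider = proxy names a proxy_pam_target that exists as a PAM service file. The sample configuration, the domain name "NIS" and the function name are constructed assumptions, and only an explicitly set auth_provider is examined.

```python
import configparser
import os
import tempfile

# Constructed sample resembling the setup discussed in the thread;
# the domain name "NIS" and the id_provider lines are assumptions.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = NIS

[domain/NIS]
id_provider = proxy
proxy_lib_name = nis
auth_provider = proxy
proxy_pam_target = none
"""


def missing_proxy_pam_targets(conf_text, pam_dir="/etc/pam.d"):
    """Return (section, target, reason) for each proxy-auth domain whose
    proxy_pam_target is unset or has no service file under pam_dir."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    problems = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [nss], [pam] carry no auth settings
        dom = cfg[section]
        if dom.get("auth_provider", "").strip() != "proxy":
            continue  # simplification: only an explicit proxy auth provider
        target = dom.get("proxy_pam_target", "").strip()
        if not target:
            problems.append((section, None, "proxy_pam_target not set"))
        elif not os.path.isfile(os.path.join(pam_dir, target)):
            problems.append((section, target, "no such PAM service file"))
    return problems


if __name__ == "__main__":
    # Run against an empty throwaway directory so the demo works anywhere.
    with tempfile.TemporaryDirectory() as pam_dir:
        for section, target, reason in missing_proxy_pam_targets(
                SAMPLE_SSSD_CONF, pam_dir):
            print(f"{section}: proxy_pam_target={target!r}: {reason}")
```

On a real host, pass the text of /etc/sssd/sssd.conf and leave pam_dir at its default.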