9:53 a.m.
To configure my system I've followed the instructions at [1] but there
are two things not quite right:
1. All normal local users (i.e. not /root/) get prompted twice at login.
My testing shows that it's only the 2nd time the password must be
correct.
2. I can't use ~su~ to become root (though =sudo= works, so it's not the
end of the world).
My PAM-fu is rather limited, so I don't even know where I should start
looking to fix this. Maybe someone on this list can see right away
what's wrong with those instructions, or at least can offer me a pointer
on where to turn to figure it out?
/M
[1]:
https://wiki.archlinux.org/index.php/LDAP_authentication#Online_and_Offli...
--
Magnus Therning, magnus.therning(a)cipherstone.com
Cipherstone Technologies AB
Theres Svenssons gata 10, 417 55 Gothenburg, Sweden
Sometimes I wonder whether the world is being run by smart people who
are putting us on or by imbeciles who really mean it.
-- Mark Twain
Clearly, it's the imbeciles. And they really mean it.
-- DBT
10:13 a.m.
On (01/02/16 16:53), Magnus Therning wrote:
To configure my system I've followed the instructions at [1] but there
are two things not quite right:
1. All normal local users (i.e. not /root/) get prompted twice at login.
My testing shows that it's only the 2nd time the password must be
correct.
2. I can't use ~su~ to become root (though =sudo= works, so it's not the
end of the world).
My PAM-fu is rather limited, so I don't even know where I should start
looking to fix this. Maybe someone on this list can see right away
what's wrong with those instructions, or at least can offer me a pointer
on where to turn to figure it out?
/M
[1]:
https://wiki.archlinux.org/index.php/LDAP_authentication#Online_and_Offli...
You might inspire in fedora system-auth
Thanks a lot!M-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3
authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Nick
>--
>Magnus Therning, magnus.therning(a)cipherstone.com
>Cipherstone Technologies AB
>Theres Svenssons gata 10, 417 55 Gothenburg, Sweden
>
>Sometimes I wonder whether the world is being run by smart people who
>are putting us on or by imbeciles who really mean it.
> -- Mark Twain
>Clearly, it's the imbeciles. And they really mean it.
> -- DBT
>_______________________________________________
>sssd-users mailing list
>sssd-users(a)lists.fedorahosted.org
>https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
10:34 a.m.
On Mon, Feb 01, 2016 at 05:13:51PM +0100, Lukas Slebodnik wrote:
On (01/02/16 16:53), Magnus Therning wrote:
>
>To configure my system I've followed the instructions at [1] but there
>are two things not quite right:
>
>1. All normal local users (i.e. not /root/) get prompted twice at login.
> My testing shows that it's only the 2nd time the password must be
> correct.
>2. I can't use ~su~ to become root (though =sudo= works, so it's not the
> end of the world).
>
>My PAM-fu is rather limited, so I don't even know where I should start
>looking to fix this. Maybe someone on this list can see right away
>what's wrong with those instructions, or at least can offer me a pointer
>on where to turn to figure it out?
>
>/M
>
>[1]:
https://wiki.archlinux.org/index.php/LDAP_authentication#Online_and_Offli...
>
You might inspire in fedora system-auth
>Thanks a lot!M-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3
authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
I would recommend to use the Fedora style as well. Nevertheless in the
archlinux examples you might try to replace
auth sufficient pam_sss.so
by
auth sufficient pam_sss.so forward_pass
because by default pam_sss does not put the password on the PAM stack to
avoid leaking the password.
HTH
bye,
Sumit
> >
> >Nick
> >
>
>
>
> >--
> >Magnus Therning, magnus.therning(a)cipherstone.com
> >Cipherstone Technologies AB
> >Theres Svenssons gata 10, 417 55 Gothenburg, Sweden
> >
> >Sometimes I wonder whether the world is being run by smart people who
> >are putting us on or by imbeciles who really mean it.
> > -- Mark Twain
> >Clearly, it's the imbeciles. And they really mean it.
> > -- DBT
> >_______________________________________________
> >sssd-users mailing list
> >sssd-users(a)lists.fedorahosted.org
> >https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
7:52 a.m.
Sumit Bose writes:
On Mon, Feb 01, 2016 at 05:13:51PM +0100, Lukas Slebodnik wrote:
> On (01/02/16 16:53), Magnus Therning wrote:
> >
> >To configure my system I've followed the instructions at [1] but there
> >are two things not quite right:
> >
> >1. All normal local users (i.e. not /root/) get prompted twice at login.
> > My testing shows that it's only the 2nd time the password must be
> > correct.
> >2. I can't use ~su~ to become root (though =sudo= works, so it's not the
> > end of the world).
> >
> >My PAM-fu is rather limited, so I don't even know where I should start
> >looking to fix this. Maybe someone on this list can see right away
> >what's wrong with those instructions, or at least can offer me a pointer
> >on where to turn to figure it out?
> >
> >/M
> >
> >[1]:
https://wiki.archlinux.org/index.php/LDAP_authentication#Online_and_Offli...
> >
>
> You might inspire in fedora system-auth
> >Thanks a lot!M-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_fprintd.so
> auth [default=1 success=ok] pam_localuser.so
> auth [success=done ignore=ignore default=die] pam_unix.so nullok
try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_pwquality.so try_first_pass local_users_only retry=3
authtok_type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass
use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
use_uid
> session required pam_unix.so
> session optional pam_sss.so
I would recommend to use the Fedora style as well. Nevertheless in the
archlinux examples you might try to replace
auth sufficient pam_sss.so
by
auth sufficient pam_sss.so forward_pass
because by default pam_sss does not put the password on the PAM stack to
avoid leaking the password.
Thanks, that did it!
I did have a look at the settings in Debian too, but they were a bit
more complicated and it's unclear what the extra complexity actually
gives me. I have of course updated the Archlinux Wiki page.
If anyone else looks at the suggested settings there and see something
strange/sub-optimal/... then I'd really appreciate an email about it.
/M
--
Magnus Therning, magnus.therning(a)cipherstone.com
Cipherstone Technologies AB
Theres Svenssons gata 10, 417 55 Gothenburg, Sweden
Beauty is more important in computing than anywhere else in technology
because software is so complicated. Beauty is the ultimate defence
against complexity.
-- David Gelernter
3004
days inactive
3005
days old
sssd-users@lists.fedorahosted.org
3 comments
3 participants
participants (3)
-
Lukas Slebodnik -
Magnus Therning -
Sumit Bose