On 7 Dec 2021, at 00:22, Caderize Caderize <caderize(a)gmail.com> wrote:
Hi William,
The pam, for users created manually, is working fine for me.
The only problem is related to synced users from AD, which seem not to have all the
necessary objectClasses.
The issue is *not* related to objectClasses. As mentioned I reproduced your config and it
worked for me, with an entry with the same objectClasses.
However, this is the ldapserver pam service:
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass debug
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
You need an "account" module section in your pam file here, else the
pam_acct_mgmt step to allow the account will fail. That's likely your problem here.
Second, you don't need pam_unix. I think your file should be:
auth sufficient pam_sss.so use_first_pass ignore_unknown_user
auth required pam_deny.so
account sufficient pam_sss.so ignore_unknown_user
account required pam_deny.so
If that doesn't work, you need to add 'debug_log = 5' to [domain/lab.local]
and nsslapd-errorlog-level 81920 to your directory server, and then provide the logs for
an authentication from /var/log/dirsrv/slapd-instance/errors, and
/var/log/sssd/sssd_lab.local.log
Thanks,
and this is the sssd.conf file:
[sssd]
domains = lab.local
config_file_version = 2
services = nss, pam
debug_level = 10
[domain/lab.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = LAB.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = lab.local
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
#enumerate = true
auth_provider = ad
chpass_provider = ad
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
Hope to have a reply from you soon.
Best Regards
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
Sincerely,
William Brown
Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
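The point William makes above is that a PAM consumer such as the directory server's PAM pass-through walks the "auth" stack in pam_authenticate() and then the "account" stack in pam_acct_mgmt(), so a service file with only auth lines can never satisfy the second call. The following linter is an added example written for this thread, not code from 389-ds, SSSD or either poster; it parses a pam.d service file into (type, control, module, args) entries, flags an auth stack with no account lines, and flags control tokens that Linux-PAM does not recognise (a misspelling such as "sufficent" is a common cause of a stack that silently does not behave as intended). The three sample stacks are constructed for the example and only mirror the shape of the configurations discussed.

```python
"""Lint a Linux-PAM service file for the failure discussed in the thread.

A PAM consumer calls pam_authenticate() (walks the 'auth' stack) and then
pam_acct_mgmt() (walks the 'account' stack). A service file with only
'auth' lines passes the first call and has nothing to satisfy the second.
"""
import re
from collections import defaultdict

TYPES = {"auth", "account", "password", "session"}
# Control tokens of the simple syntax; the bracketed [...] syntax is
# accepted separately by the parser below.
SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional",
                   "include", "substack"}

# Constructed samples for this example (not copied from the thread).
# AUTH_ONLY has the shape of an auth-only stack, TYPO_STACK has a
# misspelled control token, GOOD_STACK is the auth + account shape the
# reply recommends.
AUTH_ONLY = """\
# Primary block
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass debug
auth requisite pam_deny.so
auth required pam_permit.so
"""

TYPO_STACK = """\
auth sufficent pam_sss.so use_first_pass ignore_unknown_user
auth required pam_deny.so
account sufficient pam_sss.so ignore_unknown_user
account required pam_deny.so
"""

GOOD_STACK = TYPO_STACK.replace("sufficent", "sufficient")

# type  control-or-[bracketed]  module  [args...]
LINE_RE = re.compile(
    r"^(?P<type>-?[a-z]+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)"
    r"(?:\s+(?P<args>.*))?$")


def parse_stack(text):
    """Return (type, control, module, args) tuples for each module line.

    Comments, blank lines and Debian-style '@include' lines are skipped; a
    leading '-' on the type (ignore a missing module) is stripped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pam line: {raw!r}")
        entries.append((m["type"].lstrip("-"), m["control"],
                        m["module"], m["args"] or ""))
    return entries


def lint_stack(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    by_type = defaultdict(list)
    for typ, control, module, args in parse_stack(text):
        if typ not in TYPES:
            findings.append(f"unknown module type {typ!r} for {module}")
            continue
        if not control.startswith("[") and control not in SIMPLE_CONTROLS:
            findings.append(
                f"{typ} {module}: {control!r} is not a valid control token, "
                f"so this line will not behave as intended")
        by_type[typ].append((control, module, args))
    if by_type["auth"] and not by_type["account"]:
        findings.append(
            "auth stack present but no account lines: pam_acct_mgmt() has "
            "nothing to satisfy it")
    return findings


if __name__ == "__main__":
    for name, stack in (("auth-only", AUTH_ONLY), ("typo", TYPO_STACK),
                        ("recommended", GOOD_STACK)):
        print(f"{name}: {lint_stack(stack) or ['ok']}")
```

Run it against a real service file with `lint_stack(open("/etc/pam.d/ldapserver").read())`; an empty list means both stacks are present and every control token is one Linux-PAM understands, which is the first thing to confirm before turning up the sssd and directory server debug logging.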