Hi again,
Now I am confused: do I need the PAC service or not?
Our SSSD is configured against AD as id/auth provider and with the option "id_mapping=false".
So far I can imagine that on the Linux PC side we only need to resolve groups with a POSIX gid attribute.
Maybe my assumption is wrong, and using PAC is smarter and more flexible and does not bind us only to POSIX groups.
Even though I haven't set the pac service, I see in krb5_child.log the entry:
"sss_send_pac failed: group membership for user xxxx may not be correct".
Is it an advantage having the PAC service in our case?
Best,
Longina
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces(a)lists.fedorahosted.org] On behalf of Jakub Hrozek
Sent: 16 July 2015 23:11
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] ssh passwordless with sssd-1.12.5
On Fri, Jul 10, 2015 at 04:50:39PM +0000, Longina Przybyszewska wrote:
> Hi,
> .k5login doesn't help. Homedir is mounted with sec=krb5 and is not
> accessible on the ssh server side until validated krb principal credentials
> are obtained, which seems to be my problem.
>
> I have noticed that I have no libpam-krb5 module in PAM.
That's fine, you don't need pam_krb5 to process PAC.
> I have the libpam-sss module, which seems to be enough to deal with krb
> principals for NFS mounts and GUI logins and ssh logins with passwd.
PAC is processed by the PAC responder in sssd. The data can be fed to the PAC
responder either from libkrb5 (invoked by SSHD) directly when using GSSAPI
auth or, when using password-based auth, by SSSD's krb5_child process, which
feeds the data into the PAC responder.
It's a bit confusing and we have a ticket open to better describe the
relationship in a document.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
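For readers who want to try what Jakub describes, the following sssd.conf fragment is an added example; it is not from the original thread or from the SSSD project, and the domain name and realm are assumed placeholders. It enables the PAC responder next to the AD provider with ID mapping disabled. In the SSSD 1.12 series the responder is only started when `pac` is listed in `services`, and the AD provider's actual option name for disabling SID-to-ID mapping is `ldap_id_mapping` (not `id_mapping`).

```ini
# /etc/sssd/sssd.conf (mode 0600, owned by root)
[sssd]
config_file_version = 2
domains = ad.example.com            ; assumed placeholder domain
; The PAC responder (sssd_pac) only runs when "pac" is listed here.
services = nss, pam, pac

[domain/ad.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
krb5_realm = AD.EXAMPLE.COM         ; assumed placeholder realm
; Use the uidNumber/gidNumber attributes stored in AD instead of
; algorithmically mapping SIDs to POSIX IDs.
ldap_id_mapping = False

[pac]
; Raise this while diagnosing "sss_send_pac failed" messages in krb5_child.log.
debug_level = 3
```

After restarting sssd, a working responder is visible as an `sssd_pac` process and as the socket `/var/lib/sss/pipes/pac`; that socket is what krb5_child and the libkrb5 plugin connect to, so once it exists the "sss_send_pac failed" entry in krb5_child.log is the thing to watch for on the next password login.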