On Fri, Jul 22, 2016 at 01:31:02PM +0000, Joakim Tjernlund wrote:
> Trying to make automatic keyring unlock work with pam_sss and it
> fails :)
> I have in my pam conf:
> auth required pam_env.so
> auth sufficient pam_unix.so try_first_pass likeauth nullok
> auth sufficient pam_sss.so forward_pass use_first_pass
> auth optional pam_gnome_keyring.so
> auth optional pam_group.so
> auth required pam_deny.so
> But this fails to unlock the keyring, but if I move pam_gnome_keyring.so
> before pam_sss.so it works. It looks as if the forward_pass option fails
> to preserve the password.
> Any pointers?

I think what you see is the behaviour of the 'sufficient' control value.
From man pam.conf:
"""
sufficient
if such a module succeeds and no prior required module has failed
the PAM framework returns success to the application or to the superior
PAM stack immediately without calling any further modules in the stack.
A failure of a sufficient module is ignored and processing of the PAM
module stack continues unaffected.
"""
So it makes sense to put pam_gnome_keyring.so before pam_sss and before
pam_unix as well for local users.
HTH
bye,
Sumit
>
> Jocke
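
The control-flag behaviour quoted from the man page can be traced with a small model of the auth stack. This is an added example, not part of the original thread and not PAM's own code: `parse` and `run_auth` are hypothetical helpers, only the four classic control keywords are modelled, and the reordered stack is constructed from the suggestion in the reply.

```python
# Simplified model of PAM control-flag handling (assumption: only the four
# classic keywords are modelled; real Linux-PAM has more return-code cases).
ORIGINAL = """\
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_sss.so forward_pass use_first_pass
auth optional pam_gnome_keyring.so
auth optional pam_group.so
auth required pam_deny.so
"""

# Constructed variant following the reply: keyring before both sufficient modules.
REORDERED = """\
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_sss.so forward_pass use_first_pass
auth optional pam_group.so
auth required pam_deny.so
"""

def parse(conf):
    """Return [(control, module)] for each non-comment service line."""
    rows = [line.split() for line in conf.splitlines()]
    return [(f[1], f[2]) for f in rows if len(f) >= 3 and not f[0].startswith("#")]

def run_auth(conf, failing=()):
    """Walk the stack; return (authenticated, modules_called).

    Modules named in `failing` return an error; pam_deny.so always does.
    """
    called, required_failed = [], False
    for control, module in parse(conf):
        called.append(module)
        ok = module != "pam_deny.so" and module not in failing
        if control == "sufficient" and ok and not required_failed:
            return True, called          # stack stops here; later modules never run
        if control == "requisite" and not ok:
            return False, called         # immediate failure
        if control == "required" and not ok:
            required_failed = True       # remembered, but the stack continues
        # optional results and failed sufficient modules are ignored
    return not required_failed, called

if __name__ == "__main__":
    # SSSD (non-local) user: pam_unix fails, pam_sss succeeds.
    for name, conf in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(name, run_auth(conf, failing={"pam_unix.so"}))
```

With the original order the walk ends at `pam_sss.so`, so `pam_gnome_keyring.so` is only reached when both sufficient modules fail, and in that case `pam_deny.so` rejects the login anyway.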