On 04/25/2014 04:39 PM, kevin sullivan wrote:
I am seeing an issue when I try to change a local user's password when
SSSD (1.9.2-82.el6) is not running. I have two sets of users: users
stored in ldap and users stored locally on my RHEL 6.4 machine. When
able, I want to login as the ldap users and only fallback to the local
users when I can't contact the ldap server. This is why I have pam
configured like this:
password requisite pam_cracklib.so retry=3 minlen=10
password sufficient pam_sss.so forward_pass use_authtok
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
When SSSD is running, I can change the password of local users and
ldap users. However, when I try to change the password of a local user
when SSSD is not running, I see this error:
Changing password for user.
passwd: Authentication token manipulation error.
I then added 'audit' and 'debug' options to the pam_unix module and
saw this output in /var/log/secure:
Apr 25 16:01:21 localhost passwd: pam_sss(passwd:chauthtok): Request to sssd failed. Connection refused
Apr 25 16:01:21 localhost passwd: pam_unix(passwd:chauthtok): username [user] obtained
Apr 25 16:01:28 localhost passwd: pam_sss(passwd:chauthtok): Request to sssd failed. Connection refused
Apr 25 16:01:28 localhost passwd: pam_unix(passwd:chauthtok): username [user] obtained
Apr 25 16:01:28 localhost passwd: pam_unix(passwd:chauthtok): password - new password not obtained
Apr 25 16:01:28 localhost passwd: gkr-pam: couldn't update the 'login' keyring password: no old password was entered
I know that I can comment out the password line in
/etc/pam.d/system-auth-ac that references pam_sss, and the password
change will work correctly. Also, I know that I can login using a
local account when SSSD is stopped. Here is the auth section of my
system-auth-ac:
auth required pam_env.so
auth sufficient pam_sss.so forward_pass
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
Am I misconfigured somehow? Does pam_sss support forwarding passwords
when SSSD is stopped?
Are your local accounts the same as the remote ones?
If yes then this is wrong. SSSD supports caching and you should remove
local accounts and not have duplicates. You can make SSSD cache a hash
of the user password for the cases when it is offline.
Password changes can't be done offline.
It is also recommended to have only root and local system accounts like
oracle or tomcat or apache in /etc/passwd. Once you clean this up from
the real user accounts put it in front of SSSD in PAM and NSS
configuration so that root can always login. Other accounts should be
just there but should not be interactive user accounts. The rest SSSD
will take care of.
Thanks,
Kevin
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
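The reordering Dmitri describes (local files in front of SSSD in both NSS and PAM), written out as an added example for the password stack posted above; this is constructed for illustration and is not configuration taken from the thread or from authconfig. The module options on the pam_unix and pam_cracklib lines are carried over from Kevin's configuration as given.

```conf
# /etc/nsswitch.conf (constructed example): local files are consulted first,
# so root and local system accounts resolve even when sssd is not running.
passwd:     files sss
shadow:     files sss
group:      files sss

# /etc/pam.d/system-auth-ac, password stack as posted in the thread.
# pam_sss runs first; with sssd stopped it logs "Request to sssd failed.
# Connection refused", and pam_unix (use_authtok) then logs
# "new password not obtained", so passwd fails for a local user.
#password requisite   pam_cracklib.so retry=3 minlen=10
#password sufficient  pam_sss.so forward_pass use_authtok
#password sufficient  pam_unix.so md5 shadow nullok try_first_pass use_authtok
#password required    pam_deny.so

# Same stack with pam_unix in front of pam_sss (constructed example).
# - Local account: pam_unix succeeds; as a "sufficient" module its success
#   ends the stack, so whether sssd is running no longer matters.
# - LDAP account: pam_unix finds no local entry for the user and fails,
#   the stack continues, and pam_sss performs the change through sssd.
password    requisite     pam_cracklib.so retry=3 minlen=10
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
```

The same principle applies to the auth stack: keep pam_unix ahead of pam_sss so that root and the local system accounts remain reachable while sssd is down, and leave interactive user accounts to SSSD only.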