On 04/25/2014 04:39 PM, kevin sullivan wrote:
I am seeing an issue when I try to change a local user's password when SSSD (1.9.2-82.el6) is not running. I have two sets of users: users stored in LDAP and users stored locally on my RHEL 6.4 machine. When able, I want to log in as the LDAP users and only fall back to the local users when I can't contact the LDAP server. This is why I have PAM configured like this:

password    requisite     pam_cracklib.so retry=3 minlen=10
password    sufficient    pam_sss.so forward_pass use_authtok
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

When SSSD is running, I can change the password of local users and ldap users. However, when I try to change the password of a local user when SSSD is not running, I see this error:

Changing password for user.
passwd: Authentication token manipulation error.

I then added 'audit' and 'debug' options to the pam_unix module and saw this output in /var/log/secure:

Apr 25 16:01:21 localhost passwd: pam_sss(passwd:chauthtok): Request to sssd failed. Connection refused
Apr 25 16:01:21 localhost passwd: pam_unix(passwd:chauthtok): username [user] obtained
Apr 25 16:01:28 localhost passwd: pam_sss(passwd:chauthtok): Request to sssd failed. Connection refused
Apr 25 16:01:28 localhost passwd: pam_unix(passwd:chauthtok): username [user] obtained
Apr 25 16:01:28 localhost passwd: pam_unix(passwd:chauthtok): password - new password not obtained
Apr 25 16:01:28 localhost passwd: gkr-pam: couldn't update the 'login' keyring password: no old password was entered 

I know that I can comment out the password line in /etc/pam.d/system-auth-ac that references pam_sss, and the password change will work correctly. Also, I know that I can login using a local account when SSSD is stopped. Here is the auth section of my system-auth-ac:

auth        required      pam_env.so
auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

Am I misconfigured somehow? Does pam_sss support forwarding passwords when SSSD is stopped?


Are your local accounts the same as the remote ones?
If yes, then this is wrong. SSSD supports caching, and you should remove the local accounts and not have duplicates. You can make SSSD cache a hash of the user password for the cases when SSSD is offline.
Password changes can't be done offline.
It is also recommended to have only root and local system accounts like oracle, tomcat or apache in /etc/passwd. Once you have cleaned the real user accounts out of it, put it in front of SSSD in the PAM and NSS configuration so that root can always log in. Other accounts should just be there but should not be interactive user accounts. SSSD will take care of the rest.


Thanks,

Kevin



_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
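As an added example, not part of this thread and not SSSD's own code: a small Python audit for the two points raised in the reply. It reads /etc/passwd-style text and a list of directory user names and reports which local accounts are interactive (uid >= 500 with a real login shell, mirroring the pam_succeed_if line above) and which of those duplicate a directory account, and it checks a system-auth style stack for whether pam_unix.so is ordered before pam_sss.so in each PAM type. All inputs at the bottom are constructed sample data (the user names, uids and the second stack are assumptions made for the example); the first stack is the one quoted in the thread.

```python
"""Audit helpers for the local-vs-SSSD layout discussed in the thread.

Both checks take their input as text so the script runs offline:
  1. local_account_findings(): interactive entries in /etc/passwd and which
     of them also exist in the directory (the duplicates the reply says
     should be removed).
  2. stack_order_findings(): per PAM type, is pam_unix.so stacked before
     pam_sss.so (local accounts "in front of SSSD")?
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
UID_MIN = 500  # first regular-user uid on RHEL 6, as in the pam_succeed_if line


def parse_passwd(text):
    """Return {name: (uid, shell)} from /etc/passwd-style text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # skip malformed lines rather than guess
            continue
        entries[fields[0]] = (int(fields[2]), fields[6])
    return entries


def local_account_findings(passwd_text, directory_users):
    """Classify local accounts.

    'interactive': uid >= UID_MIN and a shell that allows login.
    'duplicates':  interactive local names that also exist in the directory.
    """
    local = parse_passwd(passwd_text)
    interactive = sorted(name for name, (uid, shell) in local.items()
                         if uid >= UID_MIN and shell not in NOLOGIN_SHELLS)
    remote = set(directory_users)
    duplicates = sorted(name for name in interactive if name in remote)
    return {"interactive": interactive, "duplicates": duplicates}


def parse_pam_stack(text):
    """Return [(type, control, module)] from system-auth style lines."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        stack.append((parts[0], parts[1], parts[2]))
    return stack


def stack_order_findings(pam_text):
    """For each PAM type that lists both modules, True when pam_unix.so
    comes before pam_sss.so, False otherwise."""
    first_seen = {}
    for idx, (ptype, _control, module) in enumerate(parse_pam_stack(pam_text)):
        if module in ("pam_unix.so", "pam_sss.so"):
            first_seen.setdefault(ptype, {}).setdefault(module, idx)
    return {ptype: mods["pam_unix.so"] < mods["pam_sss.so"]
            for ptype, mods in first_seen.items()
            if "pam_unix.so" in mods and "pam_sss.so" in mods}


# Constructed sample /etc/passwd: root and apache are system accounts,
# oracle is a local service account with a login shell, kevin and jsmith
# are real users that also exist in the directory.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
oracle:x:501:501:Oracle:/home/oracle:/bin/bash
kevin:x:502:502:Kevin:/home/kevin:/bin/bash
jsmith:x:503:503:J Smith:/home/jsmith:/bin/bash
"""
SAMPLE_DIRECTORY = ["kevin", "jsmith", "alice"]  # constructed directory listing

# The auth and password lines quoted in the thread.
THREAD_STACK = """\
auth        required      pam_env.so
auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
password    requisite     pam_cracklib.so retry=3 minlen=10
password    sufficient    pam_sss.so forward_pass use_authtok
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
"""

# Same modules with pam_unix.so ahead of pam_sss.so (assumed layout).
REORDERED_STACK = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
password    requisite     pam_cracklib.so retry=3 minlen=10
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
"""

if __name__ == "__main__":
    print(local_account_findings(SAMPLE_PASSWD, SAMPLE_DIRECTORY))
    print(stack_order_findings(THREAD_STACK))
    print(stack_order_findings(REORDERED_STACK))
```

With the sample data the audit lists oracle, kevin and jsmith as interactive local accounts and kevin and jsmith as duplicates of directory users; the thread's stack reports pam_sss.so ahead of pam_unix.so for both auth and password, the reordered one reports pam_unix.so first. On a real host, feed it the contents of /etc/passwd and a user list exported from the directory.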