This is very encouraging,  thank you so much. I will try this and report back.

Thank you

On Fri, May 17, 2024, 1:10 AM Alexey Tikhonov <atikhono@redhat.com> wrote:
Hi,

On Fri, May 17, 2024 at 9:33 AM Techie <techchavez@gmail.com> wrote:
Hello again, my offline authentication works, however, if I reboot while offline it no longer works and the cached password is removed from the cache db. I mean that ldbsearch no longer reveals a cached password for my user.

Try to `touch /etc/passwd` without reboot - I guess it will have the same effect.

I can't find ticket right now, but there was a bug reported that 'files provider' loses cached password hash while rebuilding cache (and it rebuilds entire cache at every startup and every /etc/passwd&group file event)

This bug won't be fixed. Files provider is deprecated and planned for eventual removal.

'proxy provider' with 'lib = files' is a substitute for your use case.

https://sssd.io/docs/files-provider-deprecation.html doesn't describe your case directly, but hopefully still can help.

If you could try this and then contribute a new section to this doc - it would be great.


 

I use the passwd file as the ID provider and krb5 as the auth provider. 

[pam]

offline_credential_expiration = 0

[domain/EXAMPLE.COM]
cache_credentials=true
id_provider=files
auth_provider=krb5
krb5_server=srva.example.com
#krb5_kpasswd=srva.example.com
krb5_realm=EXAMPLE.COM
dns_discovery_domain=EXAMPLE.COM

Not sure why the cached entry for my user is removed from /var/lib/sss/db/cache_EXAMPLE.COM.ldb

I've been fighting with this for a while so any help would be appreciated.

Thank you


On Sun, Sep 17, 2023, 12:01 PM Techie <techchavez@gmail.com> wrote:
Hi

Trying to use cached creds with local users in the passwd file authenticating via kerberos.
I have id_provider set to files and auth_provider set to krb5(AD DC). Online authentication works fine however when I disconnect the network authentication fails. The computer is not joined to a domain, I am only leveraging the domain/realm for authentication purposes

Relevant entries
[pam]
offline_credentials_expiration = 7

[domain]
cache_credentials=true
account_cache_expiration=8
id_provider=files
auth_provider=krb5
krb5_server=srva.example.com
krb5_kpasswd=srva.example.com
krb5_realm=EXAMPLE.COM
dns_discovery_domain=EXAMPLE.COM
krb5_store_password_if_offline=true

Is this a supported configuration for offline logins with cached credentials?

Thanks
--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue