Hi,
Having some RHEL 8 machines as VDI on a VMware Horizon desktop pool, we see that when reconnecting to a machine, system-auth and its PAM stack are executed (at least I think so). Is there a way to make pam_sss actually fetch a new TGT when doing so, just like entering a password when the screensaver does?
Best, Francis
On Thu, Apr 07, 2022 at 01:34:27PM -0000, Francis Augusto Medeiros-Logeay wrote:
> Hi,
> Having some RHEL 8 machines as VDI on a VMware Horizon desktop pool, we see that when reconnecting to a machine, system-auth and its PAM stack are executed (at least I think so). Is there a way to make pam_sss actually fetch a new TGT when doing so, just like entering a password when the screensaver does?
Hi,
iirc there is a special VMware PAM module which lets users pass without entering the password if they are already authenticated at the VMware infrastructure. So I would expect that pam_sss is not called at all. Additionally, pam_sss would always need a password to get a TGT with the help of the SSSD backend.
bye, Sumit
> Best, Francis
On Thu, Apr 07, 2022 at 08:19:47PM +0200, Francis Augusto Medeiros-Logeay wrote:
> -- Francis Augusto Medeiros-Logeay Oslo, Norway
> > Hi,
> > iirc there is a special VMware PAM module which lets users pass without entering the password if they are already authenticated at the VMware infrastructure. So I would expect that pam_sss is not called at all. Additionally, pam_sss would always need a password to get a TGT with the help of the SSSD backend.
> > bye, Sumit
> Thanks Sumit. I traced what happens when I connect again via the Horizon client. It seems that system-auth, and not the VMware module, is called (well, at least not the vmtoolsd under pam.d). I would assume a password is sent, as this scenario I am mentioning involves passwords - like for example when one closes the client and connects again.
Hi,
can you check /var/log/secure or the journal to see which PAM modules are used during authentication? Additionally, setting 'debug_level = 9' in the [pam] and [domain/...] sections of sssd.conf would enable debugging in SSSD which might help to understand if SSSD is called during authentication and if yes, what happens to the TGT request.
bye, Sumit
> Best, Francis
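One way to carry out the log check suggested in the last reply, as an added example that is not part of the original thread or of SSSD: it tallies the `module(service:phase)` tags that PAM modules write to syslog, so it is visible per PAM service whether pam_sss took part in the auth phase. The sample lines, host name, user and the service name `example-vdi-agent` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the style of /var/log/secure (not real log data).
sample_log() {
cat <<'EOF'
Apr  7 20:21:03 vdi01 gdm-password][2101]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=alice
Apr  7 20:21:04 vdi01 gdm-password][2101]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
Apr  7 20:25:40 vdi01 example-vdi-agent[2207]: pam_unix(example-vdi-agent:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=alice
Apr  7 20:25:41 vdi01 example-vdi-agent[2207]: pam_unix(example-vdi-agent:session): session opened for user alice by (uid=0)
Apr  7 20:25:42 vdi01 systemd[1]: Started Session 12 of user alice.
EOF
}

# Read syslog-style lines on stdin and print "service phase module count",
# one row per distinct combination, sorted.
pam_modules_seen() {
    awk '
    match($0, /pam_[a-z0-9_]+\([^:()]+:[a-z]+\)/) {
        tag = substr($0, RSTART, RLENGTH)      # e.g. pam_sss(gdm-password:auth)
        split(tag, part, /[():]/)              # part[1]=module, [2]=service, [3]=phase
        seen[part[2] " " part[3] " " part[1]]++
    }
    END { for (k in seen) print k, seen[k] }
    ' | sort
}

# Exit status 0 if pam_sss logged in the auth phase of service $1, else 1.
pam_sss_auth_seen() {
    pam_modules_seen | awk -v svc="$1" '
        $1 == svc && $2 == "auth" && $3 == "pam_sss" { found = 1 }
        END { exit !found }
    '
}

# Stand-alone run over the constructed sample.
sample_log | pam_modules_seen
```

On a live host the same functions read real input, for example `pam_modules_seen < /var/log/secure` or `journalctl -b | pam_modules_seen`. Modules that log nothing at the current log level will not appear in the tally.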