On (18/03/14 15:35), kevin sullivan wrote:
After trying for several days, I want to ask if this is even
possible:
I am running CentOS 6.4 and I have sssd-1.9.2-82 installed.
I would recommend updating to CentOS 6.5
(a lot of crashes and bugs were fixed in 6.5).
I would like to log into my machine by querying an OpenLDAP server running elsewhere.
The
big difference that I have from the normal sssd setup, is I only want to
use the local Unix accounts (/etc/passwd and /etc/shadow) if my LDAP server
is offline.
So how do I do this? Should I be able to do all of this through pam? Either
way, the issue I am seeing with sssd is the return value of pam when sssd
can't connect to my ldap server. It always returns 'user_unknown' instead
of 'authinfo_unavail' as I would expect. Am I configuring something
incorrectly?
/etc/pam.d/password-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [success=done new_authtok_reqd=done authinfo_unavail=ignore default=die] pam_sss.so forward_pass
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
You can use authconfig to configure the PAM stack and nsswitch on CentOS/Fedora.
This is part of my /etc/pam.d/password-auth:
----------------------------------------------------------------------
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
----------------------------------------------------------------------
/etc/sssd/sssd.conf:
[domain/default]
debug_level = 9
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=cn=group,ou=Roles,dc=example,dc=com
ldap_group_member = memberUid
ldap_group_search_base = ou=Roles,dc=example,dc=com
chpass_provider = ldap
ldap_uri = ldap://test-server/
[sssd]
debug_level = 9
services = pam
config_file_version = 2
domains = default
[nss]
debug_level = 9
[pam]
debug_level = 9
[sudo]
debug_level = 9
[autofs]
debug_level = 9
[ssh]
debug_level = 9
[pac]
debug_level = 9
/var/log/sssd/sssd_default.log:
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [3][1][name=user]
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x196b8f0
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x196c2b0
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [ldb] (0x4000): Destroying timer event 0x196c2b0 "ltdb_timeout"
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [ldb] (0x4000): Ending timer event 0x196b8f0 "ltdb_callback"
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
SSSD could not connect to the LDAP server.
We will need the whole log file sssd_default.log.
LS
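As an added illustration (not code from the thread, from SSSD or from Linux-PAM), here is a simplified Python model of Linux-PAM's stack dispatch rules run over the auth section quoted above: it shows why pam_sss returning authinfo_unavail lets the stack fall through to pam_unix, while user_unknown hits default=die before local accounts are ever consulted. Jump actions (N), reset and module arguments are omitted; the module return codes fed in are constructed.

```python
# Constructed, simplified model of Linux-PAM auth-stack dispatch (not PAM code).

# Control keywords expanded to their [value=action] tables, as in pam.conf(5).
KEYWORDS = {
    "required":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":  {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_control(ctl):
    """Action table for a keyword or an explicit '[value=action ...]' control."""
    if ctl.startswith("["):
        return dict(kv.split("=", 1) for kv in ctl.strip("[]").split())
    return KEYWORDS[ctl]

def run_auth_stack(stack, results):
    """stack: [(control, module)]; results: module -> its return code. Returns (status, consulted)."""
    impression, status, consulted = None, "success", []
    for ctl, module in stack:
        actions, retval = parse_control(ctl), results[module]
        consulted.append(module)
        action = actions.get(retval, actions["default"])
        if action in ("ok", "done"):
            # A success only sets the status while no earlier module has failed.
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", retval
            if impression == "pos" and action == "done":
                break        # 'sufficient' short-circuits only while nothing has failed
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", retval   # first failure fixes the status
            if action == "die":
                break        # requisite / default=die: nothing below is reached
        # action "ignore": contributes nothing, the stack continues
    return status, consulted

# The original poster's auth section from /etc/pam.d/password-auth (quoted above).
OP_STACK = [
    ("required", "pam_env.so"),
    ("[success=done new_authtok_reqd=done authinfo_unavail=ignore default=die]", "pam_sss.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite", "pam_succeed_if.so"),
    ("required", "pam_deny.so"),
]

def login_with_sss_result(sss_retval):
    """Constructed case: local account exists with the right password; only pam_sss's verdict varies."""
    results = {"pam_env.so": "success", "pam_sss.so": sss_retval, "pam_unix.so": "success",
               "pam_succeed_if.so": "success", "pam_deny.so": "auth_err"}
    return run_auth_stack(OP_STACK, results)
```

With `authinfo_unavail` the result is `("success", [...pam_unix.so])`; with `user_unknown` it is `("user_unknown", ["pam_env.so", "pam_sss.so"])`, matching the behaviour described in the thread.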