Package: libpam-sss
Version: 2.8.2-4
Severity: wishlist

Here's the config file I am using:

$ cat /usr/share/pam-configs/sss-gss
Name: Authenticate if the user can obtain a valid Kerberos ticket for the local host
Default: yes
Priority: 512
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_sss_gss.so
Auth-Initial:
        [success=end default=ignore]    pam_sss_gss.so

However it can't be added to the package yet because it will break
authentication for non-local users (because we use the 'use_first_pass'
option with pam_sss.so when it's not the initial module, so a non-local
user is not able to log in when pam_sss.so is not the initial module and
no prior modules stashed a password for it to consume).

For the time being we need 'use_first_pass' so that non-local users don't
get prompted by _both_ pam_unix.so and pam_sss.so.

Ideally pam_sss.so would have a 'try_first_pass' option which would
unblock us from shipping an sss-gss pam config. I've filed an RFE here:
<https://github.com/SSSD/sssd/issues/6946>.

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (550, 'stable-updates'), (550, 'stable-security'), (550, 'stable'), (530, 'testing'), (520, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages libpam-sss depends on:
ii  libc6             2.36-9+deb12u1
ii  libgssapi-krb5-2  1.20.1-2
ii  libpam-pwquality  1.4.5-1+b1
ii  libpam-runtime    1.5.2-6
ii  libpam0g          1.5.2-6

Versions of packages libpam-sss recommends:
ii  sssd  2.8.2-4

libpam-sss suggests no packages.

-- no debconf information
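
Added example (not part of the original report, and not Debian or SSSD code): a static check for the condition the report describes, a module given 'use_first_pass' with no earlier module in the auth stack that could have stashed a password. The function names, the PROMPTING_MODULES set and both sample stacks are assumptions constructed for illustration.

```python
# Assumption (not from the report): these modules prompt for a password and
# stash it as PAM_AUTHTOK unless they are themselves given use_first_pass.
PROMPTING_MODULES = {"pam_unix.so", "pam_sss.so"}

def parse_auth_stack(text):
    """Return (lineno, module, args) for every 'auth' line of a pam.d file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        idx = 1
        if fields[1].startswith("["):
            # A bracketed control such as [success=1 default=ignore] spans fields.
            while idx < len(fields) - 1 and not fields[idx].endswith("]"):
                idx += 1
        rest = fields[idx + 1:]
        if rest:
            entries.append((lineno, rest[0].rsplit("/", 1)[-1], rest[1:]))
    return entries

def find_starved_modules(text):
    """Flag use_first_pass modules that run before any password could be stashed.

    The stack is walked linearly: the path where every earlier module was ignored."""
    findings, password_stashed = [], False
    for lineno, module, args in parse_auth_stack(text):
        if "use_first_pass" in args:
            if not password_stashed:
                findings.append((lineno, module))
        elif module in PROMPTING_MODULES:
            password_stashed = True
    return findings

# Constructed sample stacks (not taken from a real system).
GSS_THEN_SSS = """\
auth [success=2 default=ignore] pam_sss_gss.so
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
GSS_UNIX_SSS = """\
auth [success=3 default=ignore] pam_sss_gss.so
auth [success=2 default=ignore] pam_unix.so nullok try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
```

find_starved_modules(GSS_THEN_SSS) reports pam_sss.so on line 2; the second stack, where pam_unix.so runs first, reports nothing.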