On Tue, 2021-12-14 at 10:23 +0100, Sumit Bose wrote:
> On Mon, Dec 13, 2021 at 06:14:13PM -0000, Sam Morris via FreeIPA-users wrote:
> >
> > I've filed https://bugs.debian.org/1001644 to discuss whether pam_sss can
> > be moved before pam_unix in the Debian packaging.
>
> Btw, in RHEL and Fedora we use authselect
> (https://github.com/authselect/authselect) to flexibly manage the
> system's PAM configuration. Maybe this is something Debian would like to
> adopt as well.

As a user that would sure be nice. Debian has pam-auth-update which does the same thing but doesn't really have any user-configurable knobs. But I don't plan on carrying the torch to get pam-auth-update adopted... :)

Regardless, I found that bumping the priority of the sss pam-auth-update config file to a value greater than that of the unix config file causes pam-auth-update to do the right thing and we get:

    # here are the per-package modules (the "Primary" block)
    auth [success=2 default=ignore] pam_sss.so forward_pass
    auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
    # here's the fallback if no module succeeds

Which appears to work fine for both local and directory users on my system.

However, I note that on Red Hat, pam_localuser is used to ensure that local users are handled by pam_unix, and non-local users are only handled by pam_sss. Is there any benefit to doing this, or is a config like what I pasted above OK as well?

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
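
How the reordered "Primary" block resolves for directory and local users, as an added example that is not part of the original message: a simplified model of how Linux-PAM walks an auth stack with `success=N` jumps. The two fallback lines (pam_deny.so, pam_permit.so) and the sample module results are assumptions, since the message does not show them.

```python
import re

# Keyword controls used below, written in Linux-PAM's bracket form (subset).
KEYWORDS = {"requisite": {"success": "ok", "default": "die"},
            "required": {"success": "ok", "default": "bad"}}

# Primary block as pasted in the message. The two fallback lines are an
# assumption (Debian's usual pam_deny/pam_permit pair); the message omits them.
STACK = """\
auth [success=2 default=ignore] pam_sss.so forward_pass
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

def parse(text):
    """Return [(module, {return_value: action})] for each non-comment line."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        control, module = re.match(r"\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)", line).groups()
        if control.startswith("["):
            actions = dict(kv.split("=") for kv in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        stack.append((module, actions))
    return stack

def authenticate(stack, results):
    """results maps module -> return value; returns (granted, modules_called)."""
    fixed = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}
    called, ok_seen, failed, i = [], False, False, 0
    while i < len(stack):
        module, actions = stack[i]
        ret = fixed.get(module) or results.get(module, "auth_err")
        called.append(module)
        action = actions.get(ret, actions.get("default", "bad"))
        i += 1
        if action.isdigit():
            i += int(action)  # jump: skip the next N modules
        elif action == "ok":
            ok_seen = True
        elif action == "die":
            return False, called  # requisite failure ends the stack at once
        elif action == "bad":
            failed = True
    return (ok_seen and not failed), called
```

The second element of the result lists the modules actually invoked, so the local-user case (`{"pam_sss.so": "user_unknown", "pam_unix.so": "success"}`) shows pam_sss.so being consulted before pam_unix.so.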
