On Thu, Nov 29, 2012 at 10:26:00AM -0500, Rob Crittenden wrote:
> 小龙 陈 wrote:
> >Hi,
> >
> >I've been working on porting the FreeIPA client to Arch Linux lately and
> >I'm now to the last step of the puzzle. Everything works the way it
> >should, except for PAM, which I don't know how to setup.
> >
> >I must admit that I'm very confused my the PAM configuration (which PAM
> >module does what, the order of the modules, etc). What I'm trying to
> >find out is where the pam_sss.so lines should go. Here's a copy of the
> >/etc/pam.d/ directory in Arch Linux: http://ompldr.org/vZ2hxcw/pam.d.tar.bz2
> >
> >I'd greatly appreciate it if someone could help me out :) Thanks!
> >
> I gather that this is due to a lack of authconfig.
> Timo Aaltonen has been working on ipa-client (and server!) for
> Ubuntu and he ran into similar problems but I'm not sure what
> solution he came up with.
> I'll find someone with more PAM experience to try to give you more
> practical help.
> rob


the PAM config files on Arch Linux are a little bit different than what
Fedora/RHEL uses. It seems that the per-service config files (such as
/etc/pam.d/su for logging in with su) directly include the PAM modules,
in your case pam_unix.so only. On Fedora/RHEL, the per-service files
usually include a more generic file called something like system-auth.

Either way works, but if you'd like to configure more services in a
similar way, then including a common file might save you some edits.

This document is a little outdated but provides a nice intro into
configuring PAM:

In general you there are fours stacks in PAM, each of them controls one
step in the auth process.

I think you'll want to use both pam_unix and pam_sss in all the
stacks -- pam_sss is needed for users coming in from the SSSD to log in
and you'll also want to keep pam_unix around so that local users (at
least root) can log in too.

Here is what my PAM config on Fedora 18 looks like:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    optional      pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass 
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

If Arch Linux ships the same modules as Fedora, the you should be able to
simply copy and use the PAM config we use.. I've put Honza to CC, I know
he runs Arch Linux as well and might have some insights into how PAM is
configured on Arch.

Freeipa-users mailing list

Reply via email to