On Thu, Nov 29, 2012 at 10:26:00AM -0500, Rob Crittenden wrote:
> 小龙 陈 wrote:
> >Hi,
> >
> >I've been working on porting the FreeIPA client to Arch Linux lately and
> >I'm now to the last step of the puzzle. Everything works the way it
> >should, except for PAM, which I don't know how to set up.
> >
> >I must admit that I'm very confused by the PAM configuration (which PAM
> >module does what, the order of the modules, etc). What I'm trying to
> >find out is where the pam_sss.so lines should go. Here's a copy of the
> >/etc/pam.d/ directory in Arch Linux: http://ompldr.org/vZ2hxcw/pam.d.tar.bz2
> >
> >I'd greatly appreciate it if someone could help me out :) Thanks!
> >
>
> I gather that this is due to a lack of authconfig.
>
> Timo Aaltonen has been working on ipa-client (and server!) for
> Ubuntu and he ran into similar problems but I'm not sure what
> solution he came up with.
>
> I'll find someone with more PAM experience to try to give you more
> practical help.
>
> rob
Hi,

the PAM config files on Arch Linux are a little bit different than what
Fedora/RHEL uses. It seems that the per-service config files (such as
/etc/pam.d/su for logging in with su) directly include the PAM modules,
in your case pam_unix.so only. On Fedora/RHEL, the per-service files
usually include a more generic file called something like system-auth.
Either way works, but if you'd like to configure more services in a
similar way, then including a common file might save you some edits.

This document is a little outdated but provides a nice intro into
configuring PAM:
http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html

In general there are four stacks in PAM; each of them controls one step
in the auth process. I think you'll want to use both pam_unix and
pam_sss in all the stacks -- pam_sss is needed for users coming in from
the SSSD to log in, and you'll also want to keep pam_unix around so that
local users (at least root) can log in too.

Here is what my PAM config on Fedora 18 looks like:
--------------------------------------------------------------------
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    optional      pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
--------------------------------------------------------------------

If Arch Linux ships the same modules as Fedora, then you should be able
to simply copy and use the PAM config we use.

I've put Honza on CC; I know he runs Arch Linux as well and might have
some insights into how PAM is configured on Arch.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
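The reply above makes two points worth checking mechanically before copying a stack file onto another distribution: every one of the four stacks (auth, account, password, session) should carry both pam_unix and pam_sss, and pam_sss has to sit where it can actually succeed (before the terminal pam_deny line, and with use_first_pass/try_first_pass in the auth stack so the user is not prompted twice). The following is an added example, not code from the post, from SSSD or from FreeIPA. It parses a pam.d-style file, including bracketed control fields and the '-' (module may be missing) prefix, and reports per stack what is wrong. The Fedora 18 system-auth quoted in the post is embedded as a constructed sample; the second sample is a constructed pam_unix-only file approximating what the post describes for Arch, not an actual Arch file. The function names (parse_pam, check_sss_coverage) are this example's own. include/substack lines are reported rather than followed.

```python
"""Check a pam.d stack file for SSSD coverage (added example, not project code)."""
import re

STACKS = ("auth", "account", "password", "session")

# Constructed sample: the Fedora 18 system-auth quoted in the post above.
FEDORA_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    optional      pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
"""

# Constructed sample approximating the pam_unix-only per-service file the
# post describes for Arch. Not an actual Arch file.
ARCH_STYLE_SU = """\
auth       sufficient   pam_rootok.so
auth       required     pam_unix.so
account    required     pam_unix.so
session    required     pam_unix.so
"""

_LINE_RE = re.compile(
    r"^(-?)(auth|account|password|session)\s+"   # optional '-' prefix, stack name
    r"(\[[^\]]*\]|\S+)\s+"                        # control: [..] form or a keyword
    r"(\S+)\s*(.*)$"                              # module, then its arguments
)


def parse_pam(text):
    """Parse pam.d text into {stack: [entry, ...]} in file order.

    Each entry has 'control', 'module', 'args' and 'missing_ok' (True when
    the line was prefixed with '-', i.e. a missing module is not an error).
    """
    stacks = {s: [] for s in STACKS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        dash, stack, control, module, args = m.groups()
        stacks[stack].append({"control": control, "module": module,
                              "args": args.split(), "missing_ok": dash == "-"})
    return stacks


def check_sss_coverage(stacks):
    """Return {stack: [problem, ...]} for stacks that fail; {} means all good."""
    report = {}
    for stack in STACKS:
        entries = stacks.get(stack, [])
        modules = [e["module"] for e in entries]
        problems = [f"{e['control']} {e['module']}: not followed, check that file too"
                    for e in entries if e["control"] in ("include", "substack")]
        if "pam_unix.so" not in modules:
            problems.append("pam_unix.so missing: local users (root) cannot use this stack")
        if "pam_sss.so" not in modules:
            problems.append("pam_sss.so missing: SSSD/IPA users cannot use this stack")
        else:
            sss_at = modules.index("pam_sss.so")
            # Anything stacked after pam_deny.so can no longer turn the result into success.
            if "pam_deny.so" in modules[:sss_at]:
                problems.append("pam_sss.so is stacked after pam_deny.so and can never succeed")
            # In auth, a module after pam_unix must reuse the already-typed password.
            if (stack == "auth" and "pam_unix.so" in modules[:sss_at]
                    and not {"use_first_pass", "try_first_pass"} & set(entries[sss_at]["args"])):
                problems.append("pam_sss.so after pam_unix.so without use_first_pass/"
                                "try_first_pass: users get a second password prompt")
        if problems:
            report[stack] = problems
    return report


if __name__ == "__main__":
    for name, text in (("fedora system-auth", FEDORA_SYSTEM_AUTH), ("arch-style su", ARCH_STYLE_SU)):
        report = check_sss_coverage(parse_pam(text))
        print(f"{name}: {'OK' if not report else 'problems'}")
        for stack, problems in report.items():
            for p in problems:
                print(f"  {stack}: {p}")
```

Run against the Fedora file it reports nothing; against the pam_unix-only file it reports pam_sss missing in every stack and, for the absent password stack, pam_unix missing as well, which is the situation the original question describes.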