> Date: Thu, 29 Nov 2012 16:56:08 +0100
> From: jhro...@redhat.com
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA manual PAM setup help
> 
> On Thu, Nov 29, 2012 at 10:26:00AM -0500, Rob Crittenden wrote:
> > 小龙 陈 wrote:
> > >Hi,
> > >
> > >I've been working on porting the FreeIPA client to Arch Linux lately and
> > >I'm now to the last step of the puzzle. Everything works the way it
> > >should, except for PAM, which I don't know how to setup.
> > >
> > >I must admit that I'm very confused by the PAM configuration (which PAM
> > >module does what, the order of the modules, etc). What I'm trying to
> > >find out is where the pam_sss.so lines should go. Here's a copy of the
> > >/etc/pam.d/ directory in Arch Linux: 
> > >http://ompldr.org/vZ2hxcw/pam.d.tar.bz2
> > >
> > >I'd greatly appreciate it if someone could help me out :) Thanks!
> > >
> > 
> > I gather that this is due to a lack of authconfig.
> > 
> > Timo Aaltonen has been working on ipa-client (and server!) for
> > Ubuntu and he ran into similar problems but I'm not sure what
> > solution he came up with.
> > 
> > I'll find someone with more PAM experience to try to give you more
> > practical help.
> > 
> > rob
> 
> Hi,
> 
> the PAM config files on Arch Linux are a little bit different than what
> Fedora/RHEL uses. It seems that the per-service config files (such as
> /etc/pam.d/su for logging in with su) directly include the PAM modules,
> in your case pam_unix.so only. On Fedora/RHEL, the per-service files
> usually include a more generic file called something like system-auth.
> 
> Either way works, but if you'd like to configure more services in a
> similar way, then including a common file might save you some edits.
> 
> This document is a little outdated but provides a nice intro into
> configuring PAM:
> http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html
> 
> In general there are four stacks in PAM, each of which controls one
> step in the auth process.
> 
> I think you'll want to use both pam_unix and pam_sss in all the
> stacks -- pam_sss is needed for users coming in from the SSSD to log in
> and you'll also want to keep pam_unix around so that local users (at
> least root) can log in too.
> 
> Here is what my PAM config on Fedora 18 looks like:
> --------------------------------------------------------------------
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> 
> password    optional      pam_pwquality.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     optional      pam_oddjob_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
> --------------------------------------------------------------------
> 
> If Arch Linux ships the same modules as Fedora, then you should be able to
> simply copy and use the PAM config we use. I've put Honza on CC, I know
> he runs Arch Linux as well and might have some insights into how PAM is
> configured on Arch.
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Hi,

Thanks a lot for your reply! I'll be sure to read up on the link.

The per-service config files are a bit annoying in Arch. I'm not sure if it's
possible, but maybe I can create a /etc/pam.d/sssd that can be included in
the other files? I'm guessing that the order of the PAM modules matters, so
I'm not sure that that would work.

I'll try adding pam_sss to each file, based on Fedora's system-auth, and see
how that goes.

Best Regards,
Xiao-Long Chen
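The stack walk Jakub describes above (four stacks, `required`/`requisite`/`sufficient` control flags, pam_unix kept next to pam_sss so local users still work) and the question of reusing one common file from Arch's per-service files can both be seen by simulating libpam's dispatch loop over the quoted Fedora 18 system-auth. The following is an added example, not code from this thread, from FreeIPA or from SSSD. It parses the quoted auth and account stacks, resolves a `type include file` line the way Fedora's per-service files do, and walks the stack with the control-flag rules from pam.conf(5). The modules themselves are not executed: every scenario is a constructed table stating which return code each module is assumed to give (pam_unix failing for an IPA user with no local shadow entry, pam_sss reporting an expired account, and so on), and the `su` file that includes system-auth is also constructed for the example.

```python
"""Model of how Linux-PAM walks a module stack. Added example for the thread
above, not code from the post, FreeIPA or SSSD. Control flags follow pam.conf(5)
and libpam's dispatch loop. Modules are not really run: each scenario states the
return code every module is assumed to give, so what is exercised is ordering,
control flags and 'include'. The 'su' file is constructed for the example."""
import re

SUCCESS, AUTH_ERR, PERM_DENIED = "success", "auth_err", "perm_denied"  # PAM codes
ACCT_EXPIRED, IGNORE = "acct_expired", "ignore"
# The simple keywords are shorthand for these action tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# type control module [args]; a leading '-' only silences "module not found".
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(?:\s+(.*))?$")

def parse_stack(files, name, stack_type):
    """[(module, action_table, args)] for one stack type of files[name].
    'type include other' splices that type's lines from files[other] in place,
    which is how Fedora's per-service files reuse system-auth."""
    entries = []
    for raw in files[name].splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) != stack_type:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4) or ""
        if control == "include":
            entries.extend(parse_stack(files, module, stack_type))
        elif control.startswith("["):
            entries.append((module, dict(t.split("=", 1) for t in control[1:-1].split()), args))
        else:
            entries.append((module, KEYWORDS[control], args))
    return entries

def run_stack(entries, results):
    """Walk a parsed stack like libpam (ok/done/bad/die/ignore; jumps are not
    modelled). `results` maps module -> assumed return code. Returns
    (final_code, list of modules that were actually called)."""
    impression, status = None, PERM_DENIED  # undecided; libpam starts from PAM_MUST_FAIL_CODE
    consulted = []
    for module, actions, _args in entries:
        consulted.append(module)
        retval = results[module]
        action = actions.get(retval, actions.get("default", "bad"))
        if action in ("ok", "done"):
            # a positive impression is only (re)set while nothing has failed yet
            if impression is None or (impression and status == SUCCESS):
                if retval != IGNORE or impression is None:
                    impression, status = True, retval
            if action == "done" and impression:
                break  # sufficient: stop here, unless a required module failed earlier
        elif action in ("bad", "die"):
            if impression is not False:  # the first failure decides the status
                impression, status = False, (PERM_DENIED if retval == IGNORE else retval)
            if action == "die":
                break  # requisite: return to the application at once
        # "ignore": the result does not influence the stack
    return (PERM_DENIED if status == IGNORE else status), consulted

FILES = {  # Fedora 18 system-auth as quoted above, plus a constructed Arch-style su
    "system-auth": """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
""",
    "su": "auth sufficient pam_rootok.so\nauth include system-auth\naccount include system-auth\n",
}

def run(service, stack_type, results):
    return run_stack(parse_stack(FILES, service, stack_type), results)

# Constructed scenarios: the code each module is assumed to return. pam_env's auth
# call returns PAM_IGNORE; pam_rootok fails because the caller of su is not root.
BASE = {"pam_env.so": IGNORE, "pam_rootok.so": PERM_DENIED, "pam_deny.so": AUTH_ERR,
        "pam_permit.so": SUCCESS, "pam_localuser.so": PERM_DENIED}
ROOT_AUTH = dict(BASE, **{"pam_unix.so": SUCCESS,      # root with the right password
                          "pam_succeed_if.so": AUTH_ERR, "pam_sss.so": AUTH_ERR})
IPA_AUTH = dict(BASE, **{"pam_unix.so": AUTH_ERR,      # IPA user, uid 1234, no local shadow entry
                         "pam_succeed_if.so": SUCCESS, "pam_sss.so": SUCCESS})
IPA_BAD_PW = dict(IPA_AUTH, **{"pam_sss.so": AUTH_ERR})
SYS_ACCT = dict(BASE, **{"pam_unix.so": AUTH_ERR,      # local uid 500 with a locked password
                         "pam_succeed_if.so": AUTH_ERR, "pam_sss.so": AUTH_ERR})
IPA_EXPIRED = dict(BASE, **{"pam_unix.so": SUCCESS,    # account stack: broken_shadow tolerates the
                            "pam_succeed_if.so": AUTH_ERR, "pam_sss.so": ACCT_EXPIRED})  # missing shadow entry
if __name__ == "__main__":
    for name, kind, res in [("root", "auth", ROOT_AUTH), ("ipa", "auth", IPA_AUTH), ("ipa bad pw", "auth", IPA_BAD_PW),
                            ("uid 500", "auth", SYS_ACCT), ("ipa expired", "account", IPA_EXPIRED)]:
        print(f"su {kind} {name}: {run('su', kind, res)}")
```

Running it shows what the ordering buys: root authenticates at the `sufficient pam_unix.so` line and SSSD is never asked; an IPA user falls through pam_unix, passes the `requisite` uid check and is accepted by pam_sss; a local system account with uid below 1000 is rejected at the `requisite pam_succeed_if.so` line before pam_sss is consulted; and in the account stack an expired IPA account stays rejected even though `required pam_permit.so` runs last, because a `bad` result is never overridden by a later `ok`. The `su` file shows that an `include` line keeps the service's own entries (pam_rootok first) and splices the shared stack in after them, which is the "common file" approach Jakub suggests for Arch's per-service files.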