> Subject: Re: [Freeipa-users] FreeIPA manual PAM setup help
> From: s...@redhat.com
> To: chillermillerl...@hotmail.com
> CC: jhro...@redhat.com; freeipa-users@redhat.com
> Date: Thu, 29 Nov 2012 21:08:02 -0500
>
> On Thu, 2012-11-29 at 20:55 -0500, 小龙 陈 wrote:
> >
> > And PAM is working!
>
> Excellent!
>
> > I've just finished a helper for setting up NSS and PAM for sssd. It
> > basically does the following:
> >
> > 1. Looks for 'passwd', 'shadow', 'group', 'services', 'netgroup', and
> > 'automount'
> > in /etc/nsswitch.conf and adds 'sss' to it.
>
> SSSD does not provide a shadow map so you shouldn't add sss to shadow. It
> will do no harm though, it will just be a noop.

I see. I'll remove that part. I just saw that Fedora's authconfig adds it by default.

> > 2. Looks for pam_unix.so in every file in /etc/pam.d/, changes
> > 'required'
> > to 'sufficient', and adds an 'include' line for 'sss' right below
> > it. /etc/pam.d/sss
> > contains the pam_sss.so lines.
> >
> > So far, I've tested sudo and su, and both are working :)
> >
> > Here's a link to the script:
> > https://github.com/chenxiaolong/ArchLinux-Packages/blob/master/freeipa/sss-auth-setup.py
> >
> > If someone is bored, I'd appreciate it if he/she would take a look at
> > it
> > for glaring issues.
>
> Cool stuff, I do not know Arch Linux default PAM stack configuration so
> I can't tell with certainty that the replace you make is perfect, but I
> do not see anything stunningly bad.

Thanks for taking a look at the script!

I'm having some ssh issues now, unfortunately. Password authentication works fine, but GSSAPI doesn't. The client always fails with "Connection closed by UNKNOWN".

Client: http://paste.kde.org/617216/
Server: http://paste.kde.org/617222/

Interestingly enough, the server logs nothing (with GSSAPI) unless I set it to log debug messages.

Anyways, I'll have to look at this tomorrow. I'm not going to finish my homework :)

Xiao-Long Chen
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
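
The two edits the helper in this thread is described as making, sketched as an added example (this is not the linked sss-auth-setup.py and not code from the thread). It follows the reply above by leaving 'shadow' out, works on file contents passed as strings so it can be tried on copies, and is safe to run twice; the function names and sample inputs are constructed here.

```python
import re

# Maps named in the thread, minus 'shadow' (SSSD provides no shadow map).
NSS_MAPS = ("passwd", "group", "services", "netgroup", "automount")

# Constructed sample inputs, not taken from a real Arch Linux system.
NSS_SAMPLE = "passwd: files\nshadow: files\ngroup: files sss\nhosts: files dns\n"
PAM_SAMPLE = (
    "auth      required  pam_unix.so  try_first_pass nullok\n"
    "# auth    required  pam_unix.so\n"
    "session   required  pam_limits.so\n"
)

def add_sss_to_nsswitch(text):
    """Append 'sss' to each listed map in nsswitch.conf text, once only."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^(\w+):(.*)$", line)  # commented-out maps do not match
        if m and m.group(1) in NSS_MAPS and "sss" not in m.group(2).split():
            line = line.rstrip() + " sss"
        out.append(line)
    return "\n".join(out) + "\n"

def add_sss_to_pam(text, include="sss"):
    """Turn 'required pam_unix.so' into 'sufficient' and add an include below it."""
    lines = text.splitlines()
    out = []
    for i, line in enumerate(lines):
        fields = line.split()
        is_unix = (len(fields) >= 3 and not fields[0].startswith("#")
                   and fields[2].rsplit("/", 1)[-1] == "pam_unix.so")
        if is_unix and fields[1] == "required":
            # The first 'required' on the line is the control field.
            line = re.sub(r"\brequired\b", "sufficient", line, count=1)
        out.append(line)
        if is_unix:
            inc = [fields[0], "include", include]
            nxt = lines[i + 1].split() if i + 1 < len(lines) else []
            if nxt != inc:  # skip when a previous run already added it
                out.append("\t".join(inc))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(add_sss_to_nsswitch(NSS_SAMPLE), end="")
    print(add_sss_to_pam(PAM_SAMPLE), end="")
```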