On Thu, Mar 02, 2017 at 09:50:41PM +0530, deepak dimri wrote:
> Hi Jakub, Actually that is what I am doing. I am creating the user with
> same UID in IPA and then if I delete the user locally then I can
> authenticate via IPA. Is there any way I can do this without deleting the
> user? This is just to use the same GID and avoid recreation of
> home/directories.

I think you'd need to modify the PAM stack to keep going even if
authentication against pam_unix fails. I /think/ (but haven't tested) that
modifying the lines that deal with pam_unix/pam_sss like this:

    auth [default=2 success=ok] pam_localuser.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth [success=done ignore=ignore default=die] pam_sss.so use_first_pass

could work. The other lines in the PAM auth stack and all the other stacks
should be left intact.

(Please keep a root shell around if you're going to tinker with PAM settings
and preferably try this out on a test box first.)
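
To trace what the three lines in the message above would do before trying them on a test box, here is an added example (not part of the original message, and not FreeIPA or Linux-PAM code): a simplified Python model of how PAM applies the control actions on each line. The trailing `pam_deny.so` line, the function names and the module return values fed in are assumptions made for the illustration.

```python
# Simplified model of how Linux-PAM walks one auth stack and applies the
# control action chosen by each module's return value.
SUFFICIENT = {"success": "done", "new_authtok_reqd": "done", "default": "ignore"}
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore",
            "default": "bad"}

# The three lines from the message, plus a constructed terminator line.
STACK = [
    ("pam_localuser.so", {"default": 2, "success": "ok"}),
    ("pam_unix.so", SUFFICIENT),
    ("pam_sss.so", {"success": "done", "ignore": "ignore", "default": "die"}),
    ("pam_deny.so", REQUIRED),  # assumption: not shown in the message
]

def run_stack(stack, results):
    """Return 'success' or the failure code the stack would yield."""
    status, impression = "success", None  # impression: None, "pos" or "neg"
    i = 0
    while i < len(stack):
        module, actions = stack[i]
        ret = results[module]
        action = actions.get(ret, actions["default"])
        i += 1
        if isinstance(action, int):       # jump: skip the next N lines
            i += action
        elif action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", ret
            if action == "done":          # stop here, keep current status
                break
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", ret
            if action == "die":           # stop here with a failure
                break
        # "ignore": this module's result does not affect the outcome
    if impression != "pos" and status == "success":
        return "auth_err"                 # no module vouched for the user
    return status

def scenario(localuser, unix, sss):
    """Run STACK with constructed module results; pam_deny always fails."""
    return run_stack(STACK, {"pam_localuser.so": localuser, "pam_unix.so": unix,
                             "pam_sss.so": sss, "pam_deny.so": "auth_err"})
```

In this constructed four-line layout an account that `pam_localuser.so` does not find jumps past `pam_sss.so` to the assumed `pam_deny.so`; where a jump lands depends on the lines actually present in the real file.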