On Thu, Mar 02, 2017 at 09:50:41PM +0530, deepak dimri wrote:
> Hi Jakub, Actually that is what I am doing. I am creating the user with
> same UID in IPA and then if I delete the user locally then I can
> authenticate via IPA. Is there any way I can do this without deleting the
> user? This is just to use the same GID and avoid recreation of
> home/directories.

I think you'd need to modify the PAM stack to keep going even if
authentication against pam_unix fails. I /think/ (but haven't tested)
that modifying the lines that deal with pam_unix/pam_sss like this:

    auth     [default=2 success=ok] pam_localuser.so
    auth     sufficient pam_unix.so nullok try_first_pass
    auth     [success=done ignore=ignore default=die] pam_sss.so use_first_pass

could work. The other lines in the PAM auth stack and all the other
stacks should be left intact.

(Please keep a root shell around if you're going to tinker with PAM
settings and preferably try this out on a test box first.)
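
The following is an added example, not part of the original message and not FreeIPA or SSSD code: a simplified Python model of how Linux-PAM applies the control values in the three lines above, so the path each kind of user takes can be traced before editing a live PAM file. Assumptions: module results are constructed inputs named `success`, `auth_err` and `perm_denied`, a jump is modelled as contributing nothing to the result, and only these three lines are evaluated.

```python
import re

# Keyword controls in bracket form, as documented in pam.conf(5).
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

# The three auth lines from the message above.
STACK = """
auth     [default=2 success=ok] pam_localuser.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     [success=done ignore=ignore default=die] pam_sss.so use_first_pass
"""

def parse(stack):
    """Return [(module, {module_result: action})] for each auth line."""
    rules = []
    for m in re.finditer(r"^\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", stack, re.M):
        control, module = m.groups()
        spec = control[1:-1] if control.startswith("[") else KEYWORDS[control]
        rules.append((module, dict(kv.split("=") for kv in spec.split())))
    return rules

def evaluate(stack, results):
    """results: constructed module -> result name ('success', 'ignore', or an error).
    Returns (authenticated, modules_consulted)."""
    rules, granted, denied, seen, i = parse(stack), False, False, [], 0
    while i < len(rules):
        module, actions = rules[i]
        action = actions.get(results[module], actions["default"])
        seen.append(module)
        i += 1
        if action.isdigit():
            i += int(action)            # jump: skip the next N modules
        elif action in ("ok", "done"):
            granted = granted or not denied
            if action == "done" and not denied:
                break                   # stop the stack here
        elif action in ("bad", "die"):
            denied = True
            if action == "die":
                break
        # "ignore": the module's result does not count
    return granted and not denied, seen

if __name__ == "__main__":
    print(evaluate(STACK, {"pam_localuser.so": "success",
                           "pam_unix.so": "auth_err", "pam_sss.so": "success"}))
```

In this model a user that pam_localuser does not find in /etc/passwd jumps past both pam_unix and pam_sss, so the outcome for that user depends on the lines that follow in the real stack, which the message does not show.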
