[Freeipa-users] Re: Problem with smartcard login when otp is enabled

2020-09-15 Thread Radosław Kujawa via FreeIPA-users

Hi.

On 9/15/20 11:54 AM, Sumit Bose via FreeIPA-users wrote:

About adding a warning that krb5-pkinit is missing, that would be
possible. But since there are valid use-cases where the pkinit module is
missing, e.g. the server side does not support pkinit, I think this
message would be only shown in the SSSD logs with a certain debug_level.
Do you think this would help?


It would definitely be better than the current situation. If anyone runs 
into this problem in the future, even a debug message would help.


Best regards, Radoslaw

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Problem with smartcard login when otp is enabled

2020-09-15 Thread Sumit Bose via FreeIPA-users

On Fri, Sep 11, 2020 at 07:30:53PM +0200, Radoslaw Kujawa via FreeIPA-users 
wrote:

On 9/10/20 6:48 PM, Radoslaw Kujawa via FreeIPA-users wrote:


I will coordinate with Jan to check if it is the same problem on his 
Ubuntu.




Indeed, all of these problems boil down to a missing krb5-pkinit package.

I was confused, because even though krb5-pkinit was missing, the Smart 
Card authentication _was_ working (when OTP was disabled). So it 
didn't occur to me that this could be the cause.


Hi,

if OTP is not available and a Smartcard is available SSSD prefers the
Smartcard or password authentication (everything is better than a
password) and switches to local/offline Smartcard authentication. In
this case you won't get a Kerberos TGT but you will be authenticated
based on the inserted Smartcard and your knowledge of the PIN. This is
the same scheme used if the system is offline.

About adding a warning that krb5-pkinit is missing, that would be
possible. But since there are valid use-cases where the pkinit module is
missing, e.g. the server side does not support pkinit, I think this
message would be only shown in the SSSD logs with a certain debug_level.
Do you think this would help?

bye,
Sumit



Best regards,
Radoslaw



[Freeipa-users] Re: Problem with smartcard login when otp is enabled

2020-09-11 Thread Radoslaw Kujawa via FreeIPA-users

On 9/10/20 6:48 PM, Radoslaw Kujawa via FreeIPA-users wrote:


I will coordinate with Jan to check if it is the same problem on his 
Ubuntu.




Indeed, all of these problems boil down to a missing krb5-pkinit package.

I was confused, because even though krb5-pkinit was missing, the Smart 
Card authentication _was_ working (when OTP was disabled). So it didn't 
occur to me that this could be the cause.


Best regards,
Radoslaw


[Freeipa-users] Re: Problem with smartcard login when otp is enabled

2020-09-10 Thread Radoslaw Kujawa via FreeIPA-users

Hi.

On 9/10/20 5:31 PM, Sumit Bose via FreeIPA-users wrote:


just to be on the safe side, have you installed the krb5-pkinit package
on Fedora 32?


Sigh... the krb5-pkinit was somehow absent on Fedora 32. Thank you for 
the help and sorry for the noise.


Although, could SSSD somehow detect this situation? I mean, when Smart 
card credentials are present, but the Kerberos PKINIT library is absent? An 
appropriate error message would save a lot of time spent on debugging 
this ;).


I will coordinate with Jan to check if it is the same problem on his Ubuntu.

Best regards,
Radoslaw


[Freeipa-users] Re: Problem with smartcard login when otp is enabled

2020-09-10 Thread Sumit Bose via FreeIPA-users

On Thu, Sep 10, 2020 at 02:04:52PM +0200, Radosław Kujawa via FreeIPA-users 
wrote:

Hi.

On 9/10/20 12:17 PM, Sumit Bose via FreeIPA-users wrote:

So far SSSD implicitly
assumed that PKINIT comes first and hence did not enforce the order. I
will add some code to make sure PKINIT is preferred over OTP and
password if a Smartcard is present.

Awesome, please let me know when the code is present in SSSD repo. I 
will build it and test.


Hi,

just to be on the safe side, have you installed the krb5-pkinit package
on Fedora 32?

bye,
Sumit




Best regards,

Radoslaw




[Freeipa-users] Re: Problem with smartcard login when otp is enabled

2020-09-10 Thread Radosław Kujawa via FreeIPA-users

Hi.

On 9/10/20 12:17 PM, Sumit Bose via FreeIPA-users wrote:

So far SSSD implicitly
assumed that PKINIT comes first and hence did not enforce the order. I
will add some code to make sure PKINIT is preferred over OTP and
password if a Smartcard is present.

Awesome, please let me know when the code is present in SSSD repo. I 
will build it and test.



Best regards,

Radoslaw



[Freeipa-users] Re: Problem with smartcard login when otp is enabled

2020-09-10 Thread Sumit Bose via FreeIPA-users

On Thu, Sep 10, 2020 at 11:13:51AM +0200, Radoslaw Kujawa via FreeIPA-users 
wrote:



Can you send the version of the krb5-libs package you are using on
CentOS-8 and F32 as well?


F32: krb5-libs-1.18.2-20.fc32.x86_64
CentOS 8: krb5-libs-1.17-18.el8.x86_64

Btw. I have downgraded SSSD to 2.2.3 on F32, but the problem persists. 
In my original email I switched around the SSSD versions used on 
CentOS and Fedora. But now I have the same version on both, so I guess 
my theory about it being a problem with SSSD could have been wrong:


Hi,

the issue is on the SSSD side. I assume the order the pre-authentication
methods are returned by libkrb5 has changed. So far SSSD implicitly
assumed that PKINIT comes first and hence did not enforce the order. I
will add some code to make sure PKINIT is preferred over OTP and
password if a Smartcard is present.

bye,
Sumit



F32: sssd-2.2.3-13.fc32.x86_64
CentOS 8: sssd-2.2.3-20.el8.x86_64

Best regards,
Radoslaw



[Freeipa-users] Re: Problem with smartcard login when otp is enabled

2020-09-10 Thread Radoslaw Kujawa via FreeIPA-users



Can you send the version of the krb5-libs package you are using on
CentOS-8 and F32 as well?


F32: krb5-libs-1.18.2-20.fc32.x86_64
CentOS 8: krb5-libs-1.17-18.el8.x86_64

Btw. I have downgraded SSSD to 2.2.3 on F32, but the problem persists. In 
my original email I switched around the SSSD versions used on CentOS 
and Fedora. But now I have the same version on both, so I guess my 
theory about it being a problem with SSSD could have been wrong:


F32: sssd-2.2.3-13.fc32.x86_64
CentOS 8: sssd-2.2.3-20.el8.x86_64

Best regards,
Radoslaw


[Freeipa-users] Re: Problem with smartcard login when otp is enabled

2020-09-09 Thread Sumit Bose via FreeIPA-users

On Wed, Sep 09, 2020 at 09:55:12PM +0200, Radek Kujawa via FreeIPA-users wrote:

Hi.

I am able to reproduce this problem on Fedora 32 (sssd-2.2.3-20), however I
am not able to reproduce this on CentOS 8 (sssd-2.3.1-2). This suggests the
problem was introduced somewhere between sssd 2.2.3 and 2.3.1.

Config on both systems is the same - machines added to IPA domain, user
account has both cert configured for PKINIT and OTP.

Attempting to log in on CentOS 8 displays prompt for Smart Card PIN,
attempting to log in on Fedora 32 displays prompt for OTP factors.

I've tried to analyze the problem and it seems that sss_krb5_prompter
always tries otp on Fedora, even though p11_child finishes successfully and
returns the correct user certificate.


Hi,

thanks for the logs, it helps me to understand what is going on. Can you
send the version of the krb5-libs package you are using on CentOS-8 and
F32 as well?

bye,
Sumit



On CentOS 8:

(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit.
(...)
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143791: Upgrading to FAST due to presence of PA_FX_FAST in reply
(...)
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143815: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143816: Received cookie: MIT
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_responder] (0x4000): Got question [pkinit].
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=/usr/lib64/pkcs11/opensc-pkcs11.so:slotid=0:token=rkujawa] flags [0].
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [answer_pkinit] (0x4000): Setting pkinit_prompting.
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143817: Preauth module pkinit (147) (info) returned: 0/Success
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_prompter] (0x4000): Prompt [0][rkujawa PIN].
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.

On Fedora 32:

(2020-09-09 21:18:16): [krb5_child[1823]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit.
(...)
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_child_krb5_trace_cb] (0x4000): [1823] 1599679096.050398: Upgrading to FAST due to presence of PA_FX_FAST in reply
(...)
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_child_krb5_trace_cb] (0x4000): [1823] 1599679096.050422: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_child_krb5_trace_cb] (0x4000): [1823] 1599679096.050423: Received cookie: MIT
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_krb5_responder] (0x4000): Got question [otp].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x4000): [0] Vendor [(null)].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x4000): [0] Token-ID [(null)].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x4000): [0] Challenge [(null)].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x4000): [0] Flags [1].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x2000): Exit answer_otp during pre-auth.
(2020-09-09 21:18:16): [krb5_child[1823]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [11] during pre-auth.
(2020-09-09 21:18:16): [krb5_child[1823]] [k5c_send_data] (0x0200): Received error code 0
(2020-09-09 21:18:16): [krb5_child[1823]] [pack_response_packet] (0x2000): response packet size: [15]
(2020-09-09 21:18:16): [krb5_child[1823]] [k5c_send_data] (0x4000): Response sent.
(2020-09-09 21:18:16): [krb5_child[1823]] [main] (0x0400): krb5_child completed successfully

This results in the PIN never being asked for on Fedora.

Unfortunately at this moment I am not able to deliver full logs. Hopefully
Jan will send full logs from his setup ;).

Best regards,
Radoslaw




[Freeipa-users] Re: Problem with smartcard login when otp is enabled

2020-09-09 Thread Radek Kujawa via FreeIPA-users
Hi.

I am able to reproduce this problem on Fedora 32 (sssd-2.2.3-20), however I
am not able to reproduce this on CentOS 8 (sssd-2.3.1-2). This suggests the
problem was introduced somewhere between sssd 2.2.3 and 2.3.1.

Config on both systems is the same - machines added to IPA domain, user
account has both cert configured for PKINIT and OTP.

Attempting to log in on CentOS 8 displays prompt for Smart Card PIN,
attempting to log in on Fedora 32 displays prompt for OTP factors.

I've tried to analyze the problem and it seems that sss_krb5_prompter
always tries otp on Fedora, even though p11_child finishes successfully and
returns the correct user certificate.

On CentOS 8:

(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit.
(...)
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143791: Upgrading to FAST due to presence of PA_FX_FAST in reply
(...)
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143815: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143816: Received cookie: MIT
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_responder] (0x4000): Got question [pkinit].
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=/usr/lib64/pkcs11/opensc-pkcs11.so:slotid=0:token=rkujawa] flags [0].
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [answer_pkinit] (0x4000): Setting pkinit_prompting.
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143817: Preauth module pkinit (147) (info) returned: 0/Success
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_prompter] (0x4000): Prompt [0][rkujawa PIN].
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.

On Fedora 32:

(2020-09-09 21:18:16): [krb5_child[1823]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit.
(...)
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_child_krb5_trace_cb] (0x4000): [1823] 1599679096.050398: Upgrading to FAST due to presence of PA_FX_FAST in reply
(...)
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_child_krb5_trace_cb] (0x4000): [1823] 1599679096.050422: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_child_krb5_trace_cb] (0x4000): [1823] 1599679096.050423: Received cookie: MIT
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_krb5_responder] (0x4000): Got question [otp].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x4000): [0] Vendor [(null)].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x4000): [0] Token-ID [(null)].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x4000): [0] Challenge [(null)].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x4000): [0] Flags [1].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x2000): Exit answer_otp during pre-auth.
(2020-09-09 21:18:16): [krb5_child[1823]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [11] during pre-auth.
(2020-09-09 21:18:16): [krb5_child[1823]] [k5c_send_data] (0x0200): Received error code 0
(2020-09-09 21:18:16): [krb5_child[1823]] [pack_response_packet] (0x2000): response packet size: [15]
(2020-09-09 21:18:16): [krb5_child[1823]] [k5c_send_data] (0x4000): Response sent.
(2020-09-09 21:18:16): [krb5_child[1823]] [main] (0x0400): krb5_child completed successfully

This results in the PIN never being asked for on Fedora.

Unfortunately at this moment I am not able to deliver full logs. Hopefully
Jan will send full logs from his setup ;).

Best regards,
Radoslaw
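Added example for this thread (not SSSD code and not posted by anyone above): a small Python triage script for krb5_child.log records like the two excerpts in this message. It keys on the common "[function] (0xLEVEL): message" tail so both the older "[[sssd[krb5_child[PID]]]]" and the newer "[krb5_child[PID]]" prefixes parse, glues mail-client continuation lines back onto their record, and reports whether Smartcard credentials were found, which preauth types the KDC offered, and which question the libkrb5 responder actually answered. The embedded sample logs are abridged, constructed copies of the CentOS 8 and Fedora 32 excerpts; the verdict for "card found but otp answered" and the checks it points at (krb5-pkinit installed, SSSD preferring PKINIT over OTP) follow Sumit's replies in the thread.

```python
"""Triage helper for SSSD krb5_child.log excerpts (added example, not SSSD code).

Reads krb5_child.log records written at debug_level 9 and reports whether
krb5_child found Smartcard credentials, which pre-authentication types the
KDC offered, and which question the responder callback answered. A run that
found a Smartcard but answered the "otp" question is the thread's symptom:
the PIN prompt never appears and the user is asked for OTP factors instead.
"""
import re

# The record prefix differs between SSSD versions, so key on the common tail:
# "[function] (0xLEVEL): message".
_RECORD_RE = re.compile(r"\[(?P<func>\w+)\] \((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$")
_PREAUTH_RE = re.compile(r"([A-Z][A-Z0-9_-]*) \((\d+)\)")
_QUESTION_RE = re.compile(r"Got question \[(\w+)\]")
_PROMPT_RE = re.compile(r"Prompt \[\d+\]\[([^\]]*)\]")
_RC_RE = re.compile(r"krb5_get_init_creds_password returned \[(\d+)\]")

# Constructed samples: abridged copies of the two excerpts posted in the thread,
# one record per line except one line deliberately wrapped as a mail client would.
CENTOS_LOG = """\
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit.
(...)
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143815: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15),
PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_responder] (0x4000): Got question [pkinit].
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_prompter] (0x4000): Prompt [0][rkujawa PIN].
"""

FEDORA_LOG = """\
(2020-09-09 21:18:16): [krb5_child[1823]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit.
(...)
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_child_krb5_trace_cb] (0x4000): [1823] 1599679096.050422: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_krb5_responder] (0x4000): Got question [otp].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x2000): Exit answer_otp during pre-auth.
(2020-09-09 21:18:16): [krb5_child[1823]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [11] during pre-auth.
"""


def iter_records(text):
    """Yield (func, level, msg) per record. A line that does not start with
    "(" is a mail-client continuation and is glued onto the previous record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("(") or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    for rec in records:
        m = _RECORD_RE.search(rec)
        if m:
            yield m.group("func"), int(m.group("level"), 16), m.group("msg")


def summarize(text):
    """Collect the facts a responder needs from one krb5_child run."""
    summary = {"smartcard_found": False, "preauth_types": [], "question": None,
               "prompts": [], "init_creds_rc": None}
    for func, _level, msg in iter_records(text):
        if func == "get_and_save_tgt" and "Found Smartcard credentials" in msg:
            summary["smartcard_found"] = True
        elif "Processing preauth types:" in msg:
            offered = msg.split("Processing preauth types:", 1)[1]
            summary["preauth_types"] = [(n, int(v)) for n, v in _PREAUTH_RE.findall(offered)]
        elif func == "sss_krb5_responder":
            m = _QUESTION_RE.search(msg)
            if m and summary["question"] is None:   # first question wins
                summary["question"] = m.group(1)
        elif func == "sss_krb5_prompter":
            summary["prompts"].extend(_PROMPT_RE.findall(msg))
        m = _RC_RE.search(msg)
        if m:
            summary["init_creds_rc"] = int(m.group(1))
    return summary


def diagnose(summary):
    """Turn a summary into a short verdict string."""
    if not summary["smartcard_found"]:
        return "no-smartcard"        # krb5_child never saw a certificate: look at p11_child.log first
    if summary["question"] == "pkinit":
        return "pkinit"              # expected path; the PIN prompt follows
    offered = {name for name, _ in summary["preauth_types"]}
    if summary["question"] == "otp" and "PA-PK-AS-REQ" in offered:
        # KDC offered PKINIT and a card was found, yet the OTP question was answered:
        # the thread's symptom. Check that the krb5 pkinit preauth plugin
        # (krb5-pkinit) is installed and that SSSD enforces PKINIT before OTP.
        return "otp-instead-of-pkinit"
    return "unknown"


if __name__ == "__main__":
    for name, log in (("CentOS 8", CENTOS_LOG), ("Fedora 32", FEDORA_LOG)):
        s = summarize(log)
        print(f"{name}: question={s['question']} prompts={s['prompts']} verdict={diagnose(s)}")
```

Run it on a real krb5_child.log by reading the file into summarize(); the "Processing preauth types" list is what the KDC offered, so a PA-PK-AS-REQ entry there together with an "otp" question localises the problem to the client side, which is where the missing krb5-pkinit package and the SSSD ordering fix from this thread both live.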


[Freeipa-users] Re: Problem with smartcard login when otp is enabled

2020-09-09 Thread Sumit Bose via FreeIPA-users

On Wed, Sep 09, 2020 at 01:56:23PM +, Jan Ufnalski via FreeIPA-users wrote:


Configuration: OS: Kubuntu 20.04 LTS, Yubikey 5 with PIV, sssd version: 2.2.3-3, 
testing in a terminal session without a graphical interface to exclude problems from 
the graphical interface.
When OTP is disabled and the Yubikey is inserted, in the login process I get the 
correct prompt for the smartcard PIN.
But when OTP is configured in IPA and the Yubikey is inserted, instead of getting a prompt 
for the smart card PIN I get prompts for the first factor and second factor.
In the /etc/sssd/sssd.conf [pam] section I have enabled pam_cert_auth. I attach 2 
logs from sssd, one with OTP enabled and one with it disabled.
When I configured a second computer the same way a few weeks ago, everything worked 
okay, but now I have to disable OTP to make the smartcard work correctly.



Hi,

please add 'debug_level = 9' to the [domain/...] section of sssd.conf,
restart SSSD and run the tests again. Then please send the domain log and
krb5_child.log.

bye,
Sumit




#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth    [default=1 success=ok]          pam_localuser.so
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
#auth   [success=1 default=ignore]      pam_sss.so use_first_pass
auth    sufficient                      pam_sss.so forward_pass prompt_always
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config





Jan Ufnalski
