[SSSD-users] Re: sssd with OTP does not work in all cases.

2017-11-02 Thread Asif Iqbal
On Thu, Nov 2, 2017 at 9:14 PM, Mario Rossi wrote:
> There are a couple of things to check, older versions of sssd package sudo
> in a separate rpm and not all versions of sudo integrate with sssd, upgrade
> to the latest sudo package that your distro supports, just in case.

[SSSD-users] Re: sssd with OTP does not work in all cases.

2017-11-02 Thread Mario Rossi
There are a couple of things to check, older versions of sssd package sudo in a separate rpm and not all versions of sudo integrate with sssd, upgrade to the latest sudo package that your distro supports, just in case. If sssd.conf has the proper references to sudo e.g. services = nss, pam,

[SSSD-users] Re: sssd with OTP does not work in all cases.

2017-11-02 Thread Asif Iqbal
On Fri, Oct 27, 2017 at 10:53 AM, Mario Rossi wrote:
> What OS are you using ? I am using Centos 6 with RSA ( fixed password +
> PIN ) + sssd/ldap auth , so yes, that does give you BOTH prompts, one for
> RSA and one for LDAP. If you need to ONLY use RSA w account lookup

[SSSD-users] Re: sssd with OTP does not work in all cases.

2017-10-27 Thread Asif Iqbal
I am using CentOS 7. What are you using for your auth_provider? Here is my config today. Once it is working I will make sure puppet keeps it in line and if it gets overwritten by authconfig. But I need to first make sure it is working, which is not the case today.
$ cat /etc/sssd/sssd.conf ...

[SSSD-users] Re: sssd with OTP does not work in all cases.

2017-10-27 Thread Mario Rossi
What OS are you using? I am using CentOS 6 with RSA (fixed password + PIN) + sssd/ldap auth, so yes, that does give you BOTH prompts, one for RSA and one for LDAP. If you need to ONLY use RSA w account lookup from sssd/ldap, then you have to comment out the auth line related to

[SSSD-users] Re: sssd with OTP does not work in all cases.

2017-10-27 Thread Asif Iqbal
This setup also failed miserably where pam.d/sshd first two lines like below
auth required pam_securid.so
auth include system-auth-ac_new
And using your pam.d/system-auth-ac_new
So it does give you the right prompt 'Enter SMS Token:' when just put PIN at first login prompt.

[SSSD-users] Re: sssd with OTP does not work in all cases.

2017-10-26 Thread Mario Rossi
My 2c, having two 'Password:' prompts ( RSA + sssd ) will confuse your users, the easiest would be to configure sd_pam.conf to use a different prompt for RSA.
$ egrep ^AUTH /etc/sd_pam.conf
AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System