On Thu, Nov 2, 2017 at 9:14 PM, Mario Rossi wrote:
There are a couple of things to check: older versions of sssd package
sudo in a separate rpm, and not all versions of sudo integrate with sssd.
Upgrade to the latest sudo package that your distro supports, just in case.
If sssd.conf has the proper references to sudo, e.g.
services = nss, pam,
On Fri, Oct 27, 2017 at 10:53 AM, Mario Rossi wrote:
> What OS are you using? I am using CentOS 6 with RSA (fixed password +
> PIN) + sssd/ldap auth, so yes, that does give you BOTH prompts, one for
> RSA and one for LDAP. If you need to ONLY use RSA w/ account lookup
I am using CentOS 7.
What are you using as your auth_provider?
Here is my config today. Once it is working I will make sure Puppet keeps
it in line if it gets overwritten by authconfig. But I need to first make
sure it is working, which is not the case today.
$ cat /etc/sssd/sssd.conf
...
What OS are you using? I am using CentOS 6 with RSA (fixed password +
PIN) + sssd/ldap auth, so yes, that does give you BOTH prompts, one
for RSA and one for LDAP. If you need to ONLY use RSA w/ account lookup
from sssd/ldap, then you have to comment out the auth line related to
This setup also failed miserably where the first two lines of pam.d/sshd are like below:
auth required pam_securid.so
auth include system-auth-ac_new
And using your pam.d/system-auth-ac_new
So it does give you the right prompt 'Enter SMS Token:' when just putting the PIN
at the first login prompt.
My 2c: having two 'Password:' prompts (RSA + sssd) will confuse your
users; the easiest would be to configure sd_pam.conf to use a different
prompt for RSA.
$ egrep ^AUTH /etc/sd_pam.conf
AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System