On Tue, 2011-06-14 at 09:15 -0400, Norman Elton wrote:
> Stephen / Sumit,
>
> Thanks for your responses...
>
> > This sounds like pam_krb5 is still called somewhere in your pam stack
> > and doing authentication instead of sssd.
>
> It does seem that way, but grep'ing through /etc/pam.d/* reveals no
> instances of krb. I rebooted the box just to make sure nothing was
> hanging around from before.
>
> > Could you send the (sanitized) sssd_default.log of the login?
>
> Attached. I'll also attach my sssd.conf, sshd_config, and
> /etc/pam.d/system-auth (which is identical to password-auth).
>
> In my sshd_config, I've still got GSSAPIAuthentication enabled. Is
> this somehow bypassing sssd? I tried disabling it and leaving UsePAM
> enabled, and couldn't login with my kerb ticket.

Yes, sshd does not call pam_authenticate() (and therefore does not contact SSSD) when using GSSAPIAuthentication (because the user is already authenticated by their TGT). As you can see from your logs, it only called pam_account() for access-control requests. This is expected behavior. SSSD cannot manage automatic ticket renewal on systems logged into by GSSAPI (because we're not involved in the authentication step).
_______________________________________________
sssd-devel mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/sssd-devel
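
To see which logins on a host skipped the authentication step described in the reply above, the sshd "Accepted <method> for <user>" log lines can be classified by method. This is an added example, not part of the original thread; it assumes UsePAM is enabled, uses constructed log lines, and goes beyond the GSSAPI case by also treating publickey and hostbased logins as not calling pam_authenticate().

```python
import re

# OpenSSH success line as written to auth.log / secure.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Assumption: with UsePAM yes, only these methods run the PAM auth stack
# (and so reach SSSD for authentication). Everything else, including
# gssapi-with-mic, only reaches PAM for account and session handling.
PAM_AUTH_METHODS = {"password", "keyboard-interactive/pam"}


def classify_logins(lines):
    """Return one dict per accepted login, flagging whether PAM auth ran."""
    results = []
    for line in lines:
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are ignored
        method = m.group("method")
        results.append({
            "user": m.group("user"),
            "src": m.group("src"),
            "method": method,
            "pam_auth": method in PAM_AUTH_METHODS,
            "gssapi": method.startswith("gssapi-"),
        })
    return results


def users_without_sssd_auth(lines):
    """Users with at least one login where SSSD saw no authentication step."""
    return sorted({r["user"] for r in classify_logins(lines) if not r["pam_auth"]})


# Constructed sample log lines (not taken from the thread's attachments).
SAMPLE_LOG = [
    "Jun 14 09:02:11 host1 sshd[2101]: Accepted gssapi-with-mic for alice from 192.0.2.10 port 50412 ssh2",
    "Jun 14 09:05:40 host1 sshd[2144]: Accepted password for bob from 192.0.2.11 port 50990 ssh2",
    "Jun 14 09:07:02 host1 sshd[2150]: Failed password for carol from 192.0.2.12 port 51001 ssh2",
    "Jun 14 09:09:30 host1 sshd[2188]: Accepted keyboard-interactive/pam for carol from 192.0.2.12 port 51010 ssh2",
    "Jun 14 09:12:55 host1 sshd[2203]: Accepted publickey for dave from 192.0.2.13 port 51200 ssh2",
]

if __name__ == "__main__":
    for r in classify_logins(SAMPLE_LOG):
        note = "PAM auth ran" if r["pam_auth"] else "no pam_authenticate(); SSSD not in auth path"
        print(f'{r["user"]:8} {r["method"]:26} {note}')
```

Users flagged here hold tickets (if any) that SSSD did not obtain, so renewal for those sessions has to be handled outside SSSD.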
