On Tue, 2011-06-14 at 09:29 -0400, Stephen Gallagher wrote:
> On Tue, 2011-06-14 at 09:15 -0400, Norman Elton wrote:
> > Stephen / Sumit,
> > 
> > Thanks for your responses...
> > 
> > > This sounds like pam_krb5 is still called somewhere in your pam stack
> > > and doing authentication instead of sssd.
> > 
> > It does seem that way, but grep'ing through /etc/pam.d/* reveals no
> > instances of krb. I rebooted the box just to make sure nothing was
> > hanging around from before.
> > 
> > > Could you send the (sanitized) sssd_default.log of the login?
> > 
> > Attached. I'll also attach my sssd.conf, sshd_config, and
> > /etc/pam.d/system-auth (which is identical to password-auth).
> > 
> > In my sshd_config, I've still got GSSAPIAuthentication enabled. Is
> > this somehow bypassing sssd? I tried disabling it and leaving UsePAM
> > enabled, and couldn't log in with my kerb ticket.
> 
> Yes, sshd does not call pam_authenticate() (and therefore does not
> contact SSSD) when using GSSAPIAuthentication (because the user is
> already authenticated by their TGT). As you can see from your logs, it
> only called pam_account() for access-control requests.
> 
> This is expected behavior. SSSD cannot manage automatic ticket renewal
> on systems logged into by GSSAPI (because we're not involved in the
> authentication step)

We could still do something about it by reading the env variable and
sending it to sssd when the pam_account step is done.

Norman, if you think this is a feature you need, you can open an RFE
request on the sssd trac and we will see if it can be implemented in one
of the future versions of sssd.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
sssd-devel mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/sssd-devel
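The point Stephen makes above (sshd skips pam_authenticate() for a GSSAPI login and only drives the later PAM phases, so pam_sss never sees the authentication step and SSSD cannot take over ticket renewal) is easy to check against a host's own configuration. The script below is an added example, not code from this thread, from SSSD or from OpenSSH: it parses a pam.d stack and an sshd_config (both constructed inline here, since Norman's attachments are not on the page) and reports, per enabled authentication method, in which PAM phases pam_sss.so actually runs. The phase mapping for GSSAPI follows the thread; treating publickey logins the same way and listing the session phase for all methods is my assumption based on how sshd drives PAM with UsePAM yes, and the OpenSSH defaults used when an option is absent (UsePAM no, GSSAPIAuthentication no, PasswordAuthentication yes, PubkeyAuthentication yes) are the documented sshd_config defaults.

```python
"""Report which PAM phases pam_sss.so sees for each sshd authentication method.

Added example for the sssd-devel thread on GSSAPI logins bypassing SSSD.
Not SSSD or OpenSSH code; sample configs below are constructed, not the
attachments from the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed /etc/pam.d/system-auth in the Fedora/RHEL layout of the period.
SYSTEM_AUTH = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
"""

# Constructed sshd_config fragment matching the situation in the thread.
SSHD_CONFIG = """
GSSAPIAuthentication yes
PasswordAuthentication yes
UsePAM yes
"""

# PAM phases sshd drives per authentication method when UsePAM is yes.
# GSSAPI skipping the auth phase is what the thread states; the rest is an
# assumption about standard sshd behaviour (acct_mgmt, then session/setcred).
PHASES_BY_METHOD = {
    "password":  ("auth", "account", "session"),
    "gssapi":    ("account", "session"),
    "publickey": ("account", "session"),
}


@dataclass
class PamRule:
    phase: str      # auth | account | password | session
    control: str    # required, sufficient, [value=action ...], include, ...
    module: str
    args: List[str]


# type control module [args]; type may carry a leading '-', control may be
# a bracketed [..] action list. 'include'/'substack' lines are parsed but not
# followed, so feed the script the fully expanded stack.
_RULE_RE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text: str) -> List[PamRule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line!r}")
        phase, control, module, args = m.groups()
        rules.append(PamRule(phase, control, module, args.split()))
    return rules


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Keyword/value pairs, lower-cased; sshd keywords are case-insensitive."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip().lower() if len(parts) > 1 else ""
    return opts


def enabled_methods(opts: Dict[str, str]) -> List[str]:
    methods = []
    if opts.get("passwordauthentication", "yes") == "yes":
        methods.append("password")
    if opts.get("gssapiauthentication", "no") == "yes":
        methods.append("gssapi")
    if opts.get("pubkeyauthentication", "yes") == "yes":
        methods.append("publickey")
    return methods


def sssd_touchpoints(rules: List[PamRule], opts: Dict[str, str]) -> Dict[str, dict]:
    """Per method: PAM phases in which pam_sss.so runs, and whether SSSD
    is the one doing authentication (i.e. the auth phase reaches it)."""
    report = {}
    use_pam = opts.get("usepam", "no") == "yes"   # without UsePAM, no PAM at all
    for method in enabled_methods(opts):
        phases = PHASES_BY_METHOD[method] if use_pam else ()
        seen = [r.phase for r in rules if r.module == "pam_sss.so" and r.phase in phases]
        report[method] = {"pam_sss_phases": seen, "sssd_authenticates": "auth" in seen}
    return report


if __name__ == "__main__":
    for method, info in sssd_touchpoints(parse_pam(SYSTEM_AUTH), parse_sshd_config(SSHD_CONFIG)).items():
        print(f"{method:10s} pam_sss runs in: {info['pam_sss_phases'] or 'nothing'}; "
              f"SSSD authenticates: {info['sssd_authenticates']}")
```

Running it on the constructed inputs shows pam_sss.so reached in all three phases for a password login but only in account and session for a GSSAPI login, which is exactly the log pattern Stephen describes; flipping UsePAM to no empties every list, since sshd then never enters the stack at all.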
