URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication
pbrezina commented: """ Thank you. Here's a diff: ```diff diff --git a/src/man/pam_sss_gss.8.xml b/src/man/pam_sss_gss.8.xml index d4bb705e3..ce5b11bff 100644 --- a/src/man/pam_sss_gss.8.xml +++ b/src/man/pam_sss_gss.8.xml @@ -46,6 +46,7 @@ already present in the Kerberos credentials cache or if user's ticket granting ticket can be used to get the correct service ticket then the user will be authenticated. + </para> <para> If <option>pam_gssapi_check_upn</option> is True (default) then SSSD requires that the credentials used to obtain the service tickets can @@ -183,9 +184,18 @@ auth sufficient pam_sss_gss.so <option>[domain_realm]</option> in /etc/krb5.conf like so: </para> <para> - 2. Authentication does not work and syslog contains "Can't find - client principal $NAME in cache collection": Try to kinit with the - required principal name. + 3. Authentication does not work and syslog contains "No Kerberos + credentials available": You don't have any credentials that can be + used to obtain the required service ticket. Use kinit or autheticate + over SSSD to acquire those credentials. + </para> + <para> + 4. Authentication does not work and SSSD sssd-pam log contains "User + with UPN [$UPN] was not found." or "UPN [$UPN] does not match target + user [$username].": You are using credentials that can not be mapped + to the user that is being authenticated. Try to use kswitch to + select different principal, make sure you authenticated with SSSD or + consider disabling <option>pam_gssapi_check_upn</option>. </para> <programlisting> [domain_realm] diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 69cd4c3a1..d637e2eaa 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml 
@@ -1712,8 +1712,11 @@ p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2 <para> Comma separated list of PAM services that are allowed to try GSSAPI authentication using - pam_sss_gss.so module. This option can be also set - in domain section. + pam_sss_gss.so module. + </para> + <para> + To disable GSSAPI authentication, set this option + to <quote>-</quote> (dash). </para> <para> Note: This option can also be set per-domain which ``` """ See the full comment at https://github.com/SSSD/sssd/pull/5367#issuecomment-743188615
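Review bot: the added `</para>` in the first pam_sss_gss.8.xml hunk (after "then the user will be authenticated.") fixes a paragraph that was never closed before the following `<para>`, which is unrelated to the new troubleshooting text; it deserves a mention in the commit message so the manpage markup fix is traceable on its own.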
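Review bot: in the second pam_sss_gss.8.xml hunk the troubleshooting list now jumps from the `[domain_realm]` item straight to "3." and "4." while the old "2." ("Can't find client principal $NAME in cache collection") is removed, so either item 2 lives outside the visible context or the numbering needs renumbering. The new paragraphs are also inserted between "in /etc/krb5.conf like so:" and the `<programlisting>` for `[domain_realm]` that sentence introduces, so the example no longer follows its lead-in; moving the listing up before the new items would keep item 1 readable. Wording nits in the added text: "autheticate" should be "authenticate", "can not be mapped" should be "cannot be mapped", and "select different principal" should be "select a different principal".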
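Review bot: the sssd.conf.5.xml hunk documents `<quote>-</quote>` as the value that disables GSSAPI authentication but does not say how an empty list is treated or why an explicit dash sentinel is needed; adding one sentence on that (for example, that an empty value keeps the default set of services rather than disabling the feature, if that is the behaviour) prevents admins from assuming a blank value is equivalent. Dropping "This option can be also set in domain section." is fine since the following "Note: This option can also be set per-domain" paragraph already covers it.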
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org