On Fri, 2013-04-05 at 09:16 -0400, Sutton, Harry (GSSE) wrote:
> On 04/05/2013 05:22 AM, Jakub Hrozek wrote:
> > Hi,
> >
> > are you using pam_krb5 along with SSSD authentication? Is there a reason
> > not to use pam_sss.so ?
> >
> > In general I would not recommend configuring the PAM stack yourself but
> > rather let authconfig do the job. This call would let authconfig
> > generate /etc/nsswitch.conf /etc/pam.d/system-auth and
> > /etc/pam.d/password-auth but would let you keep using the sssd.conf:
> >
> > authconfig --enablesssdauth --enablesssd --update
> > _______________________________________________
> > sssd-users mailing list
> > [email protected]
> > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> I used the authconfig command on my Fedora laptop, but I'm not certain I
> did so on the RHEL workstation.
>
> I have both lines in system-auth and password-auth:
>
> auth sufficient pam_sss.so use_first_pass
> auth sufficient pam_krb5.so use_first_pass
> ...
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> ...
> password sufficient pam_sss.so use_authtok
> password sufficient pam_krb5.so use_authtok
> ...
> session optional pam_sss.so
> session optional pam_krb5.so
>
> On my workstation, I had only the pam_sss.so lines, and GDM logins were
> not working; after adding the pam_krb5.so lines to match my laptop, GDM
> logins worked for the first time.

Remove pam_krb5 lines and find out why pam_sss fails and solve that.

By performing auth via a separate module sssd will not be able to give
you half the features you want, including offline access via cached
credentials, renewal of credentials, and so on.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
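
An added example, not part of the original thread or of SSSD: a small Python check that parses a PAM stack and reports the management groups where pam_krb5.so is stacked beside pam_sss.so, the configuration the reply above says to remove. The sample stack is constructed from the lines quoted in the thread, and the function names are assumptions of this example.

```python
import re

# Constructed sample: the stack quoted in the thread, with the "..." elisions dropped.
SAMPLE_STACK = """\
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_krb5.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
password sufficient pam_sss.so use_authtok
password sufficient pam_krb5.so use_authtok
session optional pam_sss.so
session optional pam_krb5.so
"""

# type, control (a keyword or a [bracketed value=action list]), module, arguments
PAM_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Return (type, control, module, args) for every rule line in a PAM file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        m = PAM_LINE.match(line)
        if m:
            mtype, control, module, args = m.groups()
            module = module.rsplit("/", 1)[-1]   # strip any directory prefix
            rules.append((mtype.lstrip("-"), control, module, args.split()))
    return rules


def krb5_beside_sss(rules):
    """List the management groups in which both pam_sss.so and pam_krb5.so appear."""
    by_type = {}
    for mtype, _control, module, _args in rules:
        by_type.setdefault(mtype, set()).add(module)
    return sorted(t for t, mods in by_type.items()
                  if {"pam_sss.so", "pam_krb5.so"} <= mods)


if __name__ == "__main__":
    for group in krb5_beside_sss(parse_stack(SAMPLE_STACK)):
        print(f"{group}: pam_krb5.so is stacked alongside pam_sss.so")
```

To check a real host, pass the contents of /etc/pam.d/system-auth and /etc/pam.d/password-auth to `parse_stack` in place of the sample.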
