On Fri, Apr 05, 2013 at 09:16:43AM -0400, Sutton, Harry (GSSE) wrote:
> On 04/05/2013 05:22 AM, Jakub Hrozek wrote:
> >Hi,
> >
> >are you using pam_krb5 along with SSSD authentication? Is there a reason
> >not to use pam_sss.so ?
> >
> >In general I would not recommend configuring the PAM stack yourself but
> >rather let authconfig do the job. This call would let authconfig
> >generate /etc/nsswitch.conf /etc/pam.d/system-auth and
> >/etc/pam.d/password-auth but would let you keep using the sssd.conf:
> >
> >authconfig --enablesssdauth --enablesssd --update
> >_______________________________________________
> >sssd-users mailing list
> >[email protected]
> >https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> I used the authconfig command on my Fedora laptop, but I'm not
> certain I did so on the RHEL workstation.
>
> I have both lines in system-auth and password-auth:
>
> auth sufficient pam_sss.so use_first_pass
> auth sufficient pam_krb5.so use_first_pass
> ...
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> ...
> password sufficient pam_sss.so use_authtok
> password sufficient pam_krb5.so use_authtok
> ...
> session optional pam_sss.so
> session optional pam_krb5.so
>
> On my workstation, I had only the pam_sss.so lines, and GDM logins
> were not working; after adding the pam_krb5.so lines to match my
> laptop, GDM logins worked for the first time.

As Simo said on the list, we should really find out why authentication via pam_sss is not working, not use pam_krb5 -- that could produce unpredictable results.

The usual procedure is:
1) check the message from pam_sss in /var/log/secure
2) raise debugging in the [pam] and [domain] sections and check out the logs in /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_$domain.log
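
The two checks this thread turns on, as a script: which PAM facilities stack pam_sss.so and pam_krb5.so together, and which of the [pam] and [domain/...] sections of sssd.conf still set no debug_level. This is an added example, not part of the original thread; the function names, the sample file contents and the debug_level value are constructed for illustration.

```shell
# Added example; all file contents below are constructed samples.

# Print each PAM facility in which both pam_sss.so and pam_krb5.so appear.
pam_dual_modules() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }
        {
            fac = $1; sub(/^-/, "", fac)
            if (!(fac in seen)) { seen[fac] = 1; order[++n] = fac }
            for (i = 3; i <= NF; i++) {
                if ($i ~ /(^|\/)pam_sss\.so$/)  sss[fac] = 1
                if ($i ~ /(^|\/)pam_krb5\.so$/) krb[fac] = 1
            }
        }
        END { for (i = 1; i <= n; i++) { f = order[i]; if (sss[f] && krb[f]) print f } }
    ' "$1"
}

# Print the [pam] and [domain/...] sections of an sssd.conf that set no debug_level.
sssd_sections_without_debug() {
    awk '
        /^[ \t]*\[/ {
            if (want && !has) print sec
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            want = (sec == "pam" || sec ~ /^domain\//); has = 0; next
        }
        /^[ \t]*debug_level[ \t]*=/ { has = 1 }
        END { if (want && !has) print sec }
    ' "$1"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/system-auth" <<'EOF'
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_krb5.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
session     optional      pam_sss.so
session     optional      pam_krb5.so
EOF
cat > "$tmp/sssd.conf" <<'EOF'
[sssd]
services = nss, pam
[pam]
debug_level = 6
[domain/example.com]
id_provider = ldap
EOF
echo "Facilities stacking pam_sss and pam_krb5:"; pam_dual_modules "$tmp/system-auth"
echo "Sections still without debug_level:";       sssd_sections_without_debug "$tmp/sssd.conf"
```

On a real host the arguments would be /etc/pam.d/system-auth, /etc/pam.d/password-auth and /etc/sssd/sssd.conf, read as root.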
