There does not seem to be much documentation on how to make authentication work without any extras. All I need is a simple non-anonymous bind using provided credentials, without any searches. My understanding is that I don't need NSS for this, only PAM with auth_provider set to ldap. However, without id_provider set in sssd.conf, SSSD does not start at all. This has been reported as a bug and supposedly has been fixed before SSSD version 1.16.0, which I'm using. I have tried to set id_provider to none, but I'm getting some indications in the logs that an id provider is needed. Is it possible to do a simple non-anonymous bind without anything extra, not even chpass?
Here's the domain log:

[sssd[be[fqdn_domainname]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=username@fqdn_domainname]
[sssd[be[fqdn_domainname]]] [sss_domain_get_state] (0x1000): Domain fqdn_domainname is Active
[sssd[be[fqdn_domainname]]] [dp_attach_req] (0x0400): DP Request [Initgroups #1]: New request. Flags [0x0001].
[sssd[be[fqdn_domainname]]] [dp_attach_req] (0x0400): Number of active DP request: 1
[sssd[be[fqdn_domainname]]] [sss_domain_get_state] (0x1000): fqdn_domainname is Active
[sssd[be[fqdn_domainname]]] [dp_find_method] (0x0100): Target [id] is not initialized
[sssd[be[fqdn_domainname]]] [_dp_req_recv] (0x0400): DP Request [Initgroups #1]: Receiving request data.
[sssd[be[fqdn_domainname]]] [dp_req_reply_gen_error] (0x0080): DP Request [Initgroups #1]: Finished. Target is not supported with this configuration.
[sssd[be[fqdn_domainname]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::fqdn_domainname:name=username@fqdn_domainname] from reply table

Why would initgroups be called for authentication? Can I or should I disable it, and how? Why is target [id] not initialized? I have disabled the id provider (see below).

Here's the relevant PAM log:

[pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
[pam_print_data] (0x0100): domain: not set
[sssd[pam]] [pam_print_data] (0x0100): user: username
[sssd[pam]] [pam_print_data] (0x0100): service: pgpool
[pam_print_data] (0x0100): logon name: username
[pam_initgr_check_timeout] (0x4000): User [username] not found in PAM cache
[cache_req_set_plugin] (0x2000): CR #1: Setting "Initgroups by name" plugin
[cache_req_send] (0x0400): CR #1: New request 'Initgroups by name'
[cache_req_process_input] (0x0400): CR #1: Parsing input name [username]
[sss_parse_name_for_domains] (0x0200): name 'username' matched without domain, user is username
[cache_req_set_name] (0x0400): CR #1: Setting name [username]
[cache_req_select_domains] (0x0400): CR #1: Performing a multi-domain search
[cache_req_search_domains] (0x0400): CR #1: Search will bypass the cache and check the data provider
[cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain fqdn_domainname type POSIX is valid
[cache_req_set_domain] (0x0400): CR #1: Using domain [fqdn_domainname]
[cache_req_prepare_domain_data] (0x0400): CR #1: Preparing input data for domain [fqdn_domainname] rules
[cache_req_search_send] (0x0400): CR #1: Looking up username@fqdn_domainname
[cache_req_search_ncache] (0x0400): CR #1: [username@fqdn_domainname] is not present in negative cache
[cache_req_search_dp] (0x0400): CR #1: Looking up [fqdn_domainname] in data provider
[sss_dp_issue_request] (0x0400): Issuing request for [0x55a33da304c0:3:username@fqdn_domainname@fqdn_domainname]
[sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [fqdn_domainname][0x3][BE_REQ_INITGROUPS][name=username@fqdn_domainname:-]
[sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x55a33da304c0:3:username@fqdn_domainname@fqdn_domainname]
[sss_dp_get_reply] (0x0100): Data Provider does not support this operation.
[cache_req_common_dp_recv] (0x0040): CR #1: Data Provider Error: 3, 5, Failed to get reply from Data Provider
[cache_req_common_dp_recv] (0x0400): CR #1: Due to an error we will return cached data
[pam_reply] (0x0200): pam_reply called with result [10]: User not known to the underlying authentication module.

Why does the Data Provider not support this operation?

Verification that only the auth provider is enabled:

[sssd[be[fqdn_domainname]]] [dp_load_configuration] (0x0100): Using [none] provider for [id]
[sssd[be[fqdn_domainname]]] [dp_load_configuration] (0x0100): Using [ldap] provider for [auth]
[sssd[be[fqdn_domainname]]] [dp_load_configuration] (0x0100): Using [none] provider for [access]
[sssd[be[fqdn_domainname]]] [dp_load_configuration] (0x0100): Using [none] provider for [chpass]
[sssd[be[fqdn_domainname]]] [dp_load_configuration] (0x0100): Using [none] provider for [sudo]
[sssd[be[fqdn_domainname]]] [dp_load_configuration] (0x0100): Using [none] provider for [autofs]
[sssd[be[fqdn_domainname]]] [dp_load_configuration] (0x0100): Using [none] provider for [selinux]
[sssd[be[fqdn_domainname]]] [dp_load_configuration] (0x0100): Using [none] provider for [hostid]
[sssd[be[fqdn_domainname]]] [dp_load_configuration] (0x0100): Using [none] provider for [subdomains]
[sssd[be[fqdn_domainname]]] [dp_load_configuration] (0x0100): Using [none] provider for [session]

Andre Piwoni

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/XXNKWUZFYU2OKQLLXVYBMHMRXR5YJMCP/
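The initgroups request in the logs is issued by the PAM responder, which resolves the user through the domain's id provider before the auth provider ever runs, so a domain cannot work with auth_provider alone. An added sssd.conf example, not from the original post, of the usual workaround for LDAP-only authentication: identities come from the local files through the proxy id provider and the password is checked by binding to LDAP; the server name, base DN and CA path are assumed placeholders.

```ini
# /etc/sssd/sssd.conf (added example; ldap.example.com, the base DN and the
# CA bundle path are placeholders to replace with your own values)
[sssd]
config_file_version = 2
services = pam
domains = ldapauth

[domain/ldapauth]
# Identity is served from /etc/passwd and /etc/group via the proxy backend,
# so the initgroups lookup from the PAM responder is answered locally and no
# NSS data is pulled from LDAP. The user must therefore exist locally.
id_provider = proxy
proxy_lib_name = files

# Authentication is a simple bind as the user's own DN. SSSD resolves that
# DN with a search under ldap_search_base before binding, so the server must
# allow that lookup (anonymously or via ldap_default_bind_dn).
auth_provider = ldap
chpass_provider = none
access_provider = permit
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com

# Insist on a verified server certificate: the bind sends the user's
# password, so an unverified TLS peer would expose credentials.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
```

With this configuration the domain log should report "Using [proxy] provider for [id]" instead of "[none]", and the BE_REQ_INITGROUPS request is satisfied without touching the directory.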
