On Fri, Feb 01, 2019 at 02:20:21PM -0700, Orion Poplawski wrote:
> I'm not having any luck using smart card auth on an IPA joined Ubuntu 18.04
> system. It appears that pam is not properly configured, and in particular I
> don't see "allow_missing_name" in use:
>
> /etc/pam.d/common-auth:
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_sss.so use_first_pass
> auth requisite pam_deny.so
> auth required pam_permit.so
> auth optional pam_cap.so
>
> although if I add allow_missing_name to that line, it doesn't seem to help. I
> don't see any SSS_PAM_PREAUTH activity in the sssd_pam.log.
>
> Any pointers?
I'm not the biggest expert in this area of sssd, but looking at the
code, the preauth is sent if:
- there is no password on the stack
- the file /var/lib/sss/pubconf/pam_preauth_available exists
I guess the file would be easy to check; it should be created
unconditionally with the IPA provider.
About the PAM stack, the way I read it, the password would always be
read by the pam_unix.so module and the use_first_pass flag would always
use that password.
On Fedora, the PAM stack is laid out a bit differently; pam_unix only
reads the password if the user is a local one:
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
I guess the easiest way to test if the PAM stack is the culprit would be
to create a new PAM service:
$ cat /etc/pam.d/sss_test
auth required pam_sss.so
and then call:
# sssctl user-checks -a auth -s sss_test $username
HTH
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
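The two checks suggested in the reply (does the preauth marker file exist, and does the auth stack let pam_unix read the password before pam_sss gets it with use_first_pass), plus the sss_test service and the sssctl call, as an added shell script that is not part of the thread or of the sssd project. The PUBCONF_DIR, PAMD_DIR and PAM_AUTH_FILE variables and the function names are this script's own; the stack check is a simple heuristic (an auth line for pam_unix.so followed by an auth line for pam_sss.so carrying use_first_pass) and does not model the pam_localuser skip used on Fedora. With no arguments it only does a dry run against a constructed copy of the Ubuntu stack quoted in the question; with a user name it runs the real checks and needs root and a working sssd.

```shell
#!/bin/sh
# Added example, not from the original thread or from sssd itself.
# Defaults point at the real locations; override them to run against copies.
PUBCONF_DIR="${PUBCONF_DIR:-/var/lib/sss/pubconf}"
PAMD_DIR="${PAMD_DIR:-/etc/pam.d}"
PAM_AUTH_FILE="${PAM_AUTH_FILE:-common-auth}"   # Ubuntu name; Fedora uses system-auth

# 1. The marker file that gates sending SSS_PAM_PREAUTH.
#    Returns 0 if present, 1 if absent. $1 is the pubconf directory.
preauth_marker_present() {
    [ -f "$1/pam_preauth_available" ]
}

# 2. Heuristic check of an auth stack: print "unix-first-pass" (and return 1)
#    when an "auth ... pam_unix.so" line precedes an "auth ... pam_sss.so"
#    line that carries use_first_pass, i.e. pam_unix reads the password and
#    pam_sss reuses it, so pam_sss never asks for its own credentials.
#    Otherwise print "ok" and return 0. $1 is the PAM service file.
auth_stack_verdict() {
    seen_unix=0
    verdict=ok
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            auth*pam_unix.so*) seen_unix=1 ;;
            auth*pam_sss.so*use_first_pass*)
                [ "$seen_unix" -eq 1 ] && verdict=unix-first-pass ;;
        esac
    done < "$1"
    printf '%s\n' "$verdict"
    [ "$verdict" = ok ]
}

# 3. The minimal service from the reply: pam_sss with nothing in front of it.
#    $1 is the pam.d directory.
write_sss_test_service() {
    printf 'auth required pam_sss.so\n' > "$1/sss_test"
}

# 4. Exercise that service through sssd's own checker. $1 is the user name.
run_user_check() {
    sssctl user-checks -a auth -s sss_test "$1"
}

if [ "$#" -ge 1 ]; then
    # Real run against the live system (root, sssd installed).
    if preauth_marker_present "$PUBCONF_DIR"; then
        echo "preauth marker: present"
    else
        echo "preauth marker: MISSING ($PUBCONF_DIR/pam_preauth_available)"
    fi
    auth_stack_verdict "$PAMD_DIR/$PAM_AUTH_FILE" || true
    write_sss_test_service "$PAMD_DIR"
    run_user_check "$1"
else
    # Dry run: a constructed copy of the Ubuntu 18.04 stack from the question.
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
EOF
    auth_stack_verdict "$tmp" || true    # prints unix-first-pass
    rm -f "$tmp"
fi
```

Run it as `sh check_sss_auth.sh username` on the affected host to write /etc/pam.d/sss_test and call sssctl; if the marker file is missing, the stack check is beside the point and the provider configuration is where to look next.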