Thank you both -- cannot believe I failed to see that option :-(. But at least you have cleared up the meaning as it was (IMO) slightly ambiguously phrased.
Phil

--
Phil J Fisher
UNIX Technology Consultant

-----Original Message-----
From: James Ralston <[email protected]>
Sent: 07 July 2022 17:48
To: End-user discussions about the System Security Services Daemon <[email protected]>
Subject: [SSSD-users] Re: Can SSSD be set up to disallow login if provider not available?

On Thu, Jul 7, 2022 at 6:21 AM Alexey Tikhonov <[email protected]> wrote:

> On Thu, Jul 7, 2022 at 12:14 PM Fisher, Philip <[email protected]> wrote:
>
> > In particular, if the provider is offline/not available (in this
> > case an AD server/servers) then login should fail.
>
> Sounds like `cache_credentials = false`? (see `man sssd.conf`)

Moreover, `cache_credentials = false` is the default, so unless this is overridden, attempts to log in will fail if the AD KDCs are not available.

We can confirm that this is the case: we don’t override cache_credentials, and if something breaks network connectivity for a host, we can only log in on the console with an account with a local password (e.g. root); attempting to log in with an account that requires AD/Kerberos authentication fails.
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
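A way to check the setting discussed in this thread across a host's configuration, added here as an example and not posted by any participant or taken from the SSSD project: it reports, for each enabled domain, whether `cache_credentials` is effectively on. The domain names and sample files are constructed, and it assumes the main `sssd.conf` is read first with `conf.d` snippets applied afterwards in sorted order, later values overriding earlier ones.

```python
import configparser

# Constructed sample input: a main sssd.conf and one conf.d snippet.
SAMPLE_MAIN = """\
[sssd]
domains = ad.example.com, lab.example.com
services = nss, pam

[domain/ad.example.com]
id_provider = ad

[domain/lab.example.com]
id_provider = ad
cache_credentials = True

[domain/old.example.com]
id_provider = ldap
cache_credentials = true
"""
SAMPLE_SNIPPET = """\
[domain/ad.example.com]
cache_credentials = false
"""


def offline_login_domains(config_texts):
    """Map each enabled domain to True if cached (offline) login is enabled.

    config_texts: sssd.conf text first, then snippet texts in sorted
    filename order (assumed merge order; later values override earlier).
    """
    cp = configparser.RawConfigParser(strict=False)
    for text in config_texts:
        cp.read_string(text)
    # Only domains listed in [sssd] domains= are active; others are ignored.
    listed = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in listed.split(",") if d.strip()]
    result = {}
    for name in enabled:
        # Unset means false, the default noted in the thread.
        raw = cp.get(f"domain/{name}", "cache_credentials", fallback="false")
        result[name] = raw.strip().lower() == "true"
    return result


if __name__ == "__main__":
    report = offline_login_domains([SAMPLE_MAIN, SAMPLE_SNIPPET])
    for domain, cached in report.items():
        state = "offline login possible" if cached else "fails when provider is offline"
        print(f"{domain}: {state}")
```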
