Hi,

On Fri, May 17, 2024 at 9:33 AM Techie <techcha...@gmail.com> wrote:

> Hello again, my offline authentication works, however, if I reboot while
> offline it no longer works and the cached password is removed from the
> cache db. I mean that ldbsearch no longer reveals a cached password for my
> user.
>

Try to `touch /etc/passwd` without a reboot - I guess it will have the same effect.

I can't find the ticket right now, but there was a bug reported that the 'files provider' loses the cached password hash while rebuilding the cache (and it rebuilds the entire cache at every startup and every /etc/passwd&group file event).

This bug won't be fixed. Files provider is deprecated and planned for eventual removal.
'proxy provider' with 'lib = files' is a substitute for your use case.
https://sssd.io/docs/files-provider-deprecation.html doesn't describe your case directly, but hopefully still can help.
If you could try this and then contribute a new section to this doc - it would be great.

>
> I use the passwd file as the ID provider and krb5 as the auth provider.
>
> [pam]
>
> offline_credential_expiration = 0
>
> [domain/EXAMPLE.COM]
> cache_credentials=true
> id_provider=files
> auth_provider=krb5
> krb5_server=srva.example.com
> #krb5_kpasswd=srva.example.com
> krb5_realm=EXAMPLE.COM
> dns_discovery_domain=EXAMPLE.COM
>
> Not sure why the cached entry for my user is removed from
> /var/lib/sss/db/cache_EXAMPLE.COM.ldb
>
> I've been fighting with this for a while so any help would be appreciated.
>
> Thank you
>
>
> On Sun, Sep 17, 2023, 12:01 PM Techie <techcha...@gmail.com> wrote:
>
>> Hi
>>
>> Trying to use cached creds with local users in the passwd file
>> authenticating via kerberos.
>> I have id_provider set to files and auth_provider set to krb5(AD DC).
>> Online authentication works fine however when I disconnect the network
>> authentication fails. The computer is not joined to a domain, I am only
>> leveraging the domain/realm for authentication purposes
>>
>> Relevant entries
>> [pam]
>> offline_credentials_expiration = 7
>>
>> [domain]
>> cache_credentials=true
>> account_cache_expiration=8
>> id_provider=files
>> auth_provider=krb5
>> krb5_server=srva.example.com
>> krb5_kpasswd=srva.example.com
>> krb5_realm=EXAMPLE.COM
>> dns_discovery_domain=EXAMPLE.COM
>> krb5_store_password_if_offline=true
>>
>> Is this a supported configuration for offline logins with cached
>> credentials?
>>
>> Thanks
>>
> --
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
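Added example (not part of the original message and not SSSD project code): a small audit that flags sssd.conf domains combining the files provider with cached credentials, the combination the reply says loses the cached hash on every cache rebuild. The sample config is constructed; the LOCALPROXY domain and the use of `proxy_lib_name` for the reply's 'lib = files' are assumptions and have not been tested against a running SSSD.

```python
import configparser

# Constructed sample: the first domain mirrors the config quoted in the thread,
# the second is the proxy-provider form the reply suggests (assumed, untested).
SAMPLE_CONF = """\
[pam]
offline_credentials_expiration = 0

[domain/EXAMPLE.COM]
cache_credentials=true
id_provider=files
auth_provider=krb5
krb5_server=srva.example.com
#krb5_kpasswd=srva.example.com
krb5_realm=EXAMPLE.COM

[domain/LOCALPROXY]
cache_credentials = true
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_server = srva.example.com
krb5_realm = EXAMPLE.COM
"""

def audit_sssd_conf(text):
    """Map domain name -> findings for domains that use the files provider."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        if not section.lower().startswith("domain/"):
            continue  # only [domain/NAME] sections carry id_provider
        opts = cp[section]
        if opts.get("id_provider", "").strip().lower() != "files":
            continue
        notes = ["id_provider=files is deprecated; the reply suggests "
                 "id_provider=proxy with proxy_lib_name=files"]
        if opts.get("cache_credentials", "false").strip().lower() == "true":
            notes.append("cache_credentials=true: the cached hash is lost whenever the "
                         "cache is rebuilt (startup, /etc/passwd or /etc/group change)")
        findings[section.split("/", 1)[1]] = notes
    return findings

if __name__ == "__main__":
    for domain, notes in audit_sssd_conf(SAMPLE_CONF).items():
        for note in notes:
            print(f"{domain}: {note}")
```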