This is very encouraging, thank you so much. I will try this and report back.
Thank you

On Fri, May 17, 2024, 1:10 AM Alexey Tikhonov <atikh...@redhat.com> wrote:

> Hi,
>
> On Fri, May 17, 2024 at 9:33 AM Techie <techcha...@gmail.com> wrote:
>
>> Hello again, my offline authentication works, however, if I reboot while
>> offline it no longer works and the cached password is removed from the
>> cache db. I mean that ldbsearch no longer reveals a cached password for my
>> user.
>>
>
> Try to `touch /etc/passwd` without reboot - I guess it will have the same
> effect.
>
> I can't find ticket right now, but there was a bug reported that 'files
> provider' loses cached password hash while rebuilding cache (and it
> rebuilds entire cache at every startup and every /etc/passwd&group file
> event)
>
> This bug won't be fixed. Files provider is deprecated and planned for
> eventual removal.
>
> 'proxy provider' with 'lib = files' is a substitute for your use case.
>
> https://sssd.io/docs/files-provider-deprecation.html doesn't describe
> your case directly, but hopefully still can help.
>
> If you could try this and then contribute a new section to this doc - it
> would be great.
>
>>
>> I use the passwd file as the ID provider and krb5 as the auth provider.
>>
>> [pam]
>>
>> offline_credential_expiration = 0
>>
>> [domain/EXAMPLE.COM]
>> cache_credentials=true
>> id_provider=files
>> auth_provider=krb5
>> krb5_server=srva.example.com
>> #krb5_kpasswd=srva.example.com
>> krb5_realm=EXAMPLE.COM
>> dns_discovery_domain=EXAMPLE.COM
>>
>> Not sure why the cached entry for my user is removed from
>> /var/lib/sss/db/cache_EXAMPLE.COM.ldb
>>
>> I've been fighting with this for a while so any help would be appreciated.
>>
>> Thank you
>>
>>
>> On Sun, Sep 17, 2023, 12:01 PM Techie <techcha...@gmail.com> wrote:
>>
>>> Hi
>>>
>>> Trying to use cached creds with local users in the passwd file
>>> authenticating via kerberos.
>>> I have id_provider set to files and auth_provider set to krb5 (AD DC).
>>> Online authentication works fine however when I disconnect the network
>>> authentication fails. The computer is not joined to a domain, I am only
>>> leveraging the domain/realm for authentication purposes
>>>
>>> Relevant entries
>>> [pam]
>>> offline_credentials_expiration = 7
>>>
>>> [domain]
>>> cache_credentials=true
>>> account_cache_expiration=8
>>> id_provider=files
>>> auth_provider=krb5
>>> krb5_server=srva.example.com
>>> krb5_kpasswd=srva.example.com
>>> krb5_realm=EXAMPLE.COM
>>> dns_discovery_domain=EXAMPLE.COM
>>> krb5_store_password_if_offline=true
>>>
>>> Is this a supported configuration for offline logins with cached
>>> credentials?
>>>
>>> Thanks
>>>
>> --
>> _______________________________________________
>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
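Added example, not part of the original thread and not SSSD project code: a small audit of an sssd.conf that finds domains combining id_provider=files with cache_credentials=true (the combination reported above to lose the cached password hash on cache rebuild) and rewrites them to the proxy provider with the files library, as the reply suggests. The function names and the sample configuration are constructed for illustration; the sample is modelled on the settings quoted in the thread.

```python
import configparser
import io

# Constructed sample modelled on the configuration quoted in the thread.
SAMPLE = """\
[pam]
offline_credentials_expiration = 0

[domain/EXAMPLE.COM]
cache_credentials=true
id_provider=files
auth_provider=krb5
krb5_server=srva.example.com
krb5_realm=EXAMPLE.COM
dns_discovery_domain=EXAMPLE.COM
"""

def load(text):
    # interpolation=None so a literal '%' in a value is not treated specially
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def is_domain(section):
    return section == "domain" or section.startswith("domain/")

def audit(text):
    """Names of domain sections that cache credentials on id_provider=files."""
    cp = load(text)
    return [s for s in cp.sections() if is_domain(s)
            and cp[s].get("id_provider", "").strip().lower() == "files"
            and cp[s].get("cache_credentials", "false").strip().lower() == "true"]

def migrate(text):
    """Switch flagged domains to the proxy provider backed by libnss_files."""
    cp = load(text)
    for s in audit(text):
        cp[s]["id_provider"] = "proxy"
        cp[s]["proxy_lib_name"] = "files"
    out = io.StringIO()
    cp.write(out)  # note: configparser drops comments and normalises spacing
    return out.getvalue()

if __name__ == "__main__":
    print("affected:", audit(SAMPLE))
    print(migrate(SAMPLE))
```

The auth_provider and krb5_* settings are left untouched, so only the identity lookup path changes.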