Hello, this did the trick, thank you. I am grateful for your help and so if desired I can contribute to the doc. Please let me know how to proceed.
Thank you again

On Fri, May 17, 2024, 11:40 AM Techie <techcha...@gmail.com> wrote:

> This is very encouraging, thank you so much. I will try this and report
> back.
>
> Thank you
>
> On Fri, May 17, 2024, 1:10 AM Alexey Tikhonov <atikh...@redhat.com> wrote:
>
>> Hi,
>>
>> On Fri, May 17, 2024 at 9:33 AM Techie <techcha...@gmail.com> wrote:
>>
>>> Hello again, my offline authentication works, however, if I reboot while
>>> offline it no longer works and the cached password is removed from the
>>> cache db. I mean that ldbsearch no longer reveals a cached password for my
>>> user.
>>>
>>
>> Try to `touch /etc/passwd` without reboot - I guess it will have the same
>> effect.
>>
>> I can't find ticket right now, but there was a bug reported that 'files
>> provider' loses cached password hash while rebuilding cache (and it
>> rebuilds entire cache at every startup and every /etc/passwd&group file
>> event)
>>
>> This bug won't be fixed. Files provider is deprecated and planned for
>> eventual removal.
>>
>> 'proxy provider' with 'lib = files' is a substitute for your use case.
>>
>> https://sssd.io/docs/files-provider-deprecation.html doesn't describe
>> your case directly, but hopefully still can help.
>>
>> If you could try this and then contribute a new section to this doc - it
>> would be great.
>>
>>>
>>> I use the passwd file as the ID provider and krb5 as the auth provider.
>>>
>>> [pam]
>>>
>>> offline_credential_expiration = 0
>>>
>>> [domain/EXAMPLE.COM]
>>> cache_credentials=true
>>> id_provider=files
>>> auth_provider=krb5
>>> krb5_server=srva.example.com
>>> #krb5_kpasswd=srva.example.com
>>> krb5_realm=EXAMPLE.COM
>>> dns_discovery_domain=EXAMPLE.COM
>>>
>>> Not sure why the cached entry for my user is removed from
>>> /var/lib/sss/db/cache_EXAMPLE.COM.ldb
>>>
>>> I've been fighting with this for a while so any help would be
>>> appreciated.
>>>
>>> Thank you
>>>
>>>
>>> On Sun, Sep 17, 2023, 12:01 PM Techie <techcha...@gmail.com> wrote:
>>>
>>>> Hi
>>>>
>>>> Trying to use cached creds with local users in the passwd file
>>>> authenticating via kerberos.
>>>> I have id_provider set to files and auth_provider set to krb5(AD DC).
>>>> Online authentication works fine however when I disconnect the network
>>>> authentication fails. The computer is not joined to a domain, I am only
>>>> leveraging the domain/realm for authentication purposes
>>>>
>>>> Relevant entries
>>>> [pam]
>>>> offline_credentials_expiration = 7
>>>>
>>>> [domain]
>>>> cache_credentials=true
>>>> account_cache_expiration=8
>>>> id_provider=files
>>>> auth_provider=krb5
>>>> krb5_server=srva.example.com
>>>> krb5_kpasswd=srva.example.com
>>>> krb5_realm=EXAMPLE.COM
>>>> dns_discovery_domain=EXAMPLE.COM
>>>> krb5_store_password_if_offline=true
>>>>
>>>> Is this a supported configuration for offline logins with cached
>>>> credentials?
>>>>
>>>> Thanks
>>>>
>>> --
>>> _______________________________________________
>>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
>>> Do not reply to spam, report it:
>>> https://pagure.io/fedora-infrastructure/new_issue
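The substitution suggested in the quoted reply (proxy provider with the files library in place of the deprecated files provider), written out as an sssd.conf fragment. This is an added example, not configuration posted in the thread: `proxy_lib_name` is the assumed sssd.conf spelling of 'lib = files', the `[sssd]` section is assumed boilerplate, and the Kerberos values are copied from the quoted configuration.

```ini
# /etc/sssd/sssd.conf (keep it root-owned, mode 0600)
[sssd]
# Assumed boilerplate: the thread does not show this section.
services = nss, pam
domains = EXAMPLE.COM

[pam]
# 0 = no limit on how long cached credentials may be used offline.
offline_credentials_expiration = 0

[domain/EXAMPLE.COM]
# Before (deprecated; per the thread, the cached password hash is lost
# whenever the files provider rebuilds its cache):
# id_provider = files
#
# After: proxy provider reading the same passwd/group data through the
# NSS "files" library. proxy_lib_name is the assumed spelling of
# 'lib = files' from the reply.
id_provider = proxy
proxy_lib_name = files

# Authentication and credential caching, values as quoted in the thread.
auth_provider = krb5
cache_credentials = true
krb5_server = srva.example.com
krb5_realm = EXAMPLE.COM
dns_discovery_domain = EXAMPLE.COM
```

After one successful online login, the check from the thread (`touch /etc/passwd`, then `ldbsearch` against `/var/lib/sss/db/cache_EXAMPLE.COM.ldb`) shows whether the cached hash is still present.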