[Freeipa-users] FreeIPA manual PAM setup help
Jakub Hrozek
jhrozek at redhat.com
Thu Nov 29 15:56:08 UTC 2012
On Thu, Nov 29, 2012 at 10:26:00AM -0500, Rob Crittenden wrote:
> 小龙 陈 wrote:
> >Hi,
> >
> >I've been working on porting the FreeIPA client to Arch Linux lately and
> >I'm now to the last step of the puzzle. Everything works the way it
> >should, except for PAM, which I don't know how to setup.
> >
> >I must admit that I'm very confused by the PAM configuration (which PAM
> >module does what, the order of the modules, etc). What I'm trying to
> >find out is where the pam_sss.so lines should go. Here's a copy of the
> >/etc/pam.d/ directory in Arch Linux: http://ompldr.org/vZ2hxcw/pam.d.tar.bz2
> >
> >I'd greatly appreciate it if someone could help me out :) Thanks!
> >
>
> I gather that this is due to a lack of authconfig.
>
> Timo Aaltonen has been working on ipa-client (and server!) for
> Ubuntu and he ran into similar problems but I'm not sure what
> solution he came up with.
>
> I'll find someone with more PAM experience to try to give you more
> practical help.
>
> rob
Hi,
the PAM config files on Arch Linux are a little bit different than what
Fedora/RHEL uses. It seems that the per-service config files (such as
/etc/pam.d/su for logging in with su) directly include the PAM modules,
in your case pam_unix.so only. On Fedora/RHEL, the per-service files
usually include a more generic file called something like system-auth.
Either way works, but if you'd like to configure more services in a
similar way, then including a common file might save you some edits.
This document is a little outdated but provides a nice intro into
configuring PAM:
http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html
In general there are four stacks in PAM, each of which controls one
step in the auth process.
I think you'll want to use both pam_unix and pam_sss in all the
stacks -- pam_sss is needed for users coming in from the SSSD to log in
and you'll also want to keep pam_unix around so that local users (at
least root) can log in too.
Here is what my PAM config on Fedora 18 looks like:
--------------------------------------------------------------------
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password optional pam_pwquality.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
--------------------------------------------------------------------
If Arch Linux ships the same modules as Fedora, then you should be able to
simply copy and use the PAM config we use. I've put Honza to CC, I know
he runs Arch Linux as well and might have some insights into how PAM is
configured on Arch.
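As an added example that is not part of the thread and not code from FreeIPA, SSSD or Arch, the script below checks a PAM config file before it is dropped into /etc/pam.d on a system that has no authconfig to generate one. It encodes two points from the config quoted above: every one of the four stacks must list both pam_unix.so (local users, root included) and pam_sss.so (users from SSSD), and the auth stack must end in pam_deny.so, because the "sufficient" lines above it are skipped on failure and without the final deny a request that matched none of them would still succeed on the strength of pam_env. The checker itself, its messages and the two sample configs are constructed here; the module and stack names are those from the mail. Note also that in the quoted config the "pam_succeed_if.so uid >= 1000" line sits ahead of pam_sss.so on purpose: a low-UID local account such as root that fails pam_unix is rejected there and never gets looked up in SSSD.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a PAM config before
# installing it on a system without authconfig. Verifies that each of the
# four stacks (auth, account, password, session) lists both pam_unix.so and
# pam_sss.so, and that the auth stack is closed by pam_deny.so so a request
# that matched no "sufficient" line fails. The checker is an assumption.

# check_pam_stacks FILE: prints one line per problem; exit status 0 if none.
check_pam_stacks() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
    {
        stack = $1
        sub(/^-/, "", stack)        # "-session" = do not log if module is missing
        # The module is the first field ending in ".so"; the control field may
        # be a bracketed list with spaces, so the module can be $2, $3, ...
        # Use the basename so /lib/security/pam_unix.so also matches.
        mod = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /\.so$/) { n = split($i, p, "/"); mod = p[n]; break }
        if (mod == "") next         # e.g. "auth include system-auth"
        seen[stack, mod] = 1
        last[stack] = mod
    }
    END {
        rc = 0
        split("auth account password session", stacks, " ")
        for (s = 1; s <= 4; s++) {
            st = stacks[s]
            if (!seen[st, "pam_unix.so"]) { print st ": no pam_unix.so, local users (incl. root) could not log in"; rc = 1 }
            if (!seen[st, "pam_sss.so"])  { print st ": no pam_sss.so, SSSD/IPA users could not log in"; rc = 1 }
        }
        if (last["auth"] != "pam_deny.so") { print "auth: stack does not end in pam_deny.so, so it does not fail closed"; rc = 1 }
        exit rc
    }' "$1"
}

# Constructed sample: a common stack along the lines of the Fedora system-auth
# quoted in the mail, meant to be pulled in from per-service files with
# "auth include system-auth" (and likewise for the other three stacks).
make_good_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth     sufficient pam_sss.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so broken_shadow
account  sufficient pam_localuser.so
account  sufficient pam_succeed_if.so uid < 1000 quiet
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
account  required   pam_permit.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required   pam_deny.so
session  required   pam_limits.so
-session optional   pam_systemd.so
session  optional   pam_oddjob_mkhomedir.so
session  required   pam_unix.so
session  optional   pam_sss.so
EOF
    echo "$f"
}

# Constructed sample: an Arch-style per-service file that only knows
# pam_unix.so, the situation the original poster describes.
make_bad_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
auth     required pam_unix.so
account  required pam_unix.so
session  required pam_unix.so
password required pam_unix.so
EOF
    echo "$f"
}

# Stand-alone demo: the first file passes, the second reports five problems.
for f in "$(make_good_conf)" "$(make_bad_conf)"; do
    if check_pam_stacks "$f"; then echo "$f: OK"; else echo "$f: needs work"; fi
    rm -f "$f"
done
```

Run it against a real file with `check_pam_stacks /etc/pam.d/system-auth` after sourcing the script; a per-service file that only has `include` lines will report every stack as missing both modules, which is expected, since the modules live in the included file.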