[Freeipa-users] FreeIPA manual PAM setup help
小龙 陈
chillermillerlong at hotmail.com
Fri Nov 30 02:40:34 UTC 2012
> Subject: Re: [Freeipa-users] FreeIPA manual PAM setup help
> From: simo at redhat.com
> To: chillermillerlong at hotmail.com
> CC: jhrozek at redhat.com; freeipa-users at redhat.com
> Date: Thu, 29 Nov 2012 21:08:02 -0500
>
> On Thu, 2012-11-29 at 20:55 -0500, 小龙 陈 wrote:
>
>
> > And PAM is working!
>
> Excellent!
>
> > I've just finished a helper for setting up NSS and PAM for sssd. It
> > basically does the following:
> >
> > 1. Looks for 'passwd', 'shadow', 'group', 'services', 'netgroup', and
> > 'automount'
> > in /etc/nsswitch.conf and adds 'sss' to it.
>
> SSSD does not provide a shadow map so you shouldn't add sss to shadow. It
> will do no harm though, it will just be a noop.
I see. I'll remove that part. I just saw that Fedora's authconfig adds it
by default.
>
> > 2. Looks for pam_unix.so in every file in /etc/pam.d/, changes
> > 'required'
> > to 'sufficient', and adds an 'include' line for 'sss' right below
> > it. /etc/pam.d/sss
> > contains the pam_sss.so lines.
> >
> > So far, I've tested sudo and su, and both are working :)
> >
> > Here's a link to the script:
> > https://github.com/chenxiaolong/ArchLinux-Packages/blob/master/freeipa/sss-auth-setup.py
> >
> > If someone is bored, I'd appreciate it if he/she would take a look at
> > it
> > for glaring issues.
>
> Cool stuff, I do not know Arch Linux default PAM stack configuration so
> I can't tell with certainty that the replace you make is perfect, but I
> do not see anything stunningly bad.
Thanks for taking a look at the script!
I'm having some ssh issues now, unfortunately. Password authentication works
fine, but GSSAPI doesn't. The client always fails with "Connection closed by UNKNOWN".
Client: http://paste.kde.org/617216/
Server: http://paste.kde.org/617222/
Interestingly enough, the server logs nothing (with GSSAPI) unless I set it to log
debug messages.
Anyways, I'll have to look at this tomorrow. I'm not going to finish my homework :)
Xiao-Long Chen
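
A dry-run version of step 1 from the message above, with the shadow map left out as the reply points out that SSSD provides none. This is an added example, not the sss-auth-setup.py script linked in the message; the function name add_sss and the sample nsswitch.conf text are constructed for illustration.

```python
import re

# Maps from the message's step 1, minus 'shadow' (SSSD provides no shadow map).
SSS_MAPS = ("passwd", "group", "services", "netgroup", "automount")

# indent, map name, separator, source list, optional trailing comment
LINE_RE = re.compile(r"^(\s*)([A-Za-z_]+)(\s*:\s*)([^#\n]*?)(\s*(?:#.*)?)$")

# Constructed sample input, not taken from any real host.
SAMPLE = """\
# /etc/nsswitch.conf (constructed sample)
passwd: files
shadow: files
group: files sss
services: files # local only
netgroup: files
"""

def add_sss(nsswitch_text, maps=SSS_MAPS):
    """Return (new_text, changed_maps, missing_maps); no file is written."""
    out, changed, seen = [], [], set()
    for line in nsswitch_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) in maps:
            indent, name, sep, sources, tail = m.groups()
            seen.add(name)
            # Idempotent: only append when 'sss' is not already a source.
            if "sss" not in sources.split():
                if not sep[-1].isspace():
                    sep += " "
                sources = (sources + " sss").strip()
                line = f"{indent}{name}{sep}{sources}{tail}"
                changed.append(name)
        out.append(line)
    # Maps with no line at all are reported, not invented.
    missing = [name for name in maps if name not in seen]
    return "\n".join(out) + "\n", changed, missing

if __name__ == "__main__":
    new_text, changed, missing = add_sss(SAMPLE)
    print(new_text, end="")
    print("changed:", changed, "missing:", missing)
```

Reviewing the returned text before writing it back keeps a bad edit to /etc/nsswitch.conf from breaking name lookups on the host.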