Hi

The following sssd.conf and pam.d/gdm and pam.d/gdm-password work here on Fedora 13. With quite a bit of debugging I found out that for sssd you have to specify all bases in the sssd.conf. I have not been able to make sssd run with TLS.

[root@myws ~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2

# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3

# if a backend is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam
# domains = LOCAL,LDAP

# SSSD will not start if you don't configure any domain.
# Add new domain configurations as [domain/<NAME>] sections.
# Then add the list of domains (in the order you want them to be
# queried) in the 'domains' attribute above and uncomment it
domains = LDAP

[nss]
# the following prevents sssd from searching for the root user/group in
# all domains (you can add here a comma separated list of system accounts that are
# always going to be /etc/passwd users, or that you want to filter out)
filter_groups = root
filter_users = root
reconnection_retries = 3

# The EntryCacheTimeout indicates the number of seconds to retain before
# an entry in cache is considered stale and must block to refresh.
# The EntryCacheNoWaitRefreshTimeout indicates the number of seconds to
# wait before updating the cache out-of-band. (NSS requests will still
# be returned from cache until the full EntryCacheTimeout). Setting this
# value to 0 turns this feature off (default)
# entry_cache_timeout = 600
# entry_cache_nowait_timeout = 300

[pam]
reconnection_retries = 3

# Example LOCAL domain that stores all users natively in the SSSD internal
# directory. These local users and groups are not visible in /etc/passwd, it
# now contains only root and system accounts.
# [domain/LOCAL]
# description = LOCAL Users domain
# id_provider = local
# enumerate = true
# min_id = 500
# max_id = 999

# Example native LDAP domain
[domain/LDAP]
min_id = 50
ldap_tls_reqcert = never
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldapadmin.mydomain.com/
ldap_search_base = ou=pam-ldap,dc=mydomain,dc=com
ldap_user_search_base = ou=people,ou=pam-ldap,dc=mydomain,dc=com
ldap_group_search_base = ou=group,ou=pam-ldap,dc=mydomain,dc=com
ldap_default_bind_dn = cn=pam-ldap-checker,ou=pam-ldap,dc=mydomain,dc=com
ldap_default_authtok = ****
# ldap_tls_reqcert = demand
#cache_credentials = true
enumerate = true

# Example LDAP domain where the LDAP server is an Active Directory server.
# [domain/AD]
# description = LDAP domain with AD server
# enumerate = false
# min_id = 1000
#
# id_provider = ldap
# auth_provider = ldap
# ldap_uri = ldap://your.ad.server.com
# ldap_schema = rfc2307bis
# ldap_user_search_base = cn=users,dc=example,dc=com
# ldap_group_search_base = cn=users,dc=example,dc=com
# ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
# ldap_default_authtok_type = password
# ldap_default_authtok = YOUR_PASSWORD
# ldap_user_object_class = person
# ldap_user_name = msSFU30Name
# ldap_user_uid_number = msSFU30UidNumber
# ldap_user_gid_number = msSFU30GidNumber
# ldap_user_home_directory = msSFU30HomeDirectory
# ldap_user_shell = msSFU30LoginShell
# ldap_user_principal = userPrincipalName
# ldap_group_object_class = group
# ldap_group_name = msSFU30Name
# ldap_group_gid_number = msSFU30GidNumber

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = ou=pam-ldap,dc=mydomain,dc=com
krb5_realm = EXAMPLE.COM
chpass_provider = ldap
id_provider = ldap
auth_provider = ldap
ldap_default_bind_dn = cn=pam-ldap-checker,ou=pam-ldap,dc=mydomain,dc=com
debug_level = 0
min_id = 500
ldap_uri = ldap://ldap.mydomain.com
krb5_kdcip = kerberos.example.com
ldap_default_authtok = ****
ldap_tls_cacertdir = /etc/openldap/cacerts
[root@myws ~]#

[root@myws ~]# cat /etc/pam.d/gdm
#%PAM-1.0
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
#auth    required    pam_succeed_if.so user != root quiet
auth     required    pam_env.so
auth     substack    system-auth
auth     optional    pam_gnome_keyring.so
account  required    pam_nologin.so
account  include     system-auth
password include     system-auth
session  required    pam_selinux.so close
session  required    pam_loginuid.so
session  optional    pam_console.so
session  required    pam_selinux.so open
session  optional    pam_keyinit.so force revoke
session  required    pam_namespace.so
session  optional    pam_gnome_keyring.so auto_start
session  include     system-auth
[root@myws ~]#

[root@myws ~]# cat /etc/pam.d/gdm-password
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth     substack    password-auth
#auth    required    pam_succeed_if.so user != root quiet
auth     optional    pam_gnome_keyring.so
account  required    pam_nologin.so
account  include     password-auth
password include     password-auth
session  required    pam_selinux.so close
session  required    pam_loginuid.so
session  optional    pam_console.so
session  required    pam_selinux.so open
session  optional    pam_keyinit.so force revoke
session  required    pam_namespace.so
session  optional    pam_gnome_keyring.so auto_start
session  include     password-auth
[root@myws ~]#

suomi

On 2010-11-10 13:15, Bernd Nies wrote:
> Hi Stephen,
>
> Thanks for your reply. I tried to configure it with
> system-config-authentication (the same as authconfig-gtk) before but
> that tool did not generate a usable output. I adjusted sssd.conf
> manually afterwards and got "getent passwd" and ssh login to work. The
> two pam files you mentioned are shown below. Both include pam_sss.so in
> the authentication stack.
>
> Bye
> Bernd
>
>
> /etc/pam.d/password-auth
>
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> cat /etc/pam.d/system-auth
>
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
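The active domain in the sssd.conf posted above is the one named in `domains = LDAP`, and that section sets `ldap_tls_reqcert = never` on a plain `ldap://` URI; per sssd-ldap(5) that value makes the client skip server certificate verification, and the `[domain/default]` section that carries `ldap_id_use_start_tls` and `ldap_tls_cacertdir` is never loaded because it is not listed in `domains`. The following linter is an added example, not code from the mailing-list thread or from the SSSD project: it parses an sssd.conf, considers only the domains sssd would actually load, and reports settings that let a rogue directory server answer lookups or see the bind password. The two embedded configs are constructed for the example (hostnames, DNs and the password are placeholders), and the severities are this example's own choices; the defaults it assumes (reqcert `hard`, start_tls off, enumerate off) are the documented sssd-ldap(5) defaults.

```python
"""Lint the LDAP domains of an sssd.conf for settings that weaken trust in
the directory server.  Added example, not code from the mailing-list post
or from SSSD; sample configs below are constructed with placeholder values."""
import configparser

# Constructed sample modelled on the posted [domain/LDAP] section.
WEAK_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldapadmin.mydomain.com/
ldap_tls_reqcert = never
ldap_search_base = ou=pam-ldap,dc=mydomain,dc=com
ldap_default_bind_dn = cn=pam-ldap-checker,ou=pam-ldap,dc=mydomain,dc=com
ldap_default_authtok = placeholder-password
enumerate = true

# Not named in 'domains' above, so sssd never loads this section.
[domain/default]
id_provider = ldap
ldap_uri = ldap://ldap.mydomain.com
ldap_id_use_start_tls = True
"""

# The same domain with the weak settings replaced (placeholder CA dir).
HARDENED_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldapadmin.mydomain.com/
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_base = ou=pam-ldap,dc=mydomain,dc=com
ldap_default_bind_dn = cn=pam-ldap-checker,ou=pam-ldap,dc=mydomain,dc=com
ldap_default_authtok = placeholder-password
enumerate = false
"""


def load(text):
    """Parse sssd.conf text.  Only '=' separates keys from values (DNs
    contain '=' and ':' themselves), and '%' must not be interpolated."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def active_ldap_domains(cp):
    """Yield (name, section) for LDAP domains sssd would actually load:
    only domains named in the [sssd] 'domains' list count."""
    listed = cp.get("sssd", "domains", fallback="")
    for name in (d.strip() for d in listed.split(",")):
        sect = "domain/" + name
        if name and cp.has_section(sect) and cp.get(sect, "id_provider", fallback="") == "ldap":
            yield name, cp[sect]


def lint_domain(name, sect):
    """Return (severity, message) findings for one LDAP domain.
    Defaults follow sssd-ldap(5): reqcert=hard, start_tls=false, enumerate=false."""
    findings = []
    uri = sect.get("ldap_uri", "").strip()
    reqcert = sect.get("ldap_tls_reqcert", "hard").strip().lower()
    start_tls = sect.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
    has_ca = bool(sect.get("ldap_tls_cacert") or sect.get("ldap_tls_cacertdir"))

    if reqcert in ("never", "allow"):
        findings.append(("error", f"{name}: ldap_tls_reqcert = {reqcert} accepts any server "
                                  "certificate; a rogue LDAP server can answer lookups and "
                                  "collect bind passwords"))
    elif not has_ca:
        findings.append(("error", f"{name}: ldap_tls_reqcert = {reqcert} but neither "
                                  "ldap_tls_cacert nor ldap_tls_cacertdir is set"))
    if uri.startswith("ldap://") and not start_tls:
        findings.append(("error", f"{name}: ldap:// without ldap_id_use_start_tls sends "
                                  "identity lookups and the service bind in cleartext"))
    if sect.get("ldap_default_authtok"):
        findings.append(("warn", f"{name}: bind password stored in sssd.conf; keep the file "
                                 "root-owned with mode 0600"))
    if sect.get("enumerate", "false").strip().lower() == "true":
        findings.append(("warn", f"{name}: enumerate = true mirrors the whole directory "
                                 "into the local cache"))
    return findings


def lint(text):
    """Lint every loaded LDAP domain in the given sssd.conf text."""
    out = []
    for name, sect in active_ldap_domains(load(text)):
        out.extend(lint_domain(name, sect))
    return out


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for severity, msg in lint(conf):
            print(f"[{severity}] {msg}")
```

Run against the weak sample it reports two errors (unverified certificate, cleartext identity channel) and two warnings; the hardened sample keeps only the warning about the bind password living in the file, which is unavoidable with `ldap_default_bind_dn` and is why sssd.conf must stay root-owned with mode 0600. Note that `ldap_tls_reqcert = never` is exactly the setting that makes an unverified `ldap://` server "work", so a login that succeeds with it proves nothing about the server's identity.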