[Bug 217415] security/sssd Cannot authenticate towards Active Directory
bugzilla-noreply at freebsd.org
Thu Mar 9 19:57:50 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217415
--- Comment #18 from lukas.slebodnik at intrak.sk ---
I overlooked that your current PAM stack contains some lines which are
commented out, and pam_sss.so is the first one but expects the password from
a previous module.
># auth
>auth sufficient pam_opie.so no_warn no_fake_prompts
>auth requisite pam_opieaccess.so no_warn allow_local
>#auth sufficient pam_krb5.so no_warn try_first_pass
>#auth sufficient pam_ssh.so no_warn try_first_pass
>auth sufficient /usr/local/lib/pam_sss.so debug use_first_pass
>auth required pam_unix.so no_warn try_first_pass
If you want to have pam_sss.so as the first one, then you need to remove
*use_first_pass*; otherwise sssd will not try to get the password from the
user. You also want to forward the password to the other modules.
e.g.
>auth required pam_nologin.so no_warn
>auth sufficient pam_opie.so no_warn no_fake_prompts
>auth requisite pam_opieaccess.so no_warn allow_local
>auth sufficient /usr/local/lib/pam_sss.so forward_pass
>auth required pam_unix.so no_warn try_first_pass
Or you can have pam_unix as the first one, so authentication for local users
would not be slowed down by pam_sss.so:
>auth required pam_nologin.so no_warn
>auth sufficient pam_opie.so no_warn no_fake_prompts
>auth requisite pam_opieaccess.so no_warn allow_local
>auth sufficient pam_unix.so no_warn try_first_pass
>auth sufficient /usr/local/lib/pam_sss.so use_first_pass
>auth required pam_deny.so
Sorry for the longer delay between replies.
--
You are receiving this mail because:
You are the assignee for the bug.
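
The ordering rule from the comment above (a module with use_first_pass never prompts, so an earlier module must already have collected the password), written as a small check over the auth lines. This is an added example, not part of the original comment or of sssd; the function names and the PASSWORD_MODULES set are assumptions made for illustration.

```python
import os

# Assumption: the modules treated as able to collect a password. pam_opie is
# left out, following the comment's reading that pam_sss.so comes first.
PASSWORD_MODULES = {"pam_unix", "pam_sss", "pam_krb5", "pam_ssh"}

def parse_auth(text):
    """Return (module, options) for every active (uncommented) auth line."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            module = os.path.splitext(os.path.basename(fields[2]))[0]
            entries.append((module, set(fields[3:])))
    return entries

def check_stack(text):
    """List password modules that would run without a usable password."""
    findings = []
    have_token = False  # has an earlier module stored a password for reuse?
    for module, opts in parse_auth(text):
        if module not in PASSWORD_MODULES or have_token:
            continue  # not a password module, or it can reuse the stored one
        if "use_first_pass" in opts:
            findings.append(f"{module}: use_first_pass with no earlier password")
            continue  # the module never prompts, so nothing is stored yet
        # The module prompts here. Assumption: pam_sss only shares what it
        # read when forward_pass is set; the other modules always store it.
        have_token = module != "pam_sss" or "forward_pass" in opts
        if not have_token:
            findings.append(f"{module}: prompts but lacks forward_pass")
    return findings

# Auth lines of the reporter's stack, copied from the comment above.
ORIGINAL = """
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_sss.so debug use_first_pass
auth required pam_unix.so no_warn try_first_pass
"""

if __name__ == "__main__":
    for finding in check_stack(ORIGINAL):
        print(finding)
```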