[Bug 217415] security/sssd Cannot authenticate towards Active Directory

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Mar 10 09:18:39 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217415

--- Comment #19 from Karli Sjöberg <Karli.Sjoberg at slu.se> ---
(In reply to lukas.slebodnik from comment #18)
Don't apologize, nobody is forcing you to do this, besides...

IT WORKS!!! :)

The second example you posted of using pam_deny.so as required at the end does
not work; however, I recalled reading something about using pam_unix.so, both
before _and_ after sssd to mimic this behaviour. For posterity, I'll just paste
my working examples, which let both local and directory users log in when sssd
is running, and local users when sssd is turned off:

/etc/pam.d/system:
#
# $FreeBSD: releng/10.3/etc/pam.d/system 197769 2009-10-05 09:28:54Z des $
#
# System-wide defaults
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      pam_unix.so             no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_sss.so use_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
#account        required        pam_krb5.so
account         sufficient      /usr/local/lib/pam_sss.so       ignore_unknown_user
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        /usr/local/lib/pam_mkhomedir.so    mode=0700
session         required        pam_lastlog.so          no_fail

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        sufficient      /usr/local/lib/pam_sss.so        use_authtok
password        required        pam_unix.so             no_warn try_first_pass

/etc/pam.d/sshd:
#
# $FreeBSD: releng/10.3/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      pam_unix.so             no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_sss.so use_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_sss.so       ignore_unknown_user
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        /usr/local/lib/pam_mkhomedir.so  mode=0700
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        sufficient      /usr/local/lib/pam_sss.so        use_authtok
password        required        pam_unix.so             no_warn try_first_pass

Best Regards
Karli Sjöberg
