Monday, December 6, 2021

[389-users] Re: Help - Missing nsAccount objectClass for WinSync users from AD

> On 7 Dec 2021, at 00:22, Caderize Caderize <caderize@gmail.com> wrote:
>
> Hi William,
> the pam, for users created manually is working fine to me.
> The only problem is related to synced users from AD, which seem not to have all the necessary objectClasses.

The issue is *not* related to objectClasses. As mentioned I reproduced your config and it worked for me, with an entry with the same objectClasses.



>
> However, this is the ldapserver PAM service:
> # here are the per-package modules (the "Primary" block)
> auth [success=2 default=ignore] pam_unix.so nullok
> auth [success=1 default=ignore] pam_sss.so use_first_pass debug
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config


You need an "account" module section in your pam file here, else the pam_acct_mgmt step to allow the account will fail. That's likely your problem here.

Second, you don't need pam_unix. I think your file should be:

auth sufficient pam_sss.so use_first_pass ignore_unknown_user
auth required pam_deny.so

account sufficient pam_sss.so ignore_unknown_user
account required pam_deny.so


If that doesn't work, you need to add 'debug_log = 5' to [domain/lab.local] and nsslapd-errorlog-level 81920 to your directory server, and then provide the logs for an authentication from /var/log/dirsrv/slapd-instance/errors, and /var/log/sssd/sssd_lab.local.log

Thanks,


>
>
> and this is the sssd.conf file:
> [sssd]
> domains = lab.local
> config_file_version = 2
> services = nss, pam
> debug_level = 10
>
> [domain/lab.local]
> default_shell = /bin/bash
> krb5_store_password_if_offline = True
> cache_credentials = True
> krb5_realm = LAB.LOCAL
> realmd_tags = manages-system joined-with-adcli
> id_provider = ad
> fallback_homedir = /home/%u@%d
> ad_domain = lab.local
> use_fully_qualified_names = False
> ldap_id_mapping = True
> access_provider = ad
> #enumerate = true
>
> auth_provider = ad
> chpass_provider = ad
> ldap_schema = ad
>
> dyndns_update = true
> dyndns_refresh_interval = 43200
> dyndns_update_ptr = true
> dyndns_ttl = 3600
>
> Hope to have a reply from you soon.
>
> Best Regards
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
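The defect William points at, an `auth` stack with no matching `account` stack, can be caught before anyone files a ticket. The following is an added example, not code from 389-ds, SSSD or either poster: a small linter that parses a pam.d-style service file, reports a missing `account` group, and flags backend modules (pam_sss.so, pam_unix.so, pam_ldap.so, pam_krb5.so are the assumed set) that appear under `auth` but not under `account`. The two embedded stacks are constructed from the ones quoted in the thread.

```python
"""Minimal linter for a PAM service file such as /etc/pam.d/ldapserver.

Added example for this thread (not from 389-ds, SSSD or the posters).
It parses a pam.d-style stack and reports the problem discussed above:
an 'auth' stack with no 'account' stack makes pam_acct_mgmt() fail
even when pam_authenticate() succeeded.
"""
import re
from collections import defaultdict

# Constructed input: the auth-only stack quoted in the thread.
PAM_AUTH_ONLY = """\
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass debug
# here's the fallback if no module succeeds
auth requisite pam_deny.so
auth required pam_permit.so
"""

# Constructed input: the stack proposed in the reply, with both groups present.
PAM_WITH_ACCOUNT = """\
auth sufficient pam_sss.so use_first_pass ignore_unknown_user
auth required pam_deny.so

account sufficient pam_sss.so ignore_unknown_user
account required pam_deny.so
"""

# type  control  module [args]; control is one word or a [...] block
LINE_RE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)

# Assumed set of modules that consult a user backend; each one used in
# 'auth' should also be present in 'account' so pam_acct_mgmt() can succeed.
BACKEND_MODULES = {"pam_sss.so", "pam_unix.so", "pam_ldap.so", "pam_krb5.so"}


def parse_pam(text):
    """Return (type, control, module, args) tuples with comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            # The included file could add lines to any group; record it,
            # do not try to resolve it here.
            entries.append(("@include", "", line.split(None, 1)[1], ""))
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        # A leading '-' only silences logging when the module is missing.
        entries.append((m["type"].lstrip("-"), m["control"],
                        m["module"], m["args"] or ""))
    return entries


def check_stack(text):
    """Return a list of findings; an empty list means the stack passes."""
    findings = []
    by_type = defaultdict(list)
    for typ, control, module, args in parse_pam(text):
        by_type[typ].append((control, module, args))

    if by_type["@include"]:
        findings.append("stack uses @include; included files were not inspected")

    if by_type["auth"] and not by_type["account"]:
        findings.append("no 'account' lines: pam_acct_mgmt() will fail for "
                        "every user even when pam_authenticate() succeeds")
    elif by_type["account"]:
        auth_mods = {m for _, m, _ in by_type["auth"]}
        acct_mods = {m for _, m, _ in by_type["account"]}
        for mod in sorted((auth_mods & BACKEND_MODULES) - acct_mods):
            findings.append(f"{mod} is used in 'auth' but not in 'account'")

    # Each present group should end fail-closed with pam_deny.so somewhere.
    for group in ("auth", "account"):
        if by_type[group] and not any(m == "pam_deny.so" for _, m, _ in by_type[group]):
            findings.append(f"'{group}' group has no pam_deny.so fallback")
    return findings


if __name__ == "__main__":
    for name, stack in (("auth-only", PAM_AUTH_ONLY), ("with-account", PAM_WITH_ACCOUNT)):
        print(name, "->", check_stack(stack) or "OK")
```

Run it against a real service file with `check_stack(open("/etc/pam.d/ldapserver").read())`; the auth-only stack from the thread yields the missing-`account` finding, the proposed replacement yields none.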
