LinuxQuestions.org
Old 04-18-2024, 04:42 AM   #1
Greg.G
LQ Newbie
 
SSSD and local user


I encounter a problem when I want to log in with the local user WITHOUT a network connection.

When the network comes back, there is no problem with local users or LDAP (SSSD) users. SSSD is configured and working.

According to my research it's in /etc/pam.d, in the "common-*" configuration files:
  • common-account
  • common-auth
  • common-password
  • common-session
Do you know where the blockage comes from? Without the network, entering the password in the login menu achieves nothing.

Here are my common-conf files:

common-account:

Code:
 account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
 account requisite pam_deny.so
 account required pam_permit.so
 account sufficient pam_localuser.so
common-auth:

Code:
 auth [success=2 default=ignore] pam_unix.so nullok_secure
 auth [success=1 default=ignore] pam_sss.so use_first_pass
 auth requisite pam_deny.so
 auth required pam_permit.so
 auth optional pam_cap.so
common-password:

Code:
 password requisite pam_pwquality.so retry=3
 password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
 password sufficient pam_sss.so use_authtok
 password requisite pam_deny.so
 password required pam_permit.so
 password optional pam_gnome_keyring.so
common-session:

Code:
 session [default=1] pam_permit.so
 session requisite pam_deny.so
 session required pam_permit.so
 session optional pam_umask.so
 session required pam_unix.so
 session optional pam_sss.so
 session optional pam_systemd.so
 session optional pam_oddjob_mkhomedir.so
 session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
Thank you.

Last edited by Greg.G; 04-25-2024 at 05:11 AM.
 
Old 04-19-2024, 10:52 PM   #2
ferrari
LQ Guru
 
Can you be more explicit about what you mean by network connection? Or do you mean that you can't log in as a local user when not connected to the LAN? What is the issue that you're trying to solve here?

Last edited by ferrari; 04-19-2024 at 10:53 PM.
 
Old 04-19-2024, 11:03 PM   #3
ferrari
LQ Guru
 
If you are trying to achieve offline authentication, this will rely on the online authentication credentials being cached first. For that you'd need to set
Code:
cache_credentials = true
in the '[domain/LDAP]' section of /etc/sssd/sssd.conf first.

Once you have authenticated online, you should then be able to authenticate while offline (e.g. with the network cable unplugged).

Last edited by ferrari; 04-19-2024 at 11:04 PM.
 
Old 04-22-2024, 05:12 AM   #4
Greg.G
LQ Newbie
 
Original Poster
Quote:
Originally Posted by ferrari View Post
If you are trying to achieve offline authentication, this will rely on the online authentication credentials being cached first. For that you'd need to set
Code:
cache_credentials = true
in the '[domain/LDAP]' section of /etc/sssd/sssd.conf first.

Once you have authenticated online, you should then be able to authenticate while offline (e.g. with the network cable unplugged).

What I'm looking for is when the machine has no network cable plugged in => no local network and no internet connection.

I would like to log in with the user that was created locally on the machine.

But with my SSSD configured and my /etc/pam.d/ files I cannot log in with this user when the network cable is unplugged.

I looked at Red Hat's SSSD documentation to see if there was an error in my configuration, and apparently everything is OK: https://access.redhat.com/documentat...zation-in-rhel

I also checked whether caching should be enabled in SSSD; it is fine.
 
Old 04-24-2024, 03:20 AM   #5
ferrari
LQ Guru
 
Share the [sssd] and [pam] sections of sssd.conf please.

Check PAM configuration:
https://access.redhat.com/documentat...ration_Options
 
Old 04-25-2024, 02:54 AM   #6
Greg.G
LQ Newbie
 
Original Poster
Here is my sssd.conf file (I have deliberately hidden certain parts for confidentiality):

Quote:
[sssd]
config_file_version = 2
services = nss, pam
domains = ldap

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news

[pam]

[domain/ldap]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=id,dc=XXX,dc=XXX
ldap_uri = XXX
override_homedir = /home/%u
debug_level = 5
ldap_tls_cacert=XXX
enumerate = true
ldap_tls_reqcert = request

According to your link, this part is missing:
Quote:
[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
I'm going to test with these lines.
 
Old 04-25-2024, 04:27 AM   #7
ferrari
LQ Guru
 
I notice in your opening post that you have entries with the control value of 'requirement', e.g.
Code:
auth requirement pam_deny.so
I'm not sure if this is valid or not. Most documentation I've read refers to 'requisite' instead, e.g.
Code:
auth requisite pam_deny.so
Hopefully others can clarify this.

I would have expected common-auth to look more like this:
Code:
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_lsass.so try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
In any case, you can use the sssctl command to check your SSSD configuration (as mentioned in the link I gave already)...
Quote:
Test That the Integration Works Correctly

* Try logging in as a user.

* Use the sssctl user-checks user_name auth command to check your SSSD configuration. For details, use the sssctl user-checks --help command.

Last edited by ferrari; 04-25-2024 at 04:29 AM.
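A small model of the PAM control-flow rules that the 'requisite' versus '[success=N default=ignore]' discussion above depends on, written for this thread as an added example (it is not code from either poster). It parses the common-auth from the opening post and replays it with assumed per-module return codes (the pam_unix/pam_sss outcomes per scenario and the "perm_denied" fallback are assumptions, not observed behaviour), so you can see which modules a local user and an offline LDAP user actually reach.

```python
"""Walk a PAM auth stack per pam.conf(5) control semantics (added example; module results are assumed)."""
import re
KEYWORDS = {  # keyword controls in the bracketed form that pam.conf(5) defines for them
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_stack(text):
    """[(control_dict, module)] for each module line of a pam.d file; comments and blanks are skipped."""
    stack = []
    for m in re.finditer(r"^\s*\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)", text, re.M):
        ctrl = m.group(1)
        control = (dict(kv.split("=", 1) for kv in ctrl[1:-1].split())
                   if ctrl.startswith("[") else KEYWORDS[ctrl])
        stack.append((control, m.group(2)))
    return stack

def run_stack(stack, returns):
    """returns: module -> assumed return code. Gives (stack result, modules actually consulted)."""
    status, consulted, i = None, [], 0
    while i < len(stack):
        control, module = stack[i]
        consulted.append(module)
        rc = returns[module]
        action = control.get(rc, control.get("default", "bad"))  # unlisted values act as bad
        i += 1
        if action != "ignore" and status in (None, "success"):
            status = rc                  # ok/bad/done/die/N all record rc; a failure is never overridden
        if action in ("die", "done"):
            break
        if action.isdigit():             # N: like ok, then skip the next N modules
            i += int(action)
    return status or "perm_denied", consulted  # a stack nobody contributed to fails closed

# The common-auth from the opening post, plus constructed outcomes for pam_unix/pam_sss.
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so"""
FIXED = {"pam_deny.so": "auth_err", "pam_permit.so": "success", "pam_cap.so": "success"}
SCENARIOS = {
    "local user, good password":         {"pam_unix.so": "success", "pam_sss.so": "user_unknown"},
    "ldap user offline, cached creds":   {"pam_unix.so": "user_unknown", "pam_sss.so": "success"},
    "ldap user offline, nothing cached": {"pam_unix.so": "user_unknown", "pam_sss.so": "authinfo_unavail"},
}

def evaluate(name):
    return run_stack(parse_stack(COMMON_AUTH), {**FIXED, **SCENARIOS[name]})
```

In this model a local user's pam_unix success jumps over both pam_sss and pam_deny, so the posted auth stack never consults SSSD for that user; what the real host does is best confirmed with the sssctl user-checks command mentioned above.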
 
Old 04-25-2024, 05:06 AM   #8
Greg.G
LQ Newbie
 
Original Poster
Quote:
Originally Posted by ferrari View Post
I notice in your opening post that you have entries with the control value of 'requirement', e.g.
Code:
auth requirement pam_deny.so
I'm not sure if this is valid or not. Most documentation I've read refers to 'requisite' instead, e.g.
Code:
auth requisite pam_deny.so
Hopefully others can clarify this.

I would have expected common-auth to look more like this:
Code:
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_lsass.so try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
In any case, you can use the sssctl command to check your SSSD configuration (as mentioned in the link I gave already)...
I translated it wrong; I updated my pam.d files.

With the translation (FR/EN) it put “requirement” in place of “requisite”.

Last edited by Greg.G; 04-25-2024 at 05:13 AM.
 
  

