SSSD and local user

Greg.G

I encounter a problem when I want to connect with the local user WITHOUT the network connection.

When the network comes back, no problem with local users and LDAP (SSSD) users. The SSSD is configured and working.

According to my research it's in /etc/pam.d in the "common-*" configuration files:
  • common-account
  • common-auth
  • common-password
  • common-session
Do you know where the blockage comes from?
The behavior without the network in the login menu, when entering the password, is in vain.
Here are my common-conf files:

common-account:
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so

common-auth:
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

common-password:
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password sufficient pam_sss.so use_authtok
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so

common-session:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

Thank you.
 


@Greg.G wrote:
I want to connect with the local user WITHOUT the network connection.

The statement is a little ambiguous, since linux installations do have a network internally that works without an online network connection, so I guess the meaning of "without the network connection" means without the online connection to the internet.

One can connect through the internal network with the local user using a number of identities as shown by running these commands:
Code:
ping -c 2 localhost
ping -c 2 127.0.0.1
ping -c 2 127.0.1.1
ping -c 2 $(echo $HOSTNAME)
ping -c 2 $(hostname -I | awk '{print $1}')

To stop the pings, use: Ctrl+C.

The entries in the pam configuration files shown in post #1 are more voluminous than the entries on this Debian system. The Debian defaults here are below for you to compare.
Code:
[tom@min /etc/pam.d]$ grep -v ^# common-account
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so

[tom@min /etc/pam.d]$ grep -v ^# common-auth
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

[tom@min /etc/pam.d]$ grep -v ^# common-password
password        [success=1 default=ignore]      pam_unix.so obscure yescrypt
password        requisite                       pam_deny.so
password        required                        pam_permit.so
password        optional        pam_gnome_keyring.so

[tom@min /etc/pam.d]$ grep -v ^# common-session
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required        pam_unix.so
session optional        pam_systemd.so

It may be worth reading what the extra configuration items in your files are for before altering anything, but altering these is entirely reversible.

The info in these pages may be of use: https://access.redhat.com/documenta...ring-authentication-and-authorization-in-rhel
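
As an added example (not code from the thread or from either poster), here is a small Python model of the PAM control-flag semantics described in pam.conf(5), run over the common-auth stack quoted from the first post; it shows which module decides the result for a local user when pam_sss cannot reach the directory. The module return values are constructed inputs, and the model is simplified (no `reset` action, no substacks).

```python
# Added example, not from the thread: a simplified model of Linux-PAM control
# actions (pam.conf(5)) to trace the first post's common-auth stack offline.
import re

KEYWORDS = {  # the simple keywords are shorthand for these bracketed actions
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}

def parse_stack(text, stack_type):
    """Return [(control_dict, module)] for the lines of one stack type, e.g. 'auth'."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line.split("#")[0])
        if m and m.group(1) == stack_type:
            ctl = m.group(2)
            control = (dict(kv.split("=") for kv in ctl[1:-1].split())
                       if ctl.startswith("[") else KEYWORDS[ctl])
            rules.append((control, m.group(3)))
    return rules

def run_stack(rules, results):
    # `results` maps module -> its return value; a missing module returns PAM_IGNORE
    status, failed, i = None, False, 0
    while i < len(rules):
        control, module = rules[i]
        rc = results.get(module, "ignore")
        action = control.get(rc, control.get("default", "bad"))
        i += 1
        if action.isdigit():             # success=N: counts as a result, skips N modules
            status, i = (status if failed else rc), i + int(action)
        elif action in ("ok", "done"):   # contributes unless a failure is already recorded
            status = status if failed else rc
            if action == "done" and not failed:
                return status
        elif action in ("bad", "die"):   # record the failure; 'die' ends the stack now
            status, failed = (status if failed else rc), True
            if action == "die":
                return status
    return status or "perm_denied"       # nothing decided: PAM denies

COMMON_AUTH = """auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so"""           # common-auth exactly as posted in the first message

def trace_common_auth(unix_rc, sss_rc):
    # constructed module results: pam_deny always fails, pam_permit always succeeds
    results = {"pam_unix.so": unix_rc, "pam_sss.so": sss_rc,
               "pam_deny.so": "auth_err", "pam_permit.so": "success"}
    return run_stack(parse_stack(COMMON_AUTH, "auth"), results)
```

`trace_common_auth("success", "authinfo_unavail")` returns `success`: a local user with the right password passes this auth stack even while pam_sss reports the server unreachable, because `success=2` on pam_unix jumps straight over pam_sss and pam_deny to pam_permit.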

When the machine is connected to the network cable with the Internet connection and especially with the connection to the company network = ok

But when the cable is removed = No internet or company network.

I can't connect to the GUI user locally.
It can only come from the "common-*" files because they are the ones that allow authorization.

I looked at the Debian ones, it's similar but doesn't solve my blockage.

My "pam_sss.so" lines allow me to log in my SSSD user from a remote LDAP.

I also checked whether caching should be enabled in SSSD, it is fine.