====== Config PAM on Linux ======

==== Example of sssd.conf file ====

<code>
[root@LINUX10 ~]# cat /etc/sssd/sssd.conf
[sssd]
default_domain_suffix = ad.domain.lu
domains = ad.domain.lu
config_file_version = 2
services = nss, pam

[domain/ad.domain.lu]
ad_domain = ad.domain.lu
krb5_realm = AD.DOMAIN.LU
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = LINUX-ALL-SUDO@ad.domain.lu, LINUX-MYSQL-USER@ad.domain.lu
</code>

==== Debug PAM ====

=== First solution ===

Add the following lines to the end of **/etc/sssd/sssd.conf**:

<code>
[pam]
debug_level = 9
</code>

Logs are located in /var/log/sssd/ and also in /var/log/secure.

=== Second solution ===

Add the ''debug'' option to the relevant module line in /etc/pam.d/*, for example:

<code>
auth sufficient pam_duo.so debug
</code>

The logs go through syslog; with a rule such as ''*.debug /var/log/debug.log'' in the syslog configuration they end up in /var/log/debug.log.

==== Start SSSD in debug mode ====

<code>
# sssd -d4
[sssd] [ldb] (3): server_sort:Unable to register control with rootdse!
[sssd] [confdb_get_domains] (0): No domains configured, fatal error!
[sssd] [get_monitor_config] (0): No domains configured.
</code>

==== Check SELinux config ====

https://jfearn.fedorapeople.org/fdocs/en-US/Fedora_Draft_Documentation/0.1/html/System_Administrators_Guide/SSSD-Troubleshooting.html

==== Clear sssd cache ====

To clear the sssd cache for a single user:

<code>
# sss_cache -u user1
</code>

To clear the sssd cache for all users:

<code>
# sss_cache -E
</code>

==== Delete sssd cache ====

Before doing this it is suggested that the SSSD service be stopped.

<code>
# systemctl stop sssd
</code>

After this we want to delete all files within the /var/lib/sss/db/ directory.

<code>
# rm -rf /var/lib/sss/db/*
</code>

Once complete we can start SSSD back up again.

<code>
# systemctl restart sssd
</code>

==== Use AD UID and GID ====

By default, the AD provider will map UID and GID values from the objectSID attribute in Active Directory. For details on this, see the “ID MAPPING” section of the sssd-ad(5) manual page. If you want to disable ID mapping and instead rely on POSIX attributes defined in Active Directory, you should set:

<code>
ldap_id_mapping = False
</code>

The SSSD configuration then depends on which attributes are used in AD. The defaults for UID and GID are **uidNumber** and **gidNumber**, but some defaults change based on which version of SSSD you are running. Check the manpage for the release you are using.
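As an added example (not part of the original page or of the SSSD project), the following POSIX shell script audits an sssd.conf for the points raised above: the file mode, that an ''access_provider'' restricts logins (SSSD's default is ''permit''), that ''simple'' actually lists allowed groups, and that a ''[pam] debug_level'' left over from troubleshooting is reported. It assumes GNU ''stat -c %a'' (Linux); the function names, messages and the constructed sample config are my own.

```shell
# Added example (not from the original page): audit an sssd.conf for the settings
# discussed above. Function names and messages are my own.

sssd_get() { # file section key -> prints the value of KEY in [SECTION], empty if absent
    awk -v sec="[$2]" -v key="$3" '
        BEGIN { re = "^[[:space:]]*" key "[[:space:]]*=" }
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); insec = (s == sec); next }
        insec && $0 ~ re { sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit }
    ' "$1"
}

# Return 0 when no FAIL is raised; WARN lines do not change the result.
audit_sssd_conf() { # file
    f=$1; rc=0
    dom=$(sssd_get "$f" sssd domains | cut -d, -f1 | tr -d ' ')
    [ -n "$dom" ] || { echo "FAIL: no domains configured in [sssd]"; return 1; }
    sec="domain/$dom"
    # The file may hold bind credentials; SSSD itself refuses to start unless it is mode 0600.
    mode=$(stat -c %a "$f")
    case "$mode" in *00) ;; *) echo "FAIL: $f is mode $mode, expected 0600"; rc=1 ;; esac
    ap=$(sssd_get "$f" "$sec" access_provider)
    if [ -z "$ap" ]; then
        echo "FAIL: no access_provider in [$sec]; the default (permit) lets every AD user log in"; rc=1
    elif [ "$ap" = simple ] && [ -z "$(sssd_get "$f" "$sec" simple_allow_groups)" ]; then
        echo "FAIL: access_provider = simple with no simple_allow_groups"; rc=1
    fi
    dl=$(sssd_get "$f" pam debug_level)
    [ -z "$dl" ] || echo "WARN: [pam] debug_level = $dl still set; revert it once debugging is done"
    return $rc
}

# Constructed sample modelled on the page's example, with the debug block left in.
write_sample_conf() { # path
    cat > "$1" <<'EOF'
[sssd]
domains = ad.domain.lu
[domain/ad.domain.lu]
id_provider = ad
cache_credentials = True
access_provider = simple
simple_allow_groups = LINUX-ALL-SUDO@ad.domain.lu, LINUX-MYSQL-USER@ad.domain.lu
[pam]
debug_level = 9
EOF
    chmod 600 "$1"
}

tmp=$(mktemp); write_sample_conf "$tmp"
audit_sssd_conf "$tmp"; echo "audit exit status: $?"; rm -f "$tmp"
```

Run it against the real file with ''audit_sssd_conf /etc/sssd/sssd.conf'' after sourcing the functions.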