====== Config PAM on linux ======

==== Example of sssd.conf file ====

<cli prompt='#'>
[root@LINUX10 ~]# cat /etc/sssd/sssd.conf

[sssd]
default_domain_suffix = ad.domain.lu
domains = ad.domain.lu
config_file_version = 2
services = nss, pam

[domain/ad.domain.lu]
ad_domain = ad.domain.lu
krb5_realm = AD.DOMAIN.LU
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = LINUX-ALL-SUDO@ad.domain.lu, LINUX-MYSQL-USER@ad.domain.lu
</cli>

==== Debug PAM: ====

=== 1° solution ===

Add to the end of file **/etc/sssd/sssd.conf** the following lines
<cli>
[pam]
debug_level = 9
</cli>

Logs are located into /var/log/sssd/, and also /var/log/secure

=== 2° solution ===

Add debug to /etc/pam.d/* 

auth        sufficient    pam_duo.so debug

logs will be located into 

*.debug      /var/log/debug.log

==== start SSSD in debug ====

<cli prompt='#'>
# sssd -d4

[sssd] [ldb] (3): server_sort:Unable to register control with rootdse!
[sssd] [confdb_get_domains] (0): No domains configured, fatal error!
[sssd] [get_monitor_config] (0): No domains configured.
</cli>

==== Check SElinux config ====

https://jfearn.fedorapeople.org/fdocs/en-US/Fedora_Draft_Documentation/0.1/html/System_Administrators_Guide/SSSD-Troubleshooting.htmlhttps://jfearn.fedorapeople.org/fdocs/en-US/Fedora_Draft_Documentation/0.1/html/System_Administrators_Guide/SSSD-Troubleshooting.html

==== Clear sssd cache ====

To clear sssd cache for single user
<cli promt='#'>
# sss_cache -u user1
</cli>

To clear sssd cache for all users
<cli promt='#'>
# sss_cache -E
</cli>

==== Delete sssd cache ====

Before doing this it is suggested that the SSSD service be stopped.
<cli promt='#'>
# systemctl stop sssd
</cli>

After this we want to delete all files within the /var/lib/sss/db/ directory.
<cli promt='#'>
# rm -rf /var/lib/sss/db/*
</cli>

Once complete we can start SSSD back up again.
<cli promt='#'>
# systemctl restart sssd
</cli>

==== Use AD UID and GID ====

By default, the AD provider will map UID and GID values from the objectSID parameter in Active Directory. 
For details on this, see the “ID MAPPING” section below. 
If you want to disable ID mapping and instead rely on POSIX attributes defined in Active Directory, you should set
  ldap_id_mapping = False

SSSD configuration would depend on what attributes are used in AD. The defaults for UID and GID are **uidNumber** and **gidNumber**, but some defaults change based on which version of SSSD you are running. Check the manpage for the release you are using.