====== Config PAM on Linux ======
==== Example sssd.conf file ====
[root@LINUX10 ~]# cat /etc/sssd/sssd.conf
[sssd]
default_domain_suffix = ad.domain.lu
domains = ad.domain.lu
config_file_version = 2
services = nss, pam
[domain/ad.domain.lu]
ad_domain = ad.domain.lu
krb5_realm = AD.DOMAIN.LU
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = LINUX-ALL-SUDO@ad.domain.lu, LINUX-MYSQL-USER@ad.domain.lu
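As an added check (example code written for this page, not part of the original page or of SSSD), the following Python script parses an sssd.conf like the one above and flags settings that loosen access control: a domain listed in domains without its section, a domain with no access_provider (SSSD then defaults to permit, so every AD account can log in), access_provider = permit, and access_provider = simple with empty allow and deny lists (which also grants everyone). The two embedded configs are constructed: PAGE_CONF is the file shown above, OPEN_CONF is the same file with the access_provider and simple_allow_groups lines removed.

```python
"""Flag weak access-control settings in an sssd.conf (added example)."""
import configparser
from typing import List

# Constructed sample: the page's configuration, which should pass cleanly.
PAGE_CONF = """\
[sssd]
default_domain_suffix = ad.domain.lu
domains = ad.domain.lu
config_file_version = 2
services = nss, pam

[domain/ad.domain.lu]
ad_domain = ad.domain.lu
krb5_realm = AD.DOMAIN.LU
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = LINUX-ALL-SUDO@ad.domain.lu, LINUX-MYSQL-USER@ad.domain.lu
"""

# Constructed variant: the same file with the access_provider lines dropped,
# which is how a freshly joined host often looks.
OPEN_CONF = "\n".join(
    line for line in PAGE_CONF.splitlines()
    if not line.startswith(("access_provider", "simple_allow_groups"))
) + "\n"


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf: an INI dialect with 'key = value' lines and # comments."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#", ";"))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def _csv(value: str) -> List[str]:
    """Split an SSSD comma-separated list, dropping blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_sssd_conf(text: str) -> List[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    cp = parse_sssd_conf(text)
    findings: List[str] = []
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    sssd = cp["sssd"]
    if "pam" not in _csv(sssd.get("services", "")):
        findings.append("services lacks 'pam': SSSD will not perform authentication")
    domains = _csv(sssd.get("domains", ""))
    if not domains:
        findings.append("no domains configured: SSSD will refuse to start")
    for dom in domains:
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            findings.append(f"{dom}: listed in domains but [{sect}] is missing")
            continue
        d = cp[sect]
        provider = d.get("access_provider")
        if provider is None:
            # sssd.conf(5): access_provider defaults to permit
            findings.append(f"{dom}: no access_provider, default is permit "
                            "(every AD account can log in)")
        elif provider == "permit":
            findings.append(f"{dom}: access_provider = permit lets every AD account log in")
        elif provider == "simple":
            # sssd-simple(5): with all lists empty, access is granted to everyone
            allow = _csv(d.get("simple_allow_groups", "")) + _csv(d.get("simple_allow_users", ""))
            deny = _csv(d.get("simple_deny_groups", "")) + _csv(d.get("simple_deny_users", ""))
            if not allow and not deny:
                findings.append(f"{dom}: access_provider = simple with empty lists grants "
                                "access to everyone")
    return findings


if __name__ == "__main__":
    for name, conf in (("page config", PAGE_CONF), ("open config", OPEN_CONF)):
        print(name, "->", check_sssd_conf(conf) or "OK")
```

Run it against a real file with `check_sssd_conf(open("/etc/sssd/sssd.conf").read())`; the file is root-only (SSSD insists on mode 0600), so run it as root.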
==== Debug PAM ====
=== 1st solution ===
Add the following lines to the end of **/etc/sssd/sssd.conf** and restart SSSD:
[pam]
debug_level = 9
Logs are written to /var/log/sssd/ (the PAM responder writes sssd_pam.log); the PAM side of each login is still logged to /var/log/secure.
=== 2nd solution ===
Add the debug option to the module lines in /etc/pam.d/*, for example:
auth sufficient pam_duo.so debug
The module then logs through syslog; with an rsyslog rule such as the one below, the messages land in /var/log/debug.log:
*.debug /var/log/debug.log
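With either solution in place, /var/log/secure fills with pam_sss lines. The following Python script is an added example written for this page (not code from the page or from SSSD): it groups those lines per user and source host and separates password failures in the auth phase from access-provider denials in the account phase, which with access_provider = simple means the user is not in simple_allow_groups rather than that the password was wrong. The log lines are constructed in the format pam_sss uses, and the failure threshold is an assumption.

```python
"""Summarise pam_sss events from /var/log/secure (added example)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample lines in the syslog format pam_sss writes to /var/log/secure.
SAMPLE_LOG = """\
Oct 12 09:58:01 LINUX10 sshd[2211]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=user1@ad.domain.lu
Oct 12 10:01:02 LINUX10 sshd[2315]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=user1@ad.domain.lu
Oct 12 10:01:02 LINUX10 sshd[2315]: pam_sss(sshd:auth): received for user user1@ad.domain.lu: 7 (Authentication failure)
Oct 12 10:01:30 LINUX10 sshd[2340]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=user1@ad.domain.lu
Oct 12 10:01:30 LINUX10 sshd[2340]: pam_sss(sshd:auth): received for user user1@ad.domain.lu: 7 (Authentication failure)
Oct 12 10:05:11 LINUX10 sshd[2399]: pam_sss(sshd:account): Access denied for user user2@ad.domain.lu: 6 (Permission denied)
Oct 12 10:07:45 LINUX10 sshd[2450]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9 user=svc-backup@ad.domain.lu
Oct 12 10:07:45 LINUX10 sshd[2450]: pam_sss(sshd:auth): received for user svc-backup@ad.domain.lu: 7 (Authentication failure)
"""

# "authentication failure; ... rhost=<host> user=<name>" written in the auth phase
AUTH_FAIL = re.compile(
    r"pam_sss\((?P<service>[^:]+):auth\): authentication failure;.*?"
    r"rhost=(?P<rhost>\S*) user=(?P<user>\S+)")
# SSSD result code: "received for user X: N (msg)" (auth) or
# "Access denied for user X: N (msg)" (account phase, i.e. the access provider)
RESULT = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<phase>auth|account)\): "
    r"(?:received for user|Access denied for user) (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<msg>[^)]*)\)")


def summarize_pam_sss(lines: Iterable[str]) -> Dict[str, dict]:
    """Count auth failures per (user, rhost) and SSSD results per (phase, user, code, msg)."""
    failures: Dict[Tuple[str, str], int] = defaultdict(int)
    results: Dict[Tuple[str, str, int, str], int] = defaultdict(int)
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            failures[(m["user"], m["rhost"] or "?")] += 1
            continue
        m = RESULT.search(line)
        if m:
            results[(m["phase"], m["user"], int(m["code"]), m["msg"])] += 1
    return {"auth_failures": dict(failures), "results": dict(results)}


def access_denied_users(summary: Dict[str, dict]) -> List[str]:
    """Users rejected in the account phase: the access provider said no, the password was fine."""
    return sorted({user for (phase, user, _code, _msg) in summary["results"] if phase == "account"})


def repeated_failures(summary: Dict[str, dict], threshold: int = 2) -> List[Tuple[str, str, int]]:
    """(user, rhost, count) for sources that failed at least `threshold` times (assumed threshold)."""
    return sorted((u, h, n) for (u, h), n in summary["auth_failures"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize_pam_sss(SAMPLE_LOG.splitlines())
    print("repeated auth failures:", repeated_failures(s))
    print("denied by access provider:", access_denied_users(s))
```

On a live host feed it `open("/var/log/secure")` instead of the sample; a user that shows up only under access_denied_users is a group-membership problem to fix in AD (or simple_allow_groups), not a credential problem.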
==== Start SSSD in debug mode ====
Start SSSD by hand with debug level 4 to see why it fails to come up:
# sssd -d4
[sssd] [ldb] (3): server_sort:Unable to register control with rootdse!
[sssd] [confdb_get_domains] (0): No domains configured, fatal error!
[sssd] [get_monitor_config] (0): No domains configured.
==== Check SELinux config ====
https://jfearn.fedorapeople.org/fdocs/en-US/Fedora_Draft_Documentation/0.1/html/System_Administrators_Guide/SSSD-Troubleshooting.html
==== Clear the SSSD cache ====
To clear the SSSD cache for a single user:
# sss_cache -u user1
To clear the cache for all users (-E invalidates every cached entry, groups included):
# sss_cache -E
==== Delete the SSSD cache ====
Stop the SSSD service first:
# systemctl stop sssd
Then delete all files in the /var/lib/sss/db/ directory. This also removes the cached credentials, so with cache_credentials = True users cannot log in while the domain controller is unreachable until they have logged in online once more:
# rm -rf /var/lib/sss/db/*
Once that is done, start SSSD again:
# systemctl restart sssd
==== Use AD UID and GID ====
By default, the AD provider maps UID and GID values from the objectSID attribute in Active Directory.
For details, see the "ID MAPPING" section of the sssd-ad(5) manpage.
If you want to disable ID mapping and instead rely on the POSIX attributes defined in Active Directory, set
ldap_id_mapping = False
The rest of the SSSD configuration then depends on which attributes are used in AD. The defaults for UID and GID are **uidNumber** and **gidNumber**, but some defaults change between SSSD versions, so check the manpage for the release you are running. Switching ID mapping on or off changes every domain user's UID and GID, so existing file ownership has to be fixed up and the SSSD cache cleared afterwards.
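Before switching ldap_id_mapping to False it is worth auditing the POSIX attributes in AD, because an account without uidNumber/gidNumber simply disappears from SSSD, two accounts sharing a uidNumber become one Unix identity, and a uidNumber of 0 maps to root. The following Python check is an added example for this page (not from the page or from SSSD): the user entries are constructed stand-ins for LDAP search results, the attribute names are the defaults named above (SSSD lets you override them with ldap_user_uid_number / ldap_user_gid_number in sssd-ldap(5)), and the floor of 1000 is an assumption (SSSD's own min_id option defaults to 1).

```python
"""Audit AD POSIX attributes before disabling SSSD ID mapping (added example)."""
from typing import Dict, List, Mapping, Sequence

# Constructed sample AD user entries (attribute name -> value as returned by LDAP).
SAMPLE_USERS = [
    {"sAMAccountName": "user1", "uidNumber": "10001", "gidNumber": "5001"},
    {"sAMAccountName": "user2", "uidNumber": "10002", "gidNumber": "5001"},
    {"sAMAccountName": "svc-backup", "gidNumber": "5001"},                       # no uidNumber
    {"sAMAccountName": "contractor", "uidNumber": "10002", "gidNumber": "5002"},  # collides with user2
    {"sAMAccountName": "admin", "uidNumber": "0", "gidNumber": "0"},              # would become root
    {"sAMAccountName": "broken", "uidNumber": "abc", "gidNumber": "5001"},        # not a number
]

UID_ATTR = "uidNumber"   # SSSD default, overridable with ldap_user_uid_number
GID_ATTR = "gidNumber"   # SSSD default, overridable with ldap_user_gid_number
MIN_ID = 1000            # assumption: keep domain users above local system accounts


def audit_posix_attrs(users: Sequence[Mapping[str, str]],
                      uid_attr: str = UID_ATTR, gid_attr: str = GID_ATTR,
                      min_id: int = MIN_ID) -> Dict[str, List[str]]:
    """Return accounts that would vanish, collide or land on privileged IDs."""
    findings: Dict[str, List[str]] = {"missing": [], "invalid": [],
                                      "below_min_id": [], "collisions": []}
    seen_uid: Dict[int, str] = {}  # uidNumber -> first account that uses it
    for u in users:
        name = u.get("sAMAccountName", "?")
        uid, gid = u.get(uid_attr), u.get(gid_attr)
        if uid is None or gid is None:
            # Without both attributes SSSD does not expose the user at all.
            findings["missing"].append(name)
            continue
        try:
            uid_i, gid_i = int(uid), int(gid)
        except ValueError:
            findings["invalid"].append(name)
            continue
        if uid_i < min_id or gid_i < min_id:
            findings["below_min_id"].append(name)
        if uid_i in seen_uid:
            findings["collisions"].append(
                f"{name} shares {uid_attr} {uid_i} with {seen_uid[uid_i]}")
        else:
            seen_uid[uid_i] = name
    return findings


def safe_to_disable_id_mapping(users: Sequence[Mapping[str, str]]) -> bool:
    """True only if no account was flagged in any category."""
    return not any(audit_posix_attrs(users).values())


if __name__ == "__main__":
    for category, names in audit_posix_attrs(SAMPLE_USERS).items():
        print(f"{category:13s}: {names}")
    print("safe to set ldap_id_mapping = False:", safe_to_disable_id_mapping(SAMPLE_USERS))
```

Feed it the result of an LDAP search for users with a Unix-enabled objectClass; only when every list comes back empty is it safe to flip ldap_id_mapping and clear the cache.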