linux:pam_users

Configure PAM on Linux

Example sssd.conf file

[root@LINUX10 ~]# cat /etc/sssd/sssd.conf

[sssd]
default_domain_suffix = ad.domain.lu
domains = ad.domain.lu
config_file_version = 2
services = nss, pam

[domain/ad.domain.lu]
ad_domain = ad.domain.lu
krb5_realm = AD.DOMAIN.LU
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = LINUX-ALL-SUDO@ad.domain.lu, LINUX-MYSQL-USER@ad.domain.lu
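The following script is an added example, not part of this page or of the SSSD project: it parses an sssd.conf in the format shown above with Python's configparser and reports the settings an administrator should review before leaving the host in production (an access_provider that admits every AD user, a simple provider without any allow list, cached credentials on disk, and a trace-level debug_level left switched on). The sample configuration embedded in it is constructed from the file above; the debug threshold and the wording of the findings are the example's own choices.

```python
import configparser

# Constructed sample, modelled on the sssd.conf shown on this page (not a real host's file).
SAMPLE_SSSD_CONF = """\
[sssd]
default_domain_suffix = ad.domain.lu
domains = ad.domain.lu
config_file_version = 2
services = nss, pam

[domain/ad.domain.lu]
ad_domain = ad.domain.lu
krb5_realm = AD.DOMAIN.LU
cache_credentials = True
id_provider = ad
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = LINUX-ALL-SUDO@ad.domain.lu, LINUX-MYSQL-USER@ad.domain.lu

[pam]
debug_level = 9
"""


def load_sssd_conf(text):
    # sssd.conf values contain '%u' / '%d' templates, so interpolation must be off,
    # otherwise configparser raises on fallback_homedir.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def is_trace_level(value):
    # debug_level is either a decimal 0-9 or a hex bitmask (e.g. 0x0010).
    # Decimal 6 and above, or a mask with bits at 0x0400 and above, turn on
    # trace output; this threshold is the example's own choice.
    try:
        n = int(value.strip(), 0)
    except ValueError:
        return False
    if value.strip().lower().startswith("0x"):
        return (n & ~0x03FF) != 0
    return n >= 6


def audit_sssd_conf(text):
    """Return a list of human-readable findings for the given sssd.conf text."""
    cp = load_sssd_conf(text)
    findings = []
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for dom in domains:
        sec = "domain/" + dom
        if not cp.has_section(sec):
            findings.append(f"{dom}: listed in [sssd] domains but [{sec}] is missing")
            continue
        # access_provider defaults to 'permit', i.e. no access control at all.
        access = cp.get(sec, "access_provider", fallback="permit").strip().lower()
        if access == "permit":
            findings.append(f"{dom}: access_provider is 'permit': every AD user may log in; "
                            "use 'simple' with simple_allow_groups, or 'ad'")
        elif access == "simple":
            # The simple provider allows everyone when no allow list is configured.
            if not (cp.get(sec, "simple_allow_groups", fallback="").strip()
                    or cp.get(sec, "simple_allow_users", fallback="").strip()):
                findings.append(f"{dom}: access_provider = simple without simple_allow_groups "
                                "or simple_allow_users allows all users")
        if cp.getboolean(sec, "cache_credentials", fallback=False):
            findings.append(f"{dom}: cache_credentials = True: credential hashes are kept under "
                            "/var/lib/sss/db; keep that directory root-only and clear it on decommission")
    for sec in cp.sections():
        lvl = cp.get(sec, "debug_level", fallback=None)
        if lvl is not None and is_trace_level(lvl):
            findings.append(f"[{sec}]: debug_level = {lvl.strip()} leaves trace-level logging on; "
                            "lower it once troubleshooting is done")
    return findings


if __name__ == "__main__":
    for line in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print("WARN", line)
```

Run against the sample, the script flags the cached credentials and the debug_level = 9 in [pam]; it stays silent on access control because the simple provider has an allow list. To audit a real host, read /etc/sssd/sssd.conf (root-only, mode 0600) and pass its contents to audit_sssd_conf.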

Debug PAM:

1st solution

Add the following lines to the end of /etc/sssd/sssd.conf:

[pam]
debug_level = 9

Logs are written to /var/log/sssd/ and also to /var/log/secure.

2nd solution

Add the debug option to the relevant module lines in /etc/pam.d/*, for example:

auth sufficient pam_duo.so debug

These messages go through syslog; with a syslog rule such as the following (e.g. in /etc/rsyslog.conf) they are written to /var/log/debug.log:

*.debug /var/log/debug.log

Start SSSD with debug level 4:

# sssd -d4

[sssd] [ldb] (3): server_sort:Unable to register control with rootdse!
[sssd] [confdb_get_domains] (0): No domains configured, fatal error!
[sssd] [get_monitor_config] (0): No domains configured.

Check the SELinux configuration

Clear sssd cache

To clear the SSSD cache for a single user:

# sss_cache -u user1

To clear the SSSD cache for all users:

# sss_cache -E

Delete sssd cache

Before doing this it is suggested that the SSSD service be stopped.

# systemctl stop sssd

Then delete all files within the /var/lib/sss/db/ directory:

# rm -rf /var/lib/sss/db/*

Once that is done, start SSSD again:

# systemctl restart sssd

Use AD UID and GID

By default, the AD provider maps UID and GID values from the objectSID attribute in Active Directory. For details on this, see the “ID MAPPING” section of the sssd-ad(5) manual page. If you want to disable ID mapping and instead rely on the POSIX attributes defined in Active Directory, set:

ldap_id_mapping = False

The rest of the SSSD configuration then depends on which attributes are used in AD. The defaults for UID and GID are uidNumber and gidNumber, but some defaults change between SSSD versions, so check the manual page for the release you are using.
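Before switching ldap_id_mapping to False it is worth checking that every AD account actually carries usable POSIX attributes and that the values do not clash with anything local, because users without uidNumber/gidNumber stop resolving and a UID that duplicates a local or system account hands the AD user that account's files. The script below is an added example, not part of this page or of SSSD: it takes a list of user entries as an LDAP query would return them and the text of /etc/passwd, and reports missing, non-numeric, reserved, colliding and duplicated UIDs. The AD entries and passwd lines are constructed sample data, and uid_min = 1000 is an assumption (UID_MIN from login.defs on recent distributions).

```python
# Constructed sample data (not from a real directory or host): the POSIX attributes
# SSSD reads from AD once ldap_id_mapping = False, plus a few local passwd lines.
AD_USERS = [
    {"sAMAccountName": "alice", "uidNumber": "10001", "gidNumber": "10000"},
    {"sAMAccountName": "bob",   "uidNumber": "10002", "gidNumber": "10000"},
    {"sAMAccountName": "carol"},                                             # no POSIX attributes
    {"sAMAccountName": "dave",  "uidNumber": "0",     "gidNumber": "0"},     # would become root
    {"sAMAccountName": "erin",  "uidNumber": "48",    "gidNumber": "48"},    # same UID as local apache
    {"sAMAccountName": "frank", "uidNumber": "10001", "gidNumber": "10000"}, # duplicate of alice
]

LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
manu:x:1000:1000::/home/manu:/bin/bash
"""


def parse_passwd(text):
    """Map UID -> account name from passwd(5)-formatted text."""
    local = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2].isdigit():
            local[int(fields[2])] = fields[0]
    return local


def check_posix_attributes(ad_users, passwd_text, uid_min=1000):
    """Return the problems that would surface after setting ldap_id_mapping = False.

    uid_min is the start of the regular-user range (UID_MIN in login.defs, assumed
    to be 1000 here); anything below it is reserved for system accounts.
    """
    local = parse_passwd(passwd_text)
    seen = {}
    problems = []
    for entry in ad_users:
        name = entry.get("sAMAccountName", "?")
        uid, gid = entry.get("uidNumber"), entry.get("gidNumber")
        if uid is None or gid is None:
            # Without both attributes SSSD cannot build a passwd entry, so the user vanishes.
            problems.append(f"{name}: missing uidNumber or gidNumber; will not resolve without ID mapping")
            continue
        if not (uid.isdigit() and gid.isdigit()):
            problems.append(f"{name}: non-numeric uidNumber/gidNumber ({uid!r}, {gid!r})")
            continue
        uid_n = int(uid)
        if uid_n < uid_min:
            problems.append(f"{name}: uidNumber {uid_n} is below {uid_min}, the system-account range")
        if uid_n in local:
            problems.append(f"{name}: uidNumber {uid_n} collides with local account '{local[uid_n]}'")
        if uid_n in seen:
            problems.append(f"{name}: uidNumber {uid_n} is already used by AD user '{seen[uid_n]}'")
        else:
            seen[uid_n] = name
    return problems


if __name__ == "__main__":
    for problem in check_posix_attributes(AD_USERS, LOCAL_PASSWD):
        print("PROBLEM", problem)
```

On the sample data the check reports six problems: carol has no POSIX attributes, dave and erin each sit below uid_min and collide with root and apache respectively, and frank reuses alice's UID. Fix those in AD first; only an empty result means the switch to POSIX attributes will not silently lock users out or merge identities.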

linux/pam_users.txt · Last modified: 2022/11/07 16:28 by manu