[Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

Sumit Bose sbose at redhat.com
Tue Dec 8 16:40:28 UTC 2015


On Tue, Dec 08, 2015 at 02:33:40PM +0100, Stefano Cortese wrote:
> Hi Sumit
> yes it works commenting out the line 'enable_only = sssd' and making
> the file immutable, namely the .k5login file is read and enforced.
> But with respect to the solution of completely emptying the snippet, the
> possibility is lost to perform the same enforcement via an
> 'auth_to_local_names' entry in /etc/krb5.conf for the given realm, in
> which the service's principal is mapped onto the destination POSIX
> account.

This is expected because if either the principal or the user name is
known to SSSD the localauth plugin will take control because by default
the added modules are registered first (see [plugins] section of man
krb5.conf for details).

To check auth_to_local_names first you can try

   enable_only=names,k5login,sssd

HTH

bye,
Sumit



