[Freeipa-users] Switch sudoers to IPA

Jakub Hrozek jhrozek at redhat.com
Thu Mar 2 20:07:25 UTC 2017


On Thu, Mar 02, 2017 at 09:50:41PM +0530, deepak dimri wrote:
> Hi Jakub, Actually that is what I am doing. I am creating the user with
> same UID in IPA and then if I delete the user locally then I can
> authenticate via IPA. Is there any way I can do this without deleting the
> user? This is just to use the same GID and avoid recreation of
> home/directories.

I think you'd need to modify the PAM stack to keep going even if
authentication against pam_unix fails. I /think/ (but haven't tested)
that modifying the lines that deal with pam_unix/pam_sss like this:

    auth     [default=2 success=ok] pam_localuser.so
    auth     sufficient pam_unix.so nullok try_first_pass
    auth     [success=done ignore=ignore default=die] pam_sss.so use_first_pass

could work. The other lines in the PAM auth stack and all the other
stacks should be left intact.

(Please keep a root shell around if you're going to tinker with PAM
settings and preferably try this out on a test box first.)
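As an added illustration (not code from the post, nor from FreeIPA or SSSD), here is a small Python evaluator for the control-flag semantics described in pam.d(5), run against the three-line fragment above with constructed module results; it assumes the stack closes with the `pam_deny.so` line found at the end of typical Fedora/RHEL system-auth files and simplifies Linux-PAM's real dispatcher.

```python
# Added example (not from the post or from FreeIPA/SSSD): evaluates the pam.d(5)
# control-flag semantics for the auth fragment above on a constructed result table.
SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN", "PAM_PERM_DENIED")
# Classic keywords expanded to bracketed actions exactly as pam.d(5) lists them.
KEYWORDS = {"required": {"success": "ok", "ignore": "ignore", "default": "bad"},
            "requisite": {"success": "ok", "ignore": "ignore", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}}

def parse_control(control: str) -> dict:
    """'sufficient' or '[default=2 success=ok]' -> {return value: action}."""
    if control.startswith("["):
        return dict(p.split("=", 1) for p in control.strip("[]").split())
    return KEYWORDS[control]

def evaluate(stack: list, results: dict) -> str:
    """Walk [(control, module), ...] using per-module return codes. Simplified
    dispatcher: the first recorded failure wins, 'done' only short-circuits on
    an overall PAM_SUCCESS, N means 'ok' plus a jump over the next N modules."""
    status, i = None, 0
    while i < len(stack):
        control, module = stack[i]
        actions, retval = parse_control(control), results[module]
        key = "success" if retval == SUCCESS else retval[4:].lower()
        action = actions.get(key, actions.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue
        if status in (None, SUCCESS):  # ok, done, bad, die and N all record here
            status = retval
        if action == "die" or (action == "done" and status == SUCCESS):
            break
        if action.isdigit():
            i += int(action)
    return status if status is not None else PERM_DENIED  # undefined = denial

# The three lines from the message plus an assumed closing pam_deny, as found at
# the end of a typical Fedora/RHEL system-auth stack (assumption, not in the post).
STACK = [("[default=2 success=ok]", "pam_localuser.so"),
         ("sufficient", "pam_unix.so"),
         ("[success=done ignore=ignore default=die]", "pam_sss.so"),
         ("required", "pam_deny.so")]

def scenario(local: bool, unix_ok: bool, sss_ok: bool) -> str:
    """Constructed outcomes for one login attempt -> final stack status."""
    results = {"pam_localuser.so": SUCCESS if local else USER_UNKNOWN,
               "pam_unix.so": SUCCESS if unix_ok else AUTH_ERR,
               "pam_sss.so": SUCCESS if sss_ok else AUTH_ERR,
               "pam_deny.so": PERM_DENIED}
    return evaluate(STACK, results)
```

`scenario(True, False, True)` is the case the thread is after: a local user whose pam_unix check fails still reaches pam_sss and succeeds. The IPA-only case shows that a jump of 2 from pam_localuser lands past pam_sss when nothing sits between these lines, so the surrounding lines of the real stack decide what happens to non-local users.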
