<html> <head> <style></style></head> <body class='hmmessage'><div dir='ltr'>> Date: Thu, 29 Nov 2012 16:56:08 +0100 <div>> From: jhrozek@redhat.com > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] FreeIPA manual PAM setup help > > On Thu, Nov 29, 2012 at 10:26:00AM -0500, Rob Crittenden wrote: > > 小龙陈 wrote: > > >Hi, > > > > > >I've been working on porting the FreeIPA client to Arch Linux lately and > > >I'm now to the last step of the puzzle. Everything works the way it > > >should, except for PAM, which I don't know how to setup. > > > > > >I must admit that I'm very confused my the PAM configuration (which PAM > > >module does what, the order of the modules, etc). What I'm trying to > > >find out is where the pam_sss.so lines should go. Here's a copy of the > > >/etc/pam.d/ directory in Arch Linux: http://ompldr.org/vZ2hxcw/pam.d.tar.bz2 > > > > > >I'd greatly appreciate it if someone could help me out :) Thanks! > > > > > > > I gather that this is due to a lack of authconfig. > > > > Timo Aaltonen has been working on ipa-client (and server!) for > > Ubuntu and he ran into similar problems but I'm not sure what > > solution he came up with. > > > > I'll find someone with more PAM experience to try to give you more > > practical help. > > > > rob > > Hi, > > the PAM config files on Arch Linux are a little bit different than what > Fedora/RHEL uses. It seems that the per-service config files (such as > /etc/pam.d/su for logging in with su) directly include the PAM modules, > in your case pam_unix.so only. On Fedora/RHEL, the per-service files > usually include a more generic file called something like system-auth. > > Either way works, but if you'd like to configure more services in a > similar way, then including a common file might save you some edits. > > This document is a little outdated but provides a nice intro into > configuring PAM: > http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html > > In general you there are fours stacks in PAM, each of them controls one > step in the auth process. > > I think you'll want to use both pam_unix and pam_sss in all the > stacks -- pam_sss is needed for users coming in from the SSSD to log in > and you'll also want to keep pam_unix around so that local users (at > least root) can log in too. > > Here is what my PAM config on Fedora 18 looks like: > -------------------------------------------------------------------- > auth required pam_env.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 1000 quiet_success > auth sufficient pam_sss.so use_first_pass > auth required pam_deny.so > > account required pam_unix.so broken_shadow > account sufficient pam_localuser.so > account sufficient pam_succeed_if.so uid < 1000 quiet > account [default=bad success=ok user_unknown=ignore] pam_sss.so > account required pam_permit.so > > password optional pam_pwquality.so try_first_pass retry=3 type= > password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok > password sufficient pam_sss.so use_authtok > password required pam_deny.so > > session optional pam_keyinit.so revoke > session required pam_limits.so > -session optional pam_systemd.so > session optional pam_oddjob_mkhomedir.so > session [success=1 default=ignore] pam_succeed_if.so service in > crond quiet use_uid > session required pam_unix.so > session optional pam_sss.so > -------------------------------------------------------------------- > > If Arch Linux ships the same modules as Fedora, the you should be able to > simply copy and use the PAM config we use.. I've put Honza to CC, I know > he runs Arch Linux as well and might have some insights into how PAM is > configured on Arch. > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users Hi, Thanks a lot for your reply! I'll be sure to read up on the link. The per-service config files are a bit annoying in Arch. I'm not sure if it's possible, but maybe I can create a /etc/pam.d/sssd that can be included in the other files? I'm guessing that the order of the PAM modules matters, so I'm not sure that that would work. I'll try adding pam_sss to each file, based on Fedora's system-auth, and see how that goes. Best Regards, Xiao-Long Chen </div> </div></body> </html>