Date:      Thu, 09 Mar 2017 19:57:50 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 217415] security/sssd Cannot authenticate towards Active Directory
Message-ID:  <bug-217415-13-LrP0Zq4TlI@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-217415-13@https.bugs.freebsd.org/bugzilla/>
References:  <bug-217415-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217415

--- Comment #18 from lukas.slebodnik@intrak.sk ---
I overlooked that your current pam stack contains some lines which are
commented out and pam_sss.so is the first one, but it expects the password
from a previous module.

># auth
>auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>auth            requisite       pam_opieaccess.so       no_warn allow_local
>#auth           sufficient      pam_krb5.so             no_warn try_first_pass
>#auth           sufficient      pam_ssh.so              no_warn try_first_pass
>auth            sufficient      /usr/local/lib/pam_sss.so debug use_first_pass
>auth            required        pam_unix.so             no_warn try_first_pass

If you want to have pam_sss.so as the first one then you need to remove
*use_first_pass*, otherwise sssd will not try to get the password from the
user; and you also want to forward the password to other modules.
e.g.

>auth            required        pam_nologin.so          no_warn
>auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>auth            requisite       pam_opieaccess.so       no_warn allow_local
>auth            sufficient      /usr/local/lib/pam_sss.so              forward_pass
>auth            required        pam_unix.so             no_warn try_first_pass

or you can have pam_unix as the first one so authentication for local users
would not be slowed down by pam_sss.so

>auth            required        pam_nologin.so          no_warn
>auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>auth            requisite       pam_opieaccess.so       no_warn allow_local
>auth            sufficient      pam_unix.so             no_warn try_first_pass
>auth            sufficient      /usr/local/lib/pam_sss.so              use_first_pass
>auth            required        pam_deny.so

Sorry for the longer delay between replies.

-- 
You are receiving this mail because:
You are the assignee for the bug.
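
The ordering rule from the comment above, as an added example that is not part of the bug report or of sssd: a small linter that walks the active auth lines and flags a module using use_first_pass before any earlier module has supplied a password. Assumptions: the PROMPTS set and the treatment of pam_opie.so as not handing a password on are choices made for this sketch; the three stacks are retyped from the comment.

```python
# Added example. Assumption: modules in PROMPTS ask the user for a password
# unless given use_first_pass; pam_opie.so is treated as not handing one on.
PROMPTS = {"pam_unix.so", "pam_sss.so"}

REPORTED = """\
auth   sufficient  pam_opie.so        no_warn no_fake_prompts
auth   requisite   pam_opieaccess.so  no_warn allow_local
#auth  sufficient  pam_krb5.so        no_warn try_first_pass
auth   sufficient  /usr/local/lib/pam_sss.so debug use_first_pass
auth   required    pam_unix.so        no_warn try_first_pass
"""
SSS_FIRST = """\
auth   sufficient  pam_opie.so        no_warn no_fake_prompts
auth   sufficient  /usr/local/lib/pam_sss.so forward_pass
auth   required    pam_unix.so        no_warn try_first_pass
"""
UNIX_FIRST = """\
auth   sufficient  pam_unix.so        no_warn try_first_pass
auth   sufficient  /usr/local/lib/pam_sss.so use_first_pass
auth   required    pam_deny.so
"""

def parse_auth(text):
    """Return (module, options) for each active auth line, in stack order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop commented-out lines
        if len(fields) >= 3 and fields[0] == "auth":
            module = fields[2].rsplit("/", 1)[-1]   # strip any directory path
            stack.append((module, set(fields[3:])))
    return stack

def lint(text):
    """Flag use_first_pass modules that run before a password is available."""
    findings, have_password = [], False
    for module, opts in parse_auth(text):
        if "use_first_pass" in opts:
            if not have_password:
                findings.append(f"{module}: use_first_pass, but no earlier "
                                "module supplies a password")
        elif module in PROMPTS:
            # pam_sss.so leaves the password for later modules only with forward_pass
            if module != "pam_sss.so" or "forward_pass" in opts:
                have_password = True
    return findings

if __name__ == "__main__":
    for name in ("REPORTED", "SSS_FIRST", "UNIX_FIRST"):
        print(name, lint(globals()[name]) or "ok")
```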


