In our current RHEL5 deployment, we use pam_listfile to control access
to our servers. While I was putting together our sss config for RHEL6, I
initially thought I could use the simple access provider to replace it.
However, we have both central accounts as well as local service accounts
on some servers. While we try to avoid scenarios where a local service
account needs to log in directly, in some cases it is unavoidable and as
such some of them exist in our pam_listfile configuration.
The sss pam provider always returns user unknown for these local users
in the account module, never getting to the access control. I would
consider it useful for the simple access provider to be able to control
access based on the allow/deny lists for users that aren't part of any
sss domain; without that capability it cannot replace pam_listfile. I
took a look, and unfortunately making such a change seems far from
trivial 8-/.
What are thoughts on such functionality? From a design perspective, do
you prefer that this access control mechanism only function with sss
domain users? From an abstract perspective, it could easily process
allow/deny for users that it doesn't know about. Groups, OTOH, would be
more problematic. I think all of our current pam_listfile configuration
for local accounts is based on users though.
The other option I considered was adding a second sss domain that
proxied nss_files such that sss was aware of local users. This seemed a
bit kludgy, more so than just continuing to use pam_listfile, which is
what we ended up doing.
Thanks...
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
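Added example (not from the post or the SSSD project) showing how the two mechanisms described above can be layered on a RHEL6-style account stack: the simple access provider gates sss domain users, and the "user unknown" result pam_sss returns for local accounts is turned into a fall-through to pam_listfile, which then only ever sees local users. The domain name, user and group names, and the allow-file path are placeholders; the stack assumes the stock authconfig-style ordering of pam_unix, pam_sss and pam_permit.

```ini
# --- /etc/sssd/sssd.conf (excerpt) ---
# Domain users: the simple access provider enforces the allow lists.
# "example.com", "alice", "bob" and "admins" are placeholder names.
[domain/example.com]
id_provider = ldap
auth_provider = ldap
access_provider = simple
simple_allow_users = alice, bob
simple_allow_groups = admins

# --- /etc/pam.d/system-auth, account section (excerpt) ---
# pam_sss returns "user unknown" for local accounts; user_unknown=ignore
# lets those fall through to pam_listfile below. A domain user who passes
# the simple provider ends the stack here (success=done), so the listfile
# never gates domain users; a domain user the provider rejects is marked
# bad and stays denied whatever the later modules return.
account required      pam_unix.so broken_shadow
account [default=bad success=done user_unknown=ignore] pam_sss.so
# Local service accounts permitted to log in, one username per line.
# /etc/security/local_allow is a placeholder path. pam_listfile refuses a
# file that is not root-owned or is world-writable, and onerr=fail denies
# access if the file cannot be read at all.
account required      pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/local_allow
account required      pam_permit.so
```

Because the listfile is consulted only after pam_sss has declined to claim the user, it carries just the local accounts, which is the user-based subset of the existing pam_listfile configuration the post describes.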