On 03/20/2014 07:14 PM, kevin sullivan wrote:
Lukas,
Thanks for your input. I can't reproduce what I was seeing right now,
so I can't send you my log files because I deleted them earlier to
make issues easier to find (which in retrospect was dumb). But just to
explain what I was talking about earlier, below are some more
explanations.
>Do users from /etc/passwd have the same uid/name as user from LDAP?
Yes they can.
>I do not really understand what you mean by "revert to local accounts if my ldap server is down."
What I mean is that I only want accounts from the LDAP server to be
used when LDAP is up. So I would store root and all other system users
in LDAP. If my LDAP server is online, I only want users to
authenticate through LDAP, no local logins. The only time I want local
accounts is if the LDAP server is no longer responsive.
>SSSD caches all information about authenticated users.
>It will be possible to authenticate even if LDAP server is down.
I don't know if I want to rely on caching as it depends on actually
having to login as that user in the first place. This leads to
inconsistency and hard to reproduce issues.
So you put all users and even root into the central server?
This is usually not the best idea.
You still need to have some system accounts that are local.
The recommendation is to have system accounts that are related to the
installed software and root in /etc/passwd and then the rest in the LDAP.
You authenticate locally with local accounts, and central accounts
can be cached by SSSD.
It is up to you where you draw the line between local accounts and
central accounts but moving everything including root seems to me to be
too much.
Thanks again for your help.
Kevin
On Tue, Mar 18, 2014 at 6:25 PM, Lukas Slebodnik <lsleb...@redhat.com> wrote:
On (18/03/14 17:42), kevin sullivan wrote:
>Lukas,
>
>Thank you for your quick response.
>
>>You can use authconfig to configure pam-stack and nsswitch on CentOS/Fedora
>>
>>This is part of my /etc/pam.d/password-auth
>>----------------------------------------------------------------------
>>auth required pam_env.so
>>auth sufficient pam_unix.so try_first_pass nullok
>>auth requisite pam_succeed_if.so uid >= 1000 quiet_success
>>auth sufficient pam_sss.so use_first_pass
>>auth required pam_deny.so
You wrote in the 1st mail:
>I only want to use the local Unix accounts (/etc/passwd and /etc/shadow)
>if my LDAP server is offline.
Do users from /etc/passwd have the same uid/name as user from LDAP?
>Won't this allow local accounts before network accounts? I only want to
>revert to local accounts if my ldap server is down.
>
Yes, local accounts have higher priority with this pam configuration.
I do not really understand what you mean by "revert to local accounts if my
ldap server is down."
SSSD caches all information about authenticated users.
It will be possible to authenticate even if LDAP server is down.
LS
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
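As an added illustration (not code from the thread or from SSSD), here is a small Python model of how PAM walks the password-auth stack Lukas quoted, using constructed local and LDAP users with hypothetical names; it shows why a local entry wins, why a uid below 1000 never reaches pam_sss, and how the SSSD credential cache matters once the server is offline.

```python
# Added example, not code from the thread: a toy model of how PAM walks the
# password-auth stack quoted above (simplified modules, constructed user data).
PAM_STACK = """
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
"""
LOCAL = {"root": (0, "local-root"), "kevin": (1001, "local-kevin")}  # /etc/passwd+shadow
LDAP = {"kevin": (1001, "ldap-kevin"), "alice": (1002, "ldap-alice")}  # directory users

def parse_stack(text):
    """Return [(control, module, args)] for each 'auth' line of the stack."""
    return [(r[1], r[2], r[3:]) for r in map(str.split, text.strip().splitlines()) if r[0] == "auth"]

def lookup_uid(user, ldap_up, cache):
    """nsswitch 'files sss': local passwd first, then SSSD (online or cached)."""
    if user in LOCAL:
        return LOCAL[user][0]
    return LDAP[user][0] if user in LDAP and (ldap_up or user in cache) else None

def run_module(module, args, user, password, ldap_up, cache):
    if module == "pam_env.so":
        return True
    if module == "pam_unix.so":  # checks the local shadow entry only
        return LOCAL.get(user, (None, None))[1] == password
    if module == "pam_succeed_if.so":  # args == ['uid', '>=', '1000', 'quiet_success']
        uid = lookup_uid(user, ldap_up, cache)
        return uid is not None and uid >= int(args[2])
    if module == "pam_sss.so":
        if ldap_up and LDAP.get(user, (None, None))[1] == password:
            cache[user] = password  # SSSD caches credentials after a successful login
            return True
        return not ldap_up and cache.get(user) == password  # offline: cache only
    return False  # pam_deny.so

def authenticate(user, password, ldap_up=True, cache=None):
    """Evaluate the stack; returns (ok, module that decided the result)."""
    cache = {} if cache is None else cache
    failed_by = None
    for control, module, args in parse_stack(PAM_STACK):
        ok = run_module(module, args, user, password, ldap_up, cache)
        if control == "sufficient" and ok and failed_by is None:
            return True, module  # sufficient success ends the stack
        if control == "requisite" and not ok:
            return False, module  # requisite failure ends the stack
        if control == "required" and not ok and failed_by is None:
            failed_by = module  # remembered, but the stack keeps running
    return failed_by is None, failed_by or "end-of-stack"
```

With this stack a root account served only from LDAP is stopped at the pam_succeed_if line before pam_sss is ever consulted, which is one practical reason to keep root and system accounts local as Dmitri recommends.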