On Mon, Aug 21, 2017 at 02:53:39PM -0400, Louis Garcia wrote:
> On Mon, Aug 21, 2017 at 3:22 AM, Lukas Slebodnik <lsleb...@redhat.com> wrote:
> > On (19/08/17 14:45), Louis Garcia wrote:
> > > On Sat, Aug 19, 2017 at 5:01 AM, Lukas Slebodnik <lsleb...@redhat.com> wrote:
> > > > On (19/08/17 10:57), Lukas Slebodnik wrote:
> > > > > I think it would be better to start from scratch:
> > >
> > > You did tell me that I was not hitting that RH bug. Sorry.
> > >
> > > > > Please answer the following question:
> > > > > Is your local password the same as your Kerberos password?
> > >
> > > Yes
> >
> > And this is the main problem why it does not work for you.
> >
> > Because pam_unix will be used as the first one.
> > And I would not recommend changing the order of modules in the PAM stack manually.
> >
> > Your local account should have a different password or should not have a
> > password at all. Otherwise such a setup will not work for you.
> >
> > LS
>
> Hey, we are finally getting somewhere.
>
> If I delete my local account I can't login at all. I added my local account
> back but with no password and I was able to login and get my Kerberos
> ticket.
>
> So with this setup I still need a local account on every box I use, with no
> password or one different than the Kerberos one? I thought I could centrally
> manage my user accounts and passwords with Kerberos?
Well, Kerberos doesn't provide an OS-level identity. So even with Kerberos, you
still need some entity that defines the username, the UID, GID, shell etc. Here
it's a line in /etc/passwd; with IPA it would be an entry in LDAP. Then you need
a way to map the Kerberos principals to these identities, often as easy as
saying "OS-level username + REALM name = Kerberos principal".

> Do I need something like freeipa? Might be a bit out of bounds for this list.
> Thank you for your help.

It really depends on your use-case. I think the user in files + Kerberos
authentication is fine for a single workstation, but for multiple machines, I
would go with the FreeIPA/AD/whatever route.

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
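The two points made in this thread (the local account must not carry the same password as the Kerberos one, because pam_unix is consulted first, and the principal is derived as "OS username + REALM") can be checked mechanically. The following script is an added example written for this page; it is not code from the thread or from SSSD. It parses passwd/shadow-format text, classifies each human account's shadow field as a usable hash, a locked field or an empty field, derives the expected principal for an assumed realm EXAMPLE.COM, and reports the accounts that would interfere with a files + Kerberos login. The sample passwd and shadow lines are constructed, and the UID threshold of 1000 is an assumption about where human accounts start.

```python
"""Audit local accounts for a 'users in files + Kerberos authentication' setup.

Added example for this thread. Assumptions: realm EXAMPLE.COM, human accounts
have UID >= 1000, and the passwd/shadow samples below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

REALM = "EXAMPLE.COM"   # assumed Kerberos realm
MIN_UID = 1000          # assumed first UID of human (non-system) accounts

# Constructed sample data; the hashes are truncated placeholders, not real.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
louis:x:1000:1000:Louis:/home/louis:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc:x:999:999::/nonexistent:/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$abc...:17000:0:99999:7:::
louis:$6$othersalt$def...:17000:0:99999:7:::
alice:!:17000:0:99999:7:::
bob::17000:0:99999:7:::
svc:*:17000:0:99999:7:::
"""


@dataclass
class Account:
    name: str
    uid: int
    shell: str
    principal: str        # OS username + realm, as the thread describes
    password_state: str   # "hash", "locked", "empty" or "missing"


def classify_shadow_field(field: str) -> str:
    """Classify the second field of a shadow(5) entry.

    ""      -> "empty"  : no password at all (accepted as-is by pam_unix nullok)
    "!", "!!", "!<hash>", "*" -> "locked": pam_unix can never succeed, so the
                             stack falls through to the Kerberos module
    anything else -> "hash": pam_unix will verify the typed password itself
    """
    if field == "":
        return "empty"
    if field.startswith("!") or field == "*":
        return "locked"
    return "hash"


def parse_passwd(text: str) -> List[Tuple[str, int, str]]:
    """Return (name, uid, shell) for every passwd(5) line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        rows.append((name, int(uid), shell))
    return rows


def parse_shadow(text: str) -> Dict[str, str]:
    """Map username -> password field from shadow(5) lines."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        fields[parts[0]] = parts[1]
    return fields


def audit(passwd_text: str, shadow_text: str,
          realm: str = REALM, min_uid: int = MIN_UID) -> List[Account]:
    """Build the account list for human users, with principal and password state."""
    shadow = parse_shadow(shadow_text)
    accounts = []
    for name, uid, shell in parse_passwd(passwd_text):
        if uid < min_uid:
            continue  # system accounts are not Kerberos users here
        field = shadow.get(name)
        state = "missing" if field is None else classify_shadow_field(field)
        accounts.append(Account(name, uid, shell, f"{name}@{realm}", state))
    return accounts


def findings(accounts: List[Account]) -> List[Tuple[str, str]]:
    """Accounts whose local password field gets in the way of Kerberos auth."""
    out = []
    for a in accounts:
        if a.password_state == "hash":
            out.append((a.name, "local hash set: if it equals the Kerberos "
                                "password, pam_unix succeeds first and no "
                                "ticket is obtained; lock it with passwd -l"))
        elif a.password_state == "empty":
            out.append((a.name, "empty password field: with pam_unix nullok "
                                "an empty password logs in locally; prefer a "
                                "locked field over an empty one"))
    return out


if __name__ == "__main__":
    for acct in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{acct.name:8} {acct.principal:24} {acct.password_state}")
    for name, reason in findings(audit(SAMPLE_PASSWD, SAMPLE_SHADOW)):
        print(f"WARNING {name}: {reason}")
```

On a real host you would feed it the contents of /etc/passwd and /etc/shadow (the latter needs root). The distinction between "locked" and "empty" is the caveat worth keeping in mind when following the advice in the thread: a field locked with `passwd -l` (leading `!`) can never satisfy pam_unix, so authentication always falls through to the Kerberos module, whereas a field emptied with `passwd -d` is accepted by pam_unix as a valid empty password wherever the stack passes `nullok`.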