Add user entry in linux with SSSD

pratik · 25 October 2021 11:15

Continuing this thread https:// bbs.archlinux .org /viewtopic.php?pid=1999422#p1999422 here

Question: I want to add SSSD LDAP user’s entry in Linux when they first time login because I want every user to be sudoer.

Setup: using SSSD with LDAP, putting my SSSD and PAM config below if it helps.

/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = MYDOMAIN

[domain/MYDOMAIN]
#cache_credentials = true
debug_level = 5
enumerate = false
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldaps://xxxxx
ldap_search_base = xxxxxx
ldap_default_bind_dn = xxxx
ldap_group_search_base = cn=groups,xxxxxx
ldap_default_authtok_type = password
ldap_default_authtok = xxxxx
sudo_provider = none
ldap_schema = rfc2307
ldap_tls_reqcert = allow
ldap_access_order = filter
ldap_access_filter = memberOf=cn=member,cn=groups,xxxxxx

ldap_referrals = false

/etc/pam.d/system.auth

#%PAM-1.0

auth       sufficient                  pam_sss.so           forward_pass
auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok
-auth      [success=1 default=ignore]  pam_systemd_home.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

account    [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

password   sufficient                  pam_sss.so           use_authtok
-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow sha512
password   optional                    pam_permit.so

session    required                    pam_mkhomedir.so     skel=/etc/skel/ umask=0077
session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_sss.so
session    optional                    pam_permit.so

/etc/pam.d/su

#%PAM-1.0
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid
auth sufficient   pam_sss.so      forward_pass
auth		required	pam_unix.soaccount

account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account		required	pam_unix.so

session		required	pam_unix.so
session optional pam_sss.so

NOTE: Added pam_sss config earlier in /etc/pam.d/sudo, which was causing 2 time sudo password prompt and as per arch thread it’s unnecessary to configure sudo because it will inherit and uses system-auth so removed it. Just putting it for heads up.

#%PAM-1.0
auth           sufficient      pam_sss.so
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
auth		include		system-auth
account		include		system-auth
session		include		system-auth

pratik · 28 October 2021 05:34

I solved it by forward_pass which will pass password to unix in /etc/pam.d/sudo

#%PAM-1.0
auth           sufficient      pam_sss.so forward_pass
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
auth		include		system-auth
account		include		system-auth
session		include		system-auth

system · 30 October 2021 19:35

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.