Re: eduroaming pam_sss issues

To: debian-edu@lists.debian.org
Subject: Re: eduroaming pam_sss issues
From: Giorgio Pioda <gfwp@ticino.com>
Date: Sun, 26 May 2013 11:28:43 +0200
Message-id: <[🔎] 20130526092843.GB9147@ticino.com>
In-reply-to: <[🔎] 20130526082341.GA19033@fuzi>
References: <[🔎] 20130525130957.GA6753@ticino.com> <[🔎] 2fltxlryssv.fsf@diskless.uio.no> <[🔎] 20130526074317.GA8265@ticino.com> <[🔎] 20130526082341.GA19033@fuzi>

Hi Andy,

On Sun, May 26, 2013 at 10:23:41AM +0200, Andreas B. Mundt wrote:
> Hi Giorgio,
> 
> On Sun, May 26, 2013 at 09:43:17AM +0200, Giorgio Pioda wrote:
> > On Sat, May 25, 2013 at 05:37:20PM +0200, Petter Reinholdtsen wrote:
> > > >
> > > > pam_acct_mgmt: Authentication failure
> > > >
> > > > But actually sssd works, krb5 tickets are OK and right before this message
> > > > pam_sss claims a successful authentication.
> > > >
> > > > Any clues?
> > >
> 
> The only problem I had was when /etc/nsswitch.conf was missing the
> 'sss'.  In addition you might want to check with 'pam-auth-update'
> what authentication mechanisms you would like to allow.  I have only
> 'Unix' and 'SSS' installed and therefore available, and this seems to
> work fine.
> 
> [...]
> 
> >
> > Sssd seems to work properly. Ubuntu's pam_mklocaluser is still not working correctly,
> > (even in Ubuntu 13.04, even using the fixed Wheezy package) and homedirs
> > are not created automatically.
> >
> 
> Note that pam_mklocaluser is not necessarily needed.  If you have home
> directories available for off-line use (which can be created with
> pretty easily during login [1]), there is no need to 'recreate' the users
> locally.
> 
> Best regards,
> 
>      Andi
> 
> [1] Add 'session required  pam_mkhomedir.so skel=/etc/skel umask=0027'
>     to /etc/pam.d/common-session
>     However this only creates the directories when no NFS-homedirs are
>     availabel.  To create the directories in any login, I use
>     libpam-script
>     (Cf. http://anonscm.debian.org/gitweb/?p=collab-maint/debian-lan.git;a=blob;f=fai/config/scripts/ROAMING/10-home_nfs4_krb5;h=9b6b6d3749483b6ff9bfd207f21f5a8698019d46;hb=0600527f83621ba2a09fd3346ea23f2fe5884f77)

Thanks. Disabling mklocalusers (and all the rest) and keeping only Unix and SSS fixes the
login. But then the problem relies in the fact that the sss users expect a homedir
in /skole/tjener/..  and not in /home/..

Indeed this is a pam_mklocaluser problem. The package in Ubuntu is broken (in several
releases)

-- 
Sysadmin SPSE-Tenero
Ufficio:   +41 91 735 62 48 
Cellulare: +41 79 629 20 63

Reply to:

Follow-Ups:
- Re: eduroaming pam_sss issues
  - From: Petter Reinholdtsen <pere@hungry.com>
- Re: eduroaming pam_sss issues
  - From: "Andreas B. Mundt" <andi.mundt@web.de>

References:
- eduroaming pam_sss issues
  - From: Giorgio Pioda <gfwp@ticino.com>
- Re: eduroaming pam_sss issues
  - From: Petter Reinholdtsen <pere@hungry.com>
- Re: eduroaming pam_sss issues
  - From: Giorgio Pioda <gfwp@ticino.com>
- Re: eduroaming pam_sss issues
  - From: "Andreas B. Mundt" <andi.mundt@web.de>

Prev by Date: Re: eduroaming pam_sss issues
Next by Date: Re: eduroaming pam_sss issues
Previous by thread: Re: eduroaming pam_sss issues
Next by thread: Re: eduroaming pam_sss issues
Index(es):
- Date
- Thread