Getting Start 
- getent shadow が使えなくても,認証可能!
設定ファイル
- authconfig, authconfig-uti コマンドでデフォルトの設定ファイルを用意してくくれる
- CentOS8 では authselect になった. authconfig-uti は削除.
- # authselect select sssd
- /etc/sssd/sssd.conf (-rw------- 1 root root)
- /etc/nsswitch.conf
- sss を追加
- /etc/pam.d/*
- /etc/sysconfig/authconfig
- 手動:SSSD関連を yes, LDAP関連を no (手動は意味ないかも知れない.ない気がする.参考程度に記す)
- 手動:SSSD関連を yes, LDAP関連を no (手動は意味ないかも知れない.ない気がする.参考程度に記す)
起動
- # systemctl start sssd
全キャッシュのクリア
- # systemctl stop sssd
- # \rm /var/lib/sss/db/*
- # systemctl start sssd
検証
- 要 sssd-tools
# sssctl domain-status default
system-auth
auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so
password-auth
auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so
Counter: 842,
today: 1,
yesterday: 1
Last-modified: 2021-07-05 (Mon) 10:55:33 (JST) (1457d) by iseki
