Using shadow password from LDAP while using SSSD for identity

I'd like to use SSSD ldap as a provider for shadow entries. It seems to be supported, given the default config with sssd installed adds sss to both passwd and shadow in nsswitch.conf, but I can't get the shadow entries.

Testing getent passwd myuser gives me the right result. getent shadow myuser returns nothing immediately (seems to not check with sssd at all).

The shadow entry does exist in LDAP and sssd seems aware of it, since I see this in the logs:

[sdap_attrs_add_ldap_attr] (0x2000): [RID#4] Adding pwdAttribute [....] to attributes of [myuser@domain].

Unfortunately it doesn't seem to be ever used.

To prevent trying authentication through LDAP bind, I'm using:

id_provider=ldap
auth_provider=none

Unfortunately, this only results in:

(2023-08-11  7:04:03): [be[okta]] [dp_pam_handler_send] (0x0100): Got request with the following data
(2023-08-11  7:04:03): [be[okta]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(2023-08-11  7:04:03): [be[okta]] [pam_print_data] (0x0100): domain: domain
(2023-08-11  7:04:03): [be[okta]] [pam_print_data] (0x0100): user: myuser@domain
(2023-08-11  7:04:03): [be[okta]] [pam_print_data] (0x0100): service: sudo-i
(2023-08-11  7:04:03): [be[okta]] [pam_print_data] (0x0100): tty: /dev/pts/3
(2023-08-11  7:04:03): [be[okta]] [pam_print_data] (0x0100): ruser: myuser
(2023-08-11  7:04:03): [be[okta]] [pam_print_data] (0x0100): rhost: 
(2023-08-11  7:04:03): [be[okta]] [pam_print_data] (0x0100): authtok type: 1 (Password)
(2023-08-11  7:04:03): [be[okta]] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
(2023-08-11  7:04:03): [be[okta]] [pam_print_data] (0x0100): priv: 1
(2023-08-11  7:04:03): [be[okta]] [pam_print_data] (0x0100): cli_pid: 2368059
(2023-08-11  7:04:03): [be[okta]] [pam_print_data] (0x0100): logon name: not set
(2023-08-11  7:04:03): [be[okta]] [pam_print_data] (0x0100): flags: 0
(2023-08-11  7:04:03): [be[okta]] [dp_attach_req] (0x0400): [RID#5] DP Request [PAM Authenticate #5]: REQ_TRACE: New request. [sssd.pam CID #1] Flags [0000].
(2023-08-11  7:04:03): [be[okta]] [dp_attach_req] (0x0400): [RID#5] Number of active DP request: 1
(2023-08-11  7:04:03): [be[okta]] [dp_find_method] (0x0100): [RID#5] Target [auth] is not initialized
(2023-08-11  7:04:03): [be[okta]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #5]: Receiving request data.
(2023-08-11  7:04:03): [be[okta]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #5]: Request removed.
(2023-08-11  7:04:03): [be[okta]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(2023-08-11  7:04:03): [be[okta]] [sbus_issue_request_done] (0x0200): sssd.dataprovider.pamHandler: Error [1432158215]: DP target is not configured

What configuration am I missing to expose the user attributes as a standard shadow database?
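Before attributing the empty getent shadow result to sssd itself, it is worth confirming what the NSS configuration actually says for each database, since getent consults only the sources listed on the matching nsswitch.conf line (and shadow lookups additionally require root). The following POSIX sh snippet is an added example, not code from the question or from the SSSD project: it parses an nsswitch.conf-style file, strips comments and action tokens such as [NOTFOUND=return], and reports whether sss is listed for passwd and shadow. The file contents below are a constructed sample, not the poster's real configuration; point the functions at /etc/nsswitch.conf to check a live system.

```shell
#!/bin/sh
# Added example (not from the original post): inspect which NSS sources are
# configured for a database, so "getent passwd" and "getent shadow" can be
# compared against the configuration rather than guessed at.

nss_sources() {
    # $1 = database name (passwd, shadow, ...), $2 = path to an nsswitch.conf
    # Prints the source list for that database on one line, with comments and
    # bracketed action tokens (e.g. [NOTFOUND=return]) removed.
    awk -v db="$1" -F: '
        { sub(/#.*/, "") }                 # drop trailing comments
        NF >= 2 {
            key = $1
            gsub(/[ \t]+/, "", key)        # "passwd:" -> "passwd"
            if (key == db) {
                n = split($2, parts, /[ \t]+/)
                out = ""
                for (i = 1; i <= n; i++) {
                    if (parts[i] == "" || parts[i] ~ /[][=]/) continue
                    out = out (out == "" ? "" : " ") parts[i]
                }
                print out
                exit
            }
        }' "$2"
}

nss_has_source() {
    # $1 = database, $2 = source name (e.g. sss), $3 = file
    # Succeeds (exit 0) if the source is listed for that database.
    for s in $(nss_sources "$1" "$3"); do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

report_sss_coverage() {
    # Mirrors the passwd-vs-shadow comparison from the question: for both
    # databases, say whether sss would be consulted at all.
    for db in passwd shadow; do
        if nss_has_source "$db" sss "$1"; then
            echo "$db: sss listed ($(nss_sources "$db" "$1"))"
        else
            echo "$db: sss NOT listed ($(nss_sources "$db" "$1"))"
        fi
    done
}

# Constructed sample nsswitch.conf used for the demonstration (not a real file).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample, loosely modelled on a default sssd-enabled layout
passwd:         files systemd sss
group:          files systemd sss
shadow:         files sss       # trailing comment should be ignored
hosts:          files dns [NOTFOUND=return] myhostname
EOF

report_sss_coverage "$SAMPLE"
```

If shadow lists sss but getent shadow still returns nothing, the configuration side is not the problem and the lookup itself (run as root, with the nss responder logs at a raised debug level) is the next thing to examine.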
