> On 7 Dec 2021, at 00:22, Caderize Caderize <caderize@xxxxxxxxx> wrote:
>
> Hi William,
> the pam, for users created manually, is working fine for me.
> The only problem is related to synced users from AD, which seem not to have all the necessary objectClasses.

The issue is *not* related to objectClasses. As mentioned, I reproduced your config and it worked for me, with an entry with the same objectClasses.

>
> However, this is the ldapserver pam service:
> # here are the per-package modules (the "Primary" block)
> auth [success=2 default=ignore] pam_unix.so nullok
> auth [success=1 default=ignore] pam_sss.so use_first_pass debug
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config

You need an "account" module section in your pam file here, else the pam_acct_mgmt step to allow the account will fail. That's likely your problem here.

Second, you don't need pam_unix. I think your file should be:

auth sufficient pam_sss.so use_first_pass ignore_unknown_user
auth required pam_deny.so
account sufficient pam_sss.so ignore_unknown_user
account required pam_deny.so

If that doesn't work, you need to add 'debug_log = 5' to [domain/lab.local] and nsslapd-errorlog-level 81920 to your directory server, and then provide the logs for an authentication from /var/log/dirsrv/slapd-instance/errors and /var/log/sssd/sssd_lab.local.log

Thanks,

>
>
> and this is the sssd.conf file:
> [sssd]
> domains = lab.local
> config_file_version = 2
> services = nss, pam
> debug_level = 10
>
> [domain/lab.local]
> default_shell = /bin/bash
> krb5_store_password_if_offline = True
> cache_credentials = True
> krb5_realm = LAB.LOCAL
> realmd_tags = manages-system joined-with-adcli
> id_provider = ad
> fallback_homedir = /home/%u@%d
> ad_domain = lab.local
> use_fully_qualified_names = False
> ldap_id_mapping = True
> access_provider = ad
> #enumerate = true
>
> auth_provider = ad
> chpass_provider = ad
> ldap_schema = ad
>
> dyndns_update = true
> dyndns_refresh_interval = 43200
> dyndns_update_ptr = true
> dyndns_ttl = 3600
>
> Hope to have a reply from you soon.
>
> Best Regards
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
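The point William makes above (a PAM service file with only `auth` lines fails at the pam_acct_mgmt step because nothing answers the `account` phase) can be checked mechanically before a login attempt. The script below is an added example, not code from the thread or from the SSSD or 389-ds projects; the helper names (`pam_phases`, `pam_has_phase`, `pam_missing_phases`, `check_service_file`) are hypothetical, and the two sample service files are constructed inline from the "before" stack Caderize posted and the "after" stack William suggested, so it runs offline without touching /etc/pam.d.

```shell
#!/bin/sh
# Added example (not from the thread): detect a pam.d service file that
# declares no "account" phase, which makes pam_acct_mgmt() fail even when
# pam_authenticate() succeeded. Helper names below are hypothetical.

# Print the distinct PAM phases (auth, account, password, session) declared
# in a pam.d service file, ignoring comments and blank lines. The phase is
# always the first whitespace-separated field, even for "[success=N ...]"
# control syntax, so awk '$1' is enough.
pam_phases() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" | awk '{print $1}' | sort -u
}

# Return 0 if the file declares the given phase, 1 otherwise.
pam_has_phase() {
    pam_phases "$1" | grep -qx "$2"
}

# Print the phases a login-style service must have (auth and account) that
# the file is missing, one per line; prints nothing when both are present.
pam_missing_phases() {
    for phase in auth account; do
        pam_has_phase "$1" "$phase" || printf '%s\n' "$phase"
    done
}

# Report the result for one file; non-zero exit when a phase is missing.
check_service_file() {
    missing=$(pam_missing_phases "$1")
    if [ -n "$missing" ]; then
        printf '%s: missing phase(s): %s\n' "$1" "$(printf '%s' "$missing" | tr '\n' ' ')"
        return 1
    fi
    printf '%s: ok\n' "$1"
}

# Constructed sample files reproducing the two stacks from the thread.
tmpdir=$(mktemp -d)
cat > "$tmpdir/ldapserver.before" <<'EOF'
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass debug
# here's the fallback if no module succeeds
auth requisite pam_deny.so
auth required pam_permit.so
EOF
cat > "$tmpdir/ldapserver.after" <<'EOF'
auth sufficient pam_sss.so use_first_pass ignore_unknown_user
auth required pam_deny.so
account sufficient pam_sss.so ignore_unknown_user
account required pam_deny.so
EOF

# The original stack is flagged (missing "account"); the corrected one passes.
check_service_file "$tmpdir/ldapserver.before" || true
check_service_file "$tmpdir/ldapserver.after"
```

To run it against a live system, replace the constructed files with `/etc/pam.d/<service>` (the name the LDAP server's `nsslapd-pamsvc` or equivalent PAM pass-through config points at); a file that is flagged here will fail the account step regardless of which objectClasses the synced user entries carry.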