Bug 578463 - RFE: Authconfig should use the proxy provider for NIS and winbind
Status: ASSIGNED
Product: Fedora
Classification: Fedora
Component: authconfig
Version: rawhide
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance

Reported: 2010-03-31 07:56 EDT by Stephen Gallagher
Modified: 2015-09-07 01:47 EDT
Doc Type: Bug Fix
Description Stephen Gallagher 2010-03-31 07:56:21 EDT
Description of problem:
Right now, if NIS or Winbind are selected for , authconfig will use the traditional approach of configuring the service and adding it to nsswitch.conf.

With the SSSD available, it's preferable to take advantage of the id_provider=proxy setting instead. This allows these classic interfaces to take advantage of the SSSD's caching features.

The way this would work is that the NIS or winbind configuration would be set up exactly as usual, except that the configuration in nsswitch.conf would be different, and there would be an entry in sssd.conf.

nsswitch.conf (NIS example):

passwd: files sss
group: files sss
netgroup: files nis
automount: files nis
shadow: files nis     (if the NIS password option is selected, sss otherwise)

Then sssd.conf would include:
[domain/default]
id_provider = proxy
proxy_lib_name = nis

# For NIS password:
# No entries needed, since NIS uses shadow, as mentioned above

# Or Kerberos password:
auth_provider = krb5
chpass_provider = krb5
krb5_kdcip = kdc.example.com
krb5_realm = EXAMPLE.COM
krb5_kpasswd = kpasswd.example.com



nsswitch.conf (Winbind example):

passwd: files sss
group: files sss
shadow: files sss
netgroup: files winbind
automount: files winbind

sssd.conf:
[domain/default]
id_provider = proxy
proxy_lib_name = winbind

auth_provider = proxy
proxy_pam_target = winbind


The proxy_pam_target is the name of a file in /etc/pam.d/<proxy_pam_target>. It should be a specialized PAM stack that calls the exact PAM modules necessary for authenticating winbind. (Basically, it should consist of the entries that would previously have been added to system-auth-ac.) This PAM stack is invoked by pam_sss.so, so it should not also be added to system-auth-ac.

e.g.
/etc/pam.d/winbind:
auth     required pam_winbind.so
account  [default=bad success=ok user_unknown=ignore] pam_winbind.so
password required pam_winbind.so use_authtok
session  optional pam_winbind.so


Version-Release number of selected component (if applicable):
authconfig-6.1.2-1.fc13
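
An added example (not part of the original report, and not authconfig or SSSD code): a Python check that nsswitch.conf, sssd.conf and the PAM files agree with the proxy layout described above. It assumes the [domain/default] section name used in the report and that proxy_lib_name matches the selected service (nis or winbind); the function names and sample strings are constructed for illustration.

```python
import configparser
import re

def parse_nsswitch(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, sources = line.split(":", 1)
            # Strip action items such as [NOTFOUND=return] before splitting.
            dbs[db.strip()] = re.sub(r"\[[^\]]*\]", " ", sources).split()
    return dbs

def check_proxy_layout(nsswitch, sssd_conf, pam_files, legacy):
    """Return findings (empty list = layout matches). legacy is "nis" or "winbind"."""
    findings = []
    dbs = parse_nsswitch(nsswitch)
    for db in ("passwd", "group"):
        sources = dbs.get(db, [])
        if "sss" not in sources:
            findings.append(f"nsswitch {db}: sss not listed")
        if legacy in sources:
            findings.append(f"nsswitch {db}: {legacy} listed directly, bypassing the SSSD cache")
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(sssd_conf)
    dom = cp["domain/default"] if cp.has_section("domain/default") else {}
    if dom.get("id_provider") != "proxy":
        findings.append("sssd.conf: id_provider is not proxy")
    if dom.get("proxy_lib_name") != legacy:
        findings.append(f"sssd.conf: proxy_lib_name is not {legacy}")
    if dom.get("auth_provider") == "proxy":
        target = dom.get("proxy_pam_target")
        if not target or target not in pam_files:
            findings.append("sssd.conf: proxy_pam_target has no matching /etc/pam.d file")
        # pam_sss.so already invokes the target stack; it must not also be in system-auth-ac.
        stack = pam_files.get("system-auth-ac", "").splitlines()
        active = [l for l in stack if not l.lstrip().startswith("#")]
        if any(f"pam_{legacy}.so" in l for l in active):
            findings.append(f"system-auth-ac: pam_{legacy}.so also present")
    return findings

# Constructed sample input following the Winbind layout in the report.
SAMPLE_NSS = "passwd: files sss\ngroup: files sss\nshadow: files sss\n"
SAMPLE_SSSD = ("[domain/default]\nid_provider = proxy\nproxy_lib_name = winbind\n"
               "auth_provider = proxy\nproxy_pam_target = winbind\n")
SAMPLE_PAM = {"winbind": "auth required pam_winbind.so\n",
              "system-auth-ac": "auth sufficient pam_sss.so\n"}
if __name__ == "__main__":
    print(check_proxy_layout(SAMPLE_NSS, SAMPLE_SSSD, SAMPLE_PAM, "winbind") or "layout matches")
```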
