Description of problem: Right now, if NIS or Winbind are selected for , authconfig will use the traditional approach of configuring the service and adding it to nsswitch.conf. With the SSSD available, it's preferable to take advantage of the id_provider=proxy setting instead. This allows these classic interfaces to take advantage of the SSSD's caching features. The way this would work is that the NIS or winbind configuration would be set up exactly as usual, except that the configuration in nsswitch.conf would be different, and there would be an entry in sssd.conf. nsswitch.conf (NIS example): passwd files sss group files sss netgroup files nis automount files nis shadow files nis (if the NIS password option is selected, sss otherwise) Then sssd.conf would include: [domain/default] id_provider = proxy proxy_lib_name = nis # For NIS password: # No entries needed, since NIS uses shadow, as mentioned above # Or Kerberos password: auth_provider = krb5 chpass_provider = krb5 krb5_kdcip = kdc.example.com krb5_realm = EXAMPLE.COM krb5_kpasswd = kpasswd.example.com nsswitch.conf (Winbind example): passwd files sss group files sss shadow files sss netgroup files winbind automount files winbind sssd.conf: [domain/default] id_provider = proxy proxy_lib_name = nis auth_provider = proxy proxy_pam_target = winbind The proxy_pam_target is the name of a file in /etc/pam.d/<proxy_pam_target>. It should be a specialized PAM stack that calls the exact PAM modules necessary for authenticating winbind (Basically, it should consist of the entries that would previously have been added to system-auth-ac) This PAM stack is invoked by pam_sss.so, so it should not also be added to system-auth-ac. e.g. /etc/pam.d/winbind: auth required pam_winbind.so account [default=bad success=ok user_unknown=ignore] pam_winbind.so password required pam_winbind.so use_authtok session optional pam_winbind.so Version-Release number of selected component (if applicable): authconfig-6.1.2-1.fc13
This package has changed maintainer in the Fedora. Reassigning to the new maintainer of this component.
Authconfig has been replaced by authselect.