Description of problem: sssd is available in el5.6 but the version of authconfig does not support configuring it. In ipa-client we call out to authconfig to handle the nss and pam configurations. If we include our own copy of authconfig 6.x in ipa-client we should be able to enable sssd that way.
Product Management has reviewed and declined this request. You may appeal this decision by reopening this request.
Tech note content taken from https://fedorahosted.org/sssd/wiki/HOWTO_Configure

Configure NSS for fetching user and group information

In order to configure your system to use sssd for user information, SSSD provides a new nss_sss NSS module. To use it, you need to configure NSS to use the sss name database along with the classic UNIX file database. Edit your /etc/nsswitch.conf:

passwd: files sss
group:  files sss

Configure PAM for authentication

Configuring PAM should be done with extreme care. A mistake or typo in the PAM config file can lock you out of the system completely. Always back up your config files before doing any changes and keep a session open in order to be able to revert changes you do.

Enable the use of the SSSD for PAM. If you are changing the default PAM config on Fedora, it should look like:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

Recent PAM implementations allow including PAM configurations, e.g.:

...
session     include       system-auth
session     optional      pam_console.so
...
If you use includes please note that in the example above pam_console.so is not executed if a sufficient condition from system-auth returns PAM_SUCCESS. Some of the later examples use a proxy auth provider between pam_sss and other PAM modules using the pam-target configuration directive that references a file in /etc/pam.d. It is important not to include pam_sss.so modules in these proxied targets, otherwise the PAM stack may go into a loop.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:

ipa-client

The ipa-client package provides a tool to enroll a machine to an IPA server version 2, and is not backward compatible with version 1 of the server. ipa-client is considered a Technology Preview in Red Hat Enterprise Linux 5.6. Note, however, that SSSD needs to be manually configured for use with IPA.

Configuring NSS to fetch user and group information

SSSD provides the nss_sss NSS module. To use this module, configure NSS to use the sss name database in addition to the UNIX file database. Edit /etc/nsswitch.conf, adding the following lines:

passwd: files sss
group:  files sss

Configuring PAM for authentication

Errors when editing the PAM configuration file can lock you out of the system. Always back up the configuration file and keep another session open to revert changes if an error is made. Change the PAM config file to:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
The tech note might also want to mention that the PAM config file is a recommended configuration and not an exclusive one. Additionally, it's also possible (and maybe recommended) to have:

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

This version of the session stack includes pam_mkhomedir.so, which will automatically create a home directory for an SSSD user upon their first login. This is useful for machines that will operate offline often (such as laptops), but is NOT recommended for machines that rely on NFS-connected home directories.
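The comments above describe what a correctly configured client should end up with (sss in nsswitch.conf, pam_sss.so in every group of system-auth, and no pam_sss.so inside a proxied pam-target). The following script is an added example, not part of the bug report or of ipa-client, that checks those three conditions against constructed sample files; the file paths are parameters so it can be pointed at the live /etc files instead.

```shell
#!/bin/sh
# Added example, not from the bug report: check that NSS and PAM are wired to
# SSSD as the tech note describes. File paths are parameters so the checks can
# run against constructed copies instead of the live /etc files.

# check_nsswitch FILE: succeed only if both the passwd and group databases
# list "sss" (e.g. "passwd: files sss"). Commented-out lines do not count.
check_nsswitch() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]sss([[:space:]]|$)" "$1" || return 1
    done
    return 0
}

# check_pam FILE: succeed only if pam_sss.so is present in all four
# management groups of the stack (auth, account, password, session).
check_pam() {
    for type in auth account password session; do
        grep -Eq "^[[:space:]]*${type}[[:space:]].*pam_sss\.so" "$1" || return 1
    done
    return 0
}

# check_proxy_target FILE: succeed only if a pam-target file used by a proxy
# auth provider does NOT reference pam_sss.so (which can loop the PAM stack).
check_proxy_target() {
    ! grep -Eq '^[[:space:]]*[^#].*pam_sss\.so' "$1"
}

# Constructed sample files for the demonstration run.
TMP=$(mktemp -d)
printf 'passwd: files sss\nshadow: files\ngroup:  files sss\n' > "$TMP/nsswitch.conf"
cat > "$TMP/system-auth" <<'EOF'
auth     sufficient pam_sss.so use_first_pass
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
session  optional   pam_sss.so
EOF
printf 'auth sufficient pam_sss.so\n' > "$TMP/bad-target"

check_nsswitch "$TMP/nsswitch.conf" && echo "nsswitch.conf: sss present"
check_pam "$TMP/system-auth" && echo "system-auth: pam_sss.so in all groups"
check_proxy_target "$TMP/bad-target" || echo "bad-target: pam_sss.so in a proxy target"
rm -rf "$TMP"
```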
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
Using: ipa-client-2.0-13.el5

Failed to verify. After the install, which had a failure (bug 704235), checked /etc/nsswitch.conf. This wasn't updated. Nor was /etc/sysconfig/authconfig. This still had USESSSDAUTH=no. sssd service wasn't running when install ended.
What command-line options did you pass to ipa-client-install? Can you attach /var/log/ipaclient-install.log?
Installed client as:

ipa-client-install --domain=testrelm --realm=TESTRELM -p admin -w Secret123

Attaching install log.
Created attachment 498570: ipaclient-install.log
You are unable to verify this because the other bug is blowing up the client installer. It isn't getting to the point where SSSD would be configured. This is fixed by the patch in BZ 704235.
Verified using ipa-client-2.0-14.el5. Verified updates in /etc/sssd/sssd.conf, /etc/nsswitch.conf, /etc/sysconfig/authconfig, /etc/pam.d/system-auth. kinit as admin from client, then was able to use ssh to server machine without being prompted for pwd... single sign-on looked good.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0990.html