> Dag-Erling Smørgrav <d...@des.no> wrote on 14 November 2016 at 10:26:
>
>
> Ronny Forberger <ronnyforber...@ronnyforberger.de> writes:
> > # auth
> > auth sufficient pam_opie.so no_warn no_fake_prompts
> > auth requisite pam_opieaccess.so no_warn allow_local
> > #auth sufficient pam_krb5.so no_warn try_first_pass
> > #auth sufficient pam_ssh.so no_warn try_first_pass
> > auth sufficient /usr/local/lib/pam_sss.so
> > auth required pam_unix.so no_warn try_first_pass nullok
>
> I don't have the answer to your question, but I'd like to point out that
> you don't need to include the full path to the module. PAM will look in
> /usr/local/lib if it can't find the module in /usr/lib. You can even
> leave out the .so suffix (since OpenPAM Nummularia / FreeBSD 9.3)
ok
>
> Two other things: 1) make sure the service you're trying to use actually
> uses the system policy or a policy that includes it (sshd doesn't) and
 
I am using sudo with password and it should use the system policy.

> 2) if you add the "debug" keyword to every pam_sss line in your PAM
> policy, OpenPAM will log every call to the pam_sss module, everything it
> does on behalf of that module, and the outcome of the call through
> syslog (by default, it should go to /var/log/debug.log).
 
My /var/log/debug.log only says:
 

Nov 13 17:31:59 macy sudo: in openpam_dispatch(): /usr/local/lib/pam_sss.so: pam_sm_authenticate(): authentication error
Nov 13 17:32:01 macy su: in openpam_dispatch(): calling pam_sm_setcred() in /usr/local/lib/pam_sss.so
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_SERVICE
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_USER
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_TTY
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RUSER
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RHOST
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_AUTHTOK
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_OLDAUTHTOK
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_set_data(): entering: 'pam_sss:fd_destructor'
Nov 13 17:32:01 macy su: in pam_set_data(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in openpam_dispatch(): /usr/local/lib/pam_sss.so: pam_sm_setcred(): success

 

What can be wrong?

 

Best regards,

Ronny


>
> DES
> --
> Dag-Erling Smørgrav - d...@des.no
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
___________________________________
Ronny Forberger
ronnyforberger at ronnyforberger.de
PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
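
Added example (not part of the original messages, and not OpenPAM or SSSD code): a small Python script that pulls the per-module results out of OpenPAM "debug" output such as the log quoted in this message. It assumes only the openpam_dispatch() line shapes visible in that log; the function names are made up for this sketch, and the sample is constructed from the posted lines, with long records wrapped the way mail clients wrap them.

```python
import re

# Constructed sample: lines from the message, long records wrapped by mail.
SAMPLE = """\
Nov 13 17:31:59 macy sudo: in openpam_dispatch(): /usr/local/lib/pam_sss.so:
pam_sm_authenticate(): authentication error
Nov 13 17:32:01 macy su: in openpam_dispatch(): calling pam_sm_setcred() in
/usr/local/lib/pam_sss.so
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_SERVICE
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in openpam_dispatch(): /usr/local/lib/pam_sss.so:
pam_sm_setcred(): success
"""

# A new syslog record starts with "Mon DD HH:MM:SS "; anything else is a wrap.
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# Result line: "in openpam_dispatch(): <module path>: <primitive>(): <result>"
OUTCOME = re.compile(
    r"^(?P<when>\w{3} [ \d]\d [\d:]{8}) \S+ (?P<prog>[^:\[\s]+)(?:\[\d+\])?: "
    r"in openpam_dispatch\(\): (?P<module>\S+): (?P<prim>pam_sm_\w+)\(\): (?P<result>.+)$"
)

def unwrap(text):
    """Rejoin continuation lines (no timestamp) onto the previous record."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def module_outcomes(text):
    """Return (time, program, module, primitive, result) per module call result."""
    out = []
    for rec in unwrap(text):
        m = OUTCOME.match(rec)
        if m:
            out.append((m["when"], m["prog"], m["module"], m["prim"], m["result"]))
    return out

def failures(text):
    """Module calls whose logged result is anything other than 'success'."""
    return [o for o in module_outcomes(text) if o[4] != "success"]

if __name__ == "__main__":
    for when, prog, module, prim, result in module_outcomes(SAMPLE):
        flag = "ok  " if result == "success" else "FAIL"
        print(f"{flag} {when} {prog:5} {prim:20} {module}: {result}")
```

On the sample it flags only the sudo pam_sm_authenticate() call in pam_sss.so, which shows the module was reached and itself returned the error.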