30.3.2. Configuring the PAM Service


Warning

A mistake in the PAM configuration file can lock users out of the system completely. Always back up the configuration files before performing any changes, and keep a session open so that any changes can be reverted.
SSSD provides a PAM module, sssd_pam, which instructs the system to use SSSD to retrieve user information. The PAM configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with PAM.
To configure the PAM service:
  1. The Authentication Configuration tool automatically writes to the /etc/pam.d/system-auth-ac file, which is symlinked to /etc/pam.d/system-auth. Any changes made to /etc/pam.d/system-auth are overwritten the next time that authconfig is run.
    So, remove the /etc/pam.d/system-auth symlink.
    [root@server ~]# rm /etc/pam.d/system-auth
    rm: remove symbolic link `/etc/pam.d/system-auth'? y
  2. Create a new /etc/pam.d/system-auth-local file. One easy way to do this is simply to copy the /etc/pam.d/system-auth-ac file.
    [root@server ~]# cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-local
  3. Create a new symlink between the /etc/pam.d/system-auth-local file and /etc/pam.d/system-auth.
    [root@server ~]# ln -s /etc/pam.d/system-auth-local /etc/pam.d/system-auth
  4. Edit the /etc/pam.d/system-auth-local file, and add all of the SSSD modules to the PAM configuration:
    #%PAM-1.0
    ...
    auth        sufficient    pam_sss.so use_first_pass
    auth        required      pam_deny.so
    
    ...
    account [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required      pam_permit.so
    
    ...
    password    sufficient    pam_sss.so use_authtok
    password    required      pam_deny.so
    
    ...
    session     sufficient    pam_sss.so
    session     required      pam_unix.so
    These module lines can be set to use include statements, as necessary.
  5. Open the sssd.conf file.
    # vim /etc/sssd/sssd.conf
  6. Make sure that PAM is listed as one of the services that work with SSSD.
    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss, pam
  7. In the [pam] section, change any of the PAM parameters. These are listed in Table 30.2, “SSSD [pam] Configuration Parameters”.
    [pam]
    reconnection_retries = 3
    offline_credentials_expiration = 2
    offline_failed_login_attempts = 3
    offline_failed_login_delay = 5
  8. Restart SSSD.
    [root@server ~]# service sssd restart
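The steps above are easy to get wrong under pressure, and the warning at the top of this section is not idle: a broken system-auth locks everyone out. The following script is an added example and is not part of the Red Hat documentation. It performs steps 1 to 3 under a PREFIX directory (an empty prefix means the live /etc), backs up whatever currently sits at system-auth, and then verifies two things before you would restart SSSD: that every PAM management group (auth, account, password, session) in the resulting system-auth references pam_sss.so, and that the [sssd] section of sssd.conf lists pam under services. The sample tree written by make_scratch_tree is constructed from the fragments shown in the procedure (plus a few ordinary pam_unix/pam_env lines that authconfig normally emits) so the whole thing can be rehearsed in a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): rehearse the
# system-auth-local switch against a scratch tree, then verify the result.
# Every function takes PREFIX as its first argument; "" means the real system.

# make_scratch_tree PREFIX: write a constructed authconfig-style tree under PREFIX.
make_scratch_tree() {
    mkdir -p "$1/etc/pam.d" "$1/etc/sssd"
    cat > "$1/etc/pam.d/system-auth-ac" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    sufficient    pam_unix.so sha512 shadow use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     sufficient    pam_sss.so
session     required      pam_unix.so
EOF
    # authconfig leaves system-auth as a symlink to system-auth-ac.
    ln -sf "$1/etc/pam.d/system-auth-ac" "$1/etc/pam.d/system-auth"
    cat > "$1/etc/sssd/sssd.conf" <<'EOF'
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
EOF
}

# setup_system_auth_local PREFIX: steps 1-3 of the procedure, with a backup.
# Moves the existing system-auth (file or symlink) aside, copies
# system-auth-ac to system-auth-local and links system-auth to the copy.
setup_system_auth_local() {
    pamd="$1/etc/pam.d"
    [ -f "$pamd/system-auth-ac" ] || { echo "missing $pamd/system-auth-ac" >&2; return 1; }
    if [ -e "$pamd/system-auth" ] || [ -L "$pamd/system-auth" ]; then
        mv "$pamd/system-auth" "$pamd/system-auth.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cp "$pamd/system-auth-ac" "$pamd/system-auth-local" || return 1
    ln -s "$pamd/system-auth-local" "$pamd/system-auth" || return 1
}

# check_pam_sss PAMFILE: return 0 when auth, account, password and session
# each carry a pam_sss.so entry; list the missing groups on stderr otherwise.
check_pam_sss() {
    pamfile="$1"
    missing=""
    for group in auth account password session; do
        # Skip comment lines, then look for "<group> <control> ... pam_sss.so".
        if ! grep -Ev '^[[:space:]]*#' "$pamfile" \
             | grep -Eq "^[[:space:]]*$group[[:space:]].*pam_sss\.so"; then
            missing="$missing $group"
        fi
    done
    if [ -n "$missing" ]; then
        echo "pam_sss.so missing from:$missing" >&2
        return 1
    fi
    return 0
}

# check_sssd_pam_service SSSDCONF: return 0 when the [sssd] section's
# services list contains "pam" as a whole item (not e.g. "pam_x").
check_sssd_pam_service() {
    sed -n '/^\[sssd\]/,/^\[/p' "$1" \
        | grep -E '^[[:space:]]*services[[:space:]]*=' \
        | grep -Eq '(=|,)[[:space:]]*pam([[:space:]]*,|[[:space:]]*$)'
}

# rehearse PREFIX: apply the switch and run both checks; 0 only if all pass.
rehearse() {
    setup_system_auth_local "$1" &&
    check_pam_sss "$1/etc/pam.d/system-auth" &&
    check_sssd_pam_service "$1/etc/sssd/sssd.conf"
}
```

Source the file and run `make_scratch_tree /tmp/pam-rehearsal && rehearse /tmp/pam-rehearsal` to see the whole sequence succeed against throwaway files; on the real host, run `rehearse ""` from the root shell you are keeping open, and only restart SSSD once both checks return 0. The checks are deliberately strict about whole-word matching so that a typo such as `pam_sss.s` or a `services = nss` line that lost `pam` during editing is caught before the next login attempt.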
Table 30.2. SSSD [pam] Configuration Parameters

offline_credentials_expiration (value format: integer)
    Sets how long, in days, to allow cached logins if the authentication provider is offline. This value is measured from the last successful online login. If not specified, this defaults to zero (0), which is unlimited.

offline_failed_login_attempts (value format: integer)
    Sets how many failed login attempts are allowed if the authentication provider is offline. If not specified, this defaults to zero (0), which is unlimited.

offline_failed_login_delay (value format: integer)
    Sets how long to prevent login attempts if a user hits the failed login attempt limit. If set to zero (0), the user cannot authenticate while the provider is offline once he hits the failed attempt limit. Only a successful online authentication can re-enable offline authentication. If not specified, this defaults to five (5).