Red Hat Summit30.3.2. Configuring the PAM Service
Warning
A mistake in the PAM configuration file can lock users out of the system completely. Always back up the configuration files before performing any changes, and keep a session open so that any changes can be reverted.
SSSD provides a PAM module,
sssd_pam, which instructs the system to use SSSD to retrieve user information. The PAM configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with PAM.
To configure the PAM service:
- The Authentication Configuration tool automatically writes to the
/etc/pam.d/system-auth-acfile, which is symlinked to/etc/pam.d/system-auth. Any changes made to/etc/pam.d/system-authare overwritten the next time thatauthconfigis run.So, remove the/etc/pam.d/system-authsymlink.rm /etc/pam.d/system-auth
[root@server ~]# rm /etc/pam.d/system-auth rm: remove symbolic link `/etc/pam.d/system-auth'? yCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Create a new
/etc/pam.d/system-auth-localfile. One easy way to do this is simply to copy the/etc/pam.d/system-auth-acfile.cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-local
[root@server ~]# cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-localCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Create a new symlink between the
/etc/pam.d/system-auth-localfile and/etc/pam.d/system-auth.ln -s /etc/pam.d/system-auth-local /etc/pam.d/system-auth
[root@server ~]# ln -s /etc/pam.d/system-auth-local /etc/pam.d/system-authCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Edit the
/etc/pam.d/system-auth-localfile, and add all of the SSSD modules to the PAM configuration:Copy to Clipboard Copied! Toggle word wrap Toggle overflow These modules can be set toincludestatements, as necessary. - Open the
sssd.conffile.vim /etc/sssd/sssd.conf
# vim /etc/sssd/sssd.confCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Make sure that PAM is listed as one of the services that works with SSSD.
[sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pam
[sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pamCopy to Clipboard Copied! Toggle word wrap Toggle overflow - In the
[pam]section, change any of the PAM parameters. These are listed in Table 30.2, “SSSD [pam] Configuration Parameters”.[pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5
[pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Restart SSSD.
service sssd restart
[root@server ~]# service sssd restartCopy to Clipboard Copied! Toggle word wrap Toggle overflow
| Parameter | Value Format | Description |
|---|---|---|
| offline_credentials_expiration | integer | Sets how long, in days, to allow cached logins if the authentication provider is offline. This value is measured from the last successful online login. If not specified, this defaults to zero (0), which is unlimited. |
| offline_failed_login_attempts | integer | Sets how many failed login attempts are allowed if the authentication provider is offline. If not specified, this defaults to zero (0), which is unlimited. |
| offline_failed_login_delay | integer | Sets how long to prevent login attempts if a user hits the failed login attempt limit. If set to zero (0), the user cannot authenticate while the provider is offline once he hits the failed attempt limit. Only a successful online authentication can re-enable offline authentication. If not specified, this defaults to five (5). |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}