[CentOS] SSSD and usermod

Mon Jan 6 15:02:57 UTC 2014
Dimitar Georgievski <mitkany at gmail.com>

Hi Mitja,

it looks like you are trying to integrate SSSD with FreeIPA. I think the
following presentation will help you review the SSSD configuration even if
you are trying to use 389DS independently:
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

Check the page titled "Example configuration - SSSD with FreeIPA server".
SSSD has to be configured to talk to the LDAP server. Check also the settings
in /etc/nsswitch.conf. You might need to modify it to enable SSSD
integration with other services.

This example comes from a host that is using SSSD for SSH authentication
and sudo integration with a FreeIPA server:
passwd:     files sss
shadow:     files sss
group:      files sss
sudoers:    files sss

Dimitar


On Fri, Jan 3, 2014 at 10:17 AM, Mitja Mihelič <mitja.mihelic at arnes.si> wrote:

> Hi!
>
> How to get usermod working with SSSD/389DS ?
>
> We have SSSD set up on our server and it uses 389DS.
> SSSD was enabled with the following command:
> authconfig --enablesssd --enablesssdauth --ldapbasedn=dc=example,dc=com
> --enableshadow --enablemkhomedir --enablelocauthorize --update
>
> Running for example "usermod -L username" returns:
> usermod: user 'username' does not exist in /etc/passwd
>
> Each time usermod is executed there is a query logged in 389DS, so SSSD
> does pass the request to 389DS.
> Strace (attached) of usermod shows that it gets at least gecos back from
> SSSD and that it checked the /var/lib/sss/mc/passwd file which contains:
> username
> Name Lastname
> /home/username
> /bin/bash
>
> Soon after that it starts to open /etc/shadow and /etc/passwd.
>
> What are we missing?
> Any insight would be appreciated.
>
> Regards, Mitja
>
> --
> Mitja Mihelič
> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
> tel: +386 1 479 8877, fax: +386 1 479 88 78
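
A diagnostic sketch for the two checks this thread points at, added here and not part of either message: it lists which nsswitch.conf databases lack an `sss` source, and reports whether an account has an entry in the local passwd file or only resolves through NSS. The function names and all sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# nss_missing_sss FILE DB...
# Print every database whose line in FILE does not list "sss" as a source
# (a database with no line at all is reported too).
nss_missing_sss() {
    conf=$1; shift
    for db in "$@"; do
        awk -v db="$db" '
            { sub(/#.*/, "") }                      # drop comments
            $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
            END { if (!found) print db }
        ' "$conf"
    done
}

# account_origin USER [PASSWD_FILE]
#   local    - USER has an entry in PASSWD_FILE (default /etc/passwd)
#   nss-only - USER resolves through NSS (id) but is not in PASSWD_FILE
#   unknown  - USER does not resolve at all
account_origin() {
    user=$1; file=${2:-/etc/passwd}
    if awk -F: -v u="$user" '$1 == u { f = 1 } END { exit !f }' "$file" 2>/dev/null; then
        echo local
    elif id -u "$user" >/dev/null 2>&1; then
        echo nss-only
    else
        echo unknown
    fi
}

# Demo on a constructed nsswitch.conf in which sudoers has no sss source.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample
passwd:     files sss
shadow:     files sss
group:      files sss   # trailing comment is ignored
sudoers:    files
EOF
echo "databases without sss: $(nss_missing_sss "$demo" passwd shadow group sudoers | tr '\n' ' ')"
echo "root is: $(account_origin root)"
rm -f "$demo"
```

On a real host, point `nss_missing_sss` at /etc/nsswitch.conf and call `account_origin` with the account name in question.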