
I'm trying to match a FreeIPA user to a local group via FreeIPA group membership. When testing the manual edit of common-auth it works. But I'm trying to generate the file with pam-auth-update so that it won't break after an upgrade of something at some point.

What I've done so far:

  1. Added a group mapping, which adds users belonging to FreeIPA group service-admin to local group service.

sudo vi /etc/security/group.conf

*;*;%service-admin;Al0000-2400;service

  2. Create a pam-config file.

sudo vi /usr/share/pam-configs/group

Name: Activate /etc/security/group.conf
Default: yes
Priority: 512

Auth-Type: Primary
Auth-Final:
    [success=end default=ignore]    pam_group.so nullok try_first_pass
Auth-Initial:
    [success=end default=ignore]    pam_group.so nullok

  3. Re-generate the common-auth file:

sudo pam-auth-update

But sadly it doesn't add the line auth [success=3 default=ignore] pam_group.so nullok to /etc/pam.d/common-auth.

[...]
# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
[...]

No errors are shown, so I'm not sure how to debug this.

dmgeurts
  • Is this an example of an X/Y problem? The way I solved this was I changed the gid of my groups (including native Debian ones like netdev, audio, video) to the gid from my domain. After a reboot, my domain users who are members of domain group audio can access the audio of the local Debian system. – bgStack15 Jul 14 '22 at 23:48
  • I don't think so, the thing is it works if I edit common-auth manually. But I can't successfully edit common-auth by using pam-auth-update. My concern is breaking the manual edit in a couple of months' time by me or another sysadmin using pam-auth-update on this host. – dmgeurts Jul 16 '22 at 00:04
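Because pam-auth-update prints nothing, two read-only checks help narrow down where the mapping is lost: whether the group.conf lines parse in pam_group's field and time syntax, and whether the generated auth stack actually ends up containing a pam_group.so line. This is an added shell example, not code from the question, from any answer or from the PAM/FreeIPA projects; check_group_conf and has_pam_group are names chosen here, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the question): read-only checks for the two files
# the setup above depends on. Nothing here modifies the system.

# Return 0 when every non-comment line of a group.conf-style file has the five
# ';'-separated fields (users;ttys;groups;times;groups) and a time field in
# pam_group's syntax, e.g. Al0000-2400 or Wk0800-1800|Sa0900-1200.
check_group_conf() {
    awk -F';' '
        BEGIN {
            days  = "(Al|Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd)+"
            hhmm  = "[0-9][0-9][0-9][0-9]"
            range = "!?" days hhmm "-" hhmm
            timespec = "^" range "([|&]" range ")*$"   # ranges joined by | or &
        }
        /^[ \t]*(#|$)/ { next }                          # skip comments, blanks
        NF != 5 { printf "line %d: %d fields, expected 5\n", NR, NF; bad = 1; next }
        $4 !~ timespec { printf "line %d: bad time field %s\n", NR, $4; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Return 0 when an auth stack (e.g. /etc/pam.d/common-auth) contains an
# "auth ... pam_group.so" line, i.e. the module the profile was meant to add.
has_pam_group() {
    grep -Eq '^auth[[:space:]].*pam_group\.so' "$1"
}

# Constructed samples: the mapping line from the question and a common-auth
# fragment with only the two Primary modules that pam-auth-update generated.
tmp=$(mktemp -d)
printf '%s\n' '*;*;%service-admin;Al0000-2400;service' > "$tmp/group.conf"
printf '%s\n' \
  'auth    [success=2 default=ignore]      pam_unix.so nullok' \
  'auth    [success=1 default=ignore]      pam_sss.so use_first_pass' > "$tmp/common-auth"

check_group_conf "$tmp/group.conf" && echo "group.conf: syntax OK"
has_pam_group "$tmp/common-auth" || echo "common-auth: no pam_group.so line in the auth stack"
rm -rf "$tmp"
```

Point the two functions at /etc/security/group.conf and /etc/pam.d/common-auth after each pam-auth-update run to see which of the two files is not what you expect.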

0 Answers