How to get rid of sssd

I’ve had so much trouble getting LDAP authentication to work that I’m reverting to NIS.

I’ve set up the NIS server and I’ve got NIS authentication to work just fine in a vm which has openSUSE 13.2 on it and has never been configured for LDAP.

My main workstation has been configured (or at least I attempted to configure it) to use LDAP for authentication and has sssd running. I don’t know if it’s sssd and my failed attempts to get LDAP working that’s causing the problem, but trying to log in as a NIS user fails to validate the password with “Authentication service cannot retrieve authentication info”.

Examining the working vm shows sssd as not configured whereas the workstation shows sssd as configured even though I’ve deleted the domain I tried to set up.

What can I do to get the workstation showing sssd not configured?

If ldap/sssd are no longer required on the workstation, perhaps just remove the sssd package entirely?

In the end I used journalctl to find out that pam_sssd was the problem so I used grep to find instances in /etc/pam.d and then edited all the pam files on the workstation to match the files in the (working) vm.

  • common-account -> common-account-pc
  • common-auth -> common-auth-pc
  • common-password -> common-password-pc
  • common-session -> common-session-pc

Not very neat, I know, but it did work.

Following the comment from LewsTherinTelemon I re-installed the pam files - yes, I did back them up first :slight_smile: - and uninstalled sssd_ldap which is a much neater solution.

I just deleted sssd_ldap as I’m not sure if other parts of sssd are used elsewhere and that seems to have done the trick - Thanks

fudokai,

I have been using LDAP here for years. Only tried to use SSSD once. When I saw that you could not configure which branches to use in LDAP for passwd, shadow, group and hosts, I switched back to normal LDAP.

If you still wish to use LDAP I can help you set it up.

You will need to install nss_ldap and pam_ldap. You will have to configure manually as the YaST GUI stopped supporting this around 11.4 I think.

/etc/ldap.conf


Atlas:~ # grep -v '^#' /etc/ldap.conf |sed -e '/^\s*$/d'
host 127.0.0.1
base dc=CTL,dc=CrewSystems
bind_policy soft
pam_lookup_policy yes
pam_password exop
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
nss_base_passwd ou=People,dc=CTL,dc=CrewSystems?one
nss_base_shadow ou=People,dc=CTL,dc=CrewSystems?one
nss_base_group          ou=Group,dc=CTL,dc=CrewSystems?one
nss_base_hosts          ou=Hosts,dc=CTL,dc=CrewSystems?one
nss_map_attribute uniqueMember member

/etc/nsswitch.conf


Atlas:~ # grep -i ldap /etc/nsswitch.conf 
passwd: files ldap
group:  files ldap
hosts:          files ldap dns

Enable PAM for LDAP


pam-config -a --ldap

The only problem I have is that getent does not show any IPv6 host info, but this is with both /etc/hosts and LDAP. So it is not a problem with LDAP.

https://forums.opensuse.org/showthread.php/514163-Problem-showing-and-resloving-IPv6-host-info-in-etc-hosts-and-LDAP?p=2757914#post2757914

Dave W

Thanks for your time & input. I had LDAP authentication working just fine under 13.1 using the YaST ldap_client module which has been dropped from 13.2 for some reason. I had to rebuild the workstation after a HDD died so I was re-installing 13.2 from scratch (rather than just an upgrade as before) and just couldn’t get it to work. I could get the LDAP browser to connect fine, just no authentication :frowning:

I originally started using LDAP to learn about it and up the old skill set. Now that I’m a retired geriatric, the skill set is moot and I just want to get something to work ;).

I’m running a small mixed home system and NIS will be fine for the *nix boxes and I can use Samba for the Windoze stuff so I’ll give up on LDAP and live with NIS.

fudokai,

You are welcome. I would agree that for home use NIS would be enough and not as difficult to set up. The yast2 package was not dropped in 13.2; it was renamed to yast-auth-client and yast-auth-server.

I do wish that YaST2 would have better LDAP support, like creating the Base DN when it creates the database. If it was not for phpldapadmin I might not be using LDAP today. On first use it said that there was no base DN, did I want it to create it?

Dave W

fudokai,
Firstly, I would love to have helped you set up the SSSD, but I’ll focus on the manual removal to assist as requested.

  1. pam-config --delete --sss

     Modifying the PAM files manually is not recommended; let pam-config do it for you.

  2. remove “sss” references from the /etc/nsswitch.conf file

  3. uninstall the sssd packages.

Use YaST to configure your desired authentication service.

– lawrence
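The steps above (pam-config --delete --sss, cleaning sss out of /etc/nsswitch.conf, removing the packages) leave one question the original poster hit: how do you confirm the workstation is really clean, rather than discovering it at the login prompt? The following audit script is an added example, not code from the thread or from the sssd or pam-config projects. It counts files under a PAM directory that still load pam_sss.so and nsswitch.conf service lines that still list the sss source, and exits non-zero while anything remains. The sample "before" and "after" configuration trees it builds are constructed for the demonstration; on a real host run it as `sh audit-sss.sh /etc/pam.d /etc/nsswitch.conf`.

```shell
#!/bin/sh
# Added example (not from the thread): check whether sssd is still wired into
# PAM and NSS after removal. The sample trees below are constructed; on a real
# host pass /etc/pam.d and /etc/nsswitch.conf as the two arguments.

# Number of files in the given PAM directory that still load pam_sss.so.
pam_sss_refs() {
    grep -l 'pam_sss\.so' "$1"/* 2>/dev/null | wc -l | tr -d ' '
}

# Number of nsswitch.conf service lines (passwd:, group:, ...) that still
# list "sss" as a source. The word must stand alone, so "sssd" or a comment
# line does not count.
nss_sss_refs() {
    grep -E '^[a-z_]+:.*(^|[[:space:]])sss([[:space:]]|$)' "$1" 2>/dev/null \
        | wc -l | tr -d ' '
}

# Print a summary; succeed (exit 0) only when no references remain.
audit_sss() {
    pam=$(pam_sss_refs "$1")
    nss=$(nss_sss_refs "$2")
    echo "files loading pam_sss.so in $1: $pam"
    echo "service lines using sss in $2:  $nss"
    [ "$pam" -eq 0 ] && [ "$nss" -eq 0 ]
}

# Build constructed sample trees: "before" resembles a machine with sssd still
# configured, "after" resembles one where the three steps were carried out.
# Prints the temporary directory that holds both.
make_samples() {
    dir=$(mktemp -d)
    mkdir -p "$dir/before/pam.d" "$dir/after/pam.d"

    cat > "$dir/before/pam.d/common-auth" <<'EOF'
auth    required        pam_env.so
auth    sufficient      pam_sss.so      use_first_pass
auth    required        pam_unix.so     try_first_pass
EOF
    cat > "$dir/before/pam.d/common-account" <<'EOF'
account requisite       pam_unix.so     try_first_pass
account sufficient      pam_sss.so      use_first_pass
EOF
    cat > "$dir/before/pam.d/common-session" <<'EOF'
session required        pam_limits.so
session required        pam_unix.so     try_first_pass
EOF
    cat > "$dir/before/nsswitch.conf" <<'EOF'
# constructed sample, sssd still active
passwd: compat sss
group:  compat sss
hosts:  files dns
EOF

    cat > "$dir/after/pam.d/common-auth" <<'EOF'
auth    required        pam_env.so
auth    required        pam_unix.so     try_first_pass
EOF
    cat > "$dir/after/pam.d/common-account" <<'EOF'
account requisite       pam_unix.so     try_first_pass
EOF
    cat > "$dir/after/nsswitch.conf" <<'EOF'
# constructed sample, sssd removed; NIS via compat
passwd: compat
group:  compat
hosts:  files dns
EOF
    echo "$dir"
}

# Real-host usage: sh audit-sss.sh /etc/pam.d /etc/nsswitch.conf
if [ $# -ge 2 ]; then
    audit_sss "$1" "$2"
fi
```

On openSUSE the files pam-config actually writes are the common-*-pc variants that common-auth and friends symlink to, so grep'ing the whole directory, as above, catches both the symlinks and any hand-edited copies left behind; a non-zero result is the cue to re-run pam-config --delete --sss before touching nsswitch.conf.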