reverse engineering authentication in a corporate environment

So I find myself needing to configure (mostly Linux) servers for authentication and access. For about a year no one has been able or willing to tell me how the systems I'm supposed to connect to are configured, but I've eventually managed to score the kickstart script they use – which concatenates some config into sssd.conf and pam.conf… A lot of it is clearly redundant defaults. It's also clear there is no coherent understanding of how it's configured or why – I suspect the person or people who wrote the script know, but they are being particularly non-communicative – like it's not their problem…

I could let it stand and just do it their way… but where is the fun in that.

Hopefully by the end of this process I'll be able to write a nice post about how the various components interoperate…

So. Let's start. What I do know is we use Microsoft-based AD. We can't use that because of poor design – so all the Unix configuration has been carved out and pointed to a Linux LDAP server instead – we use that. Wrinkles, sure, but I'm not going to make any headway telling them they need to fix their AD… they know and are paralysed.

OS is Centos 7, for reasons.

There are three things I need to configure – authentication, access and auditing – AAA. Let's leave auditing off for the moment…

There are four tools I need to configure.

PAM – Pluggable Authentication Modules

PAM is the layer an application (sshd, login, su, sudo) calls instead of doing authentication itself: for each service it walks a stack of modules, split into four management groups (auth, account, password, session), and that stack decides which backend handles what and under what circumstances access is granted. It's the traffic cop. It's deceptively powerful – each requirement ends up as a decision tree, because every line's control flag (required, requisite, sufficient, optional) changes how one module's result affects the next.

Kerberos is a ticket-based protocol for authenticating over an untrusted network: the client proves knowledge of its key to the KDC and gets tickets back, and the password itself never crosses the wire. In many ways we just need to know what the other end uses (realm, KDC, encryption types) and configure ours to match. If we were designing from scratch there is more detail required, but for now this bit is relatively straightforward. PAM hands authentication off to Kerberos through a module (pam_krb5 directly, or pam_sss with sssd configured to use Kerberos for auth); Kerberos itself is not "PAM aware", the KDC knows nothing about the stack that called it.

sssd and nssd both, as far as I can tell, act in similar ways; why we have to configure both, no idea yet. This is where LDAP is set up.

PAM says: use Kerberos for authentication.

PAM says: use sssd for access control and identity.

PAM says: use sssd for credential updates (change password etc.).
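Those three lines, turned into files, as an added example (this is not the kickstart script or the real config from this post; the realm, KDC, LDAP URI, base DN and access group are assumed placeholders): a POSIX shell script that renders a CentOS 7 style system-auth stack, the matching sssd.conf and the nsswitch.conf lines, writes them into a scratch directory instead of /etc, and has a helper that lists which modules each PAM management group will actually consult.

```shell
#!/bin/sh
# Added example, not the kickstart script from the post. Renders the split
#   auth     -> Kerberos (pam_krb5 talks to the KDC)
#   account  -> sssd     (pam_sss asks LDAP who may log in)
#   password -> sssd     (pam_sss forwards the change to the KDC)
# into a scratch directory. All host/realm/DN values are assumed placeholders.
set -eu

REALM="EXAMPLE.COM"                                  # assumed Kerberos realm
KDC="kdc.example.com"                                # assumed KDC host
LDAP_URI="ldap://ldap.example.com"                   # assumed Linux LDAP server
LDAP_BASE="dc=example,dc=com"                        # assumed search base
ACCESS_GROUP="cn=linux-users,ou=groups,$LDAP_BASE"   # assumed allow-list group

# system-auth style stack. Order matters: a "sufficient" module that succeeds
# ends the group, so local (uid < 1000) accounts never touch the network and
# LDAP users fall through pam_unix (no local entry) to pam_krb5.
render_pam_stack() {
    cat <<'EOF'
auth      required   pam_env.so
auth      sufficient pam_unix.so nullok try_first_pass
auth      requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth      sufficient pam_krb5.so use_first_pass
auth      required   pam_deny.so

account   required   pam_unix.so broken_shadow
account   sufficient pam_localuser.so
account   sufficient pam_succeed_if.so uid < 1000 quiet
account   [default=bad success=ok user_unknown=ignore] pam_sss.so
account   required   pam_permit.so

password  requisite  pam_pwquality.so try_first_pass local_users_only retry=3
password  sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password  sufficient pam_sss.so use_authtok
password  required   pam_deny.so

session   optional   pam_keyinit.so revoke
session   required   pam_limits.so
session   optional   pam_sss.so
session   required   pam_unix.so
EOF
}

# sssd.conf: identity from LDAP, access decision from an LDAP filter, password
# changes forwarded to the KDC. Unquoted heredoc so the placeholders expand.
render_sssd_conf() {
    cat <<EOF
[sssd]
services = nss, pam
domains = corp

[domain/corp]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_uri = $LDAP_URI
ldap_search_base = $LDAP_BASE
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_access_filter = (memberOf=$ACCESS_GROUP)
krb5_realm = $REALM
krb5_server = $KDC
cache_credentials = false
EOF
}

# nsswitch.conf lines: the other half of sssd. nss_sss answers getpwnam() and
# getgrnam() from the same daemon that pam_sss talks to.
render_nsswitch() {
    cat <<'EOF'
passwd:  files sss
shadow:  files sss
group:   files sss
EOF
}

# Modules PAM will consult for one management group, in stack order.
# Copes with both plain control words and the "[bracketed]" control syntax.
pam_modules_for() {
    render_pam_stack | awk -v g="$1" '
        $1 == g { for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break } }'
}

# Write everything under DIR. sssd refuses to start unless sssd.conf is
# root-owned and mode 0600, so set the mode here rather than remembering later.
write_configs() {
    dir="$1"
    mkdir -p "$dir/pam.d" "$dir/sssd"
    render_pam_stack > "$dir/pam.d/system-auth"
    render_sssd_conf > "$dir/sssd/sssd.conf"
    render_nsswitch  > "$dir/nsswitch.conf.fragment"
    chmod 0600 "$dir/sssd/sssd.conf"
}

out="${1:-$(mktemp -d)}"
write_configs "$out"
echo "rendered into $out"
```

Run it as `sh render.sh /tmp/aaa` and diff the output against what the kickstart script leaves in /etc/pam.d/system-auth and /etc/sssd/sssd.conf; the stanzas here are what CentOS 7's authconfig emits for krb5 plus sssd, so anything the kickstart adds beyond them is the non-default part worth understanding. Two caveats a practitioner would want: with sssd's default `access_provider = permit` every LDAP user who knows their password gets a shell, so the `ldap_access_filter` line is the actual access control; and this is the legacy split, since pam_sss with `auth_provider = krb5` can take the auth leg too (pam_krb5 was dropped in RHEL 8), which is the "one less thing to go wrong" option. Once applied, each leg can be checked independently: `getent passwd someuser` exercises NSS through sssd, `kinit someuser` exercises Kerberos without PAM, and `sssctl config-check` validates sssd.conf before a restart.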

now what…

I'm beginning to suspect that nssd is not actually required. It's been superseded by sssd. I will need to confirm whether there is ANY unique config in it that isn't achievable with sssd. One less thing to go wrong.

Minor breakthrough…

It has been pointed out to me that PAM provides its AAA options per service (one stack per entry in /etc/pam.d) – which explains why you end up with so many different tools being used…