So we're creating a new RHEL 7 build, we have quite a large existing estate managed (mostly) by puppet which includes access.conf, sudoers and the odd bit of tcpwrappers etc... we've upgraded puppet so it now works across all our estate and hence for consistency and compliance reasons (it's very easy to just send the puppet rules to the auditors) we'd like to continue using puppet to write our access.conf files rather than switching it to produce something else like say an sssd.conf with simple access rules.

We have PAM sssd.conf currently doing IDs and auth against LDAP but as there's no auth config in LDAP I'd like to switch SSSD back to authenticating against the local access.conf written by puppet. Having looked around at the documentation there's no explicit example of this? It seems I can set SSSD to proxy to a PAM target (but not system-auth as that will cause a loop?) or use SSSD in PAM? What's the "correct" (secure, efficient and simplest)/definitive way of achieving this? I assume I'm supposed to write a new PAM target that refers only to pam_unix etc... and not loop back around to sssd as system-auth would currently? Obviously I'd like to double check this because there's probably enough badly written PAM configurations out there already. :^)

My current configuration (obviously wrong ATM) is...

[root@REDACTED ~]# cat /etc/sssd/sssd.conf
[domain/default]
ldap_default_authtok = REDACTED
ldap_default_authtok_type = REDACTED
ldap_default_bind_dn = REDACTED
ldap_schema = REDACTED
ldap_search_base = REDACTED
id_provider = ldap
auth_provider = ldap
#auth_provider = proxy 
#proxy_pam_target = sssdpamproxy
chpass_provider = ldap

ldap_uri = REDACTED,REDACTED
ldap_id_use_start_tls = True
cache_credentials = True
ldap_tls_cacertdir = /etc/pki/tls/certs/

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]
homedir_substring = /home
filter_users = root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
reconnection_retries = 3

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[root@REDACTED ~]# cat /etc/security/access.conf
# THIS FILE IS MAINTAINED BY PUPPET.
# 10-root
+ : root : LOCAL

+ : matherp : ALL

# 99-disable-everyone-else
- : ALL : ALL

[root@REDACTED ~]# cat /etc/nsswitch.conf
# THIS FILE IS MAINTAINED BY PUPPET.
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus

[root@REDACTED ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

When I login ATM this results in...

May 21 09:25:45 REDACTED sshd[6753]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=REDACTED  user=matherp
May 21 09:25:45 REDACTED sshd[6753]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=REDACTED user=matherp
May 21 09:25:45 REDACTED sshd[6753]: Accepted password for matherp from REDACTED port 34314 ssh2
May 21 09:25:46 REDACTED systemd-logind[826]: New session 142 of user matherp.
May 21 09:25:46 REDACTED systemd[1]: Starting Session 142 of user matherp.
May 21 09:25:46 REDACTED systemd[1]: Started Session 142 of user matherp.
May 21 09:25:46 REDACTED sshd[6753]: pam_unix(sshd:session): session opened for user matherp by (uid=0)