From LDAP to etc/passwd

Some time ago I wrote about how to set up LDAP authentication on a Fedora machine. In this piece I set out a procedure to roll it back and resume using old-style authentication from local files.

There is no book on this topic, and no chapter in the many manuals about system administration of Linux machines. The following is the product of trial, error and a lot of luck — together with a great volume of reading all those manuals to understand how things work.

Master sssd (the System Security Services Daemon) first. Documentation can be found in Chapter 9 of the Fedora Linux 17 System Administrator's Guide. A reworking of the same material appears in chapter 12 of the Red Hat Enterprise Linux 6 Deployment Guide. The SSSD project documentation posted on the Fedora Hosted wiki site is another good source of information, including HowTos and FAQs.

Here are the steps:

1. Make sure sssd is shut down ("systemctl stop sssd") and disabled ("systemctl disable sssd"). Delete, or better move aside, /etc/sssd/sssd.conf (the daemon's configuration lives in /etc/sssd/, not directly under /etc). While you are there, check that the passwd, shadow and group lines in /etc/nsswitch.conf no longer list sss; a leftover sss entry sends every lookup to a daemon that is no longer running.

2. Run authconfig-gtk and select “Local accounts only”. Hit “Apply”. This will generally make all the changes needed to reset system authentication.

Use "authconfig --test" to examine the resulting configuration. You may find that additional changes have to be made.

If you prefer the command line, or don't trust the GUI (healthy skepticism about all admin scripts and tools is an essential quality for Fedora admins), run authconfig with the following parameters. Note the trailing --update: without it (or --test) authconfig exits without writing anything.

authconfig --disablesysnetauth \
--disablemkhomedir \
--disablekrb5 \
--disablekrb5kdcdns \
--disablekrb5realmdns \
--disableldap \
--disableldapauth \
--disableldaptls \
--update

Note: If you have enabled other sorts of auth, like Samba, Winbind or Active Directory integration, you may need to add additional disable parameters. Current versions of authconfig also have separate switches for sssd itself (--disablesssd and --disablesssdauth), which are worth adding so that authconfig does not put pam_sss back. Keep checking the current configuration with "authconfig --test" and invoke "authconfig --help" to find the available options.

3. Restore /etc/pam.d/system-auth to its original configuration (to restore something as critical as a pam config file I recommend getting a known good working copy from a clean install — in my case a test virtual machine). When I compared mine with an unmodified copy the differences were inconsequential, but I replaced it anyway. One thing to check before you do: on Fedora, system-auth (and password-auth) is normally a symlink to the corresponding -ac file, which is the file authconfig actually rewrites. If someone has replaced the symlink with a regular, hand-edited file, authconfig will leave it alone and its changes will never take effect; "ls -l /etc/pam.d/system-auth" tells you which case you are in.

4. Go into /etc/krb5.conf and delete or comment out the following lines (for some reason authconfig in at least Fedora 20 will not do this for you):

 default_realm = #
 dns_lookup_kdc = true

5. Verify the current configuration with "authconfig --test". If everything looks right, reboot.

6. Test logging in with a local account (one defined in /etc/passwd), both on the console and over ssh, and confirm with "getent passwd <user>" that the account resolves from files. Run "authconfig --test" again to make sure the config is correct.
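The whole procedure collected into one script, as an added example rather than code from the original post. It assumes Fedora's standard paths (/etc/sssd/sssd.conf, the /etc/pam.d/*-ac files) and the authconfig switches documented in its man page, and it adds --disablesssd/--disablesssdauth, which the option list above does not include. The check functions take file paths so they can be run against saved copies (or test fixtures) as well as the live system; --apply performs steps 1, 2 and 4 and needs root, while --audit is read-only and covers steps 5 and 6.

```bash
#!/bin/bash
# Roll a Fedora host back from sssd/LDAP/Kerberos to local-file authentication
# and audit the result. Added example, not code from the original post.
# Assumed: Fedora's standard paths (/etc/sssd/sssd.conf, /etc/pam.d/*-ac) and
# the authconfig switches from its man page. The *_is_* checkers take a file
# path so they can be pointed at copies, not only at the live configuration.
set -u

# Return 0 when the passwd/shadow/group lines of an nsswitch.conf name only
# local sources; print and return 1 for any line still listing sss or ldap.
nss_is_local() {
    local file=$1 bad
    [ -r "$file" ] || { echo "  $file: not present, skipping"; return 0; }
    bad=$(grep -E '^(passwd|shadow|group):' "$file" | grep -Ew 'sss|ldap' || true)
    [ -z "$bad" ] || { printf '  %s: %s\n' "$file" "$bad"; return 1; }
}

# Return 0 when a PAM stack file has no active pam_sss/pam_ldap/pam_krb5 line
# (commented-out lines are ignored).
pam_is_local() {
    local file=$1 bad
    [ -r "$file" ] || { echo "  $file: not present, skipping"; return 0; }
    bad=$(grep -Ev '^[[:space:]]*#' "$file" | grep -E 'pam_(sss|ldap|krb5)\.so' || true)
    [ -z "$bad" ] || { printf '  %s: %s\n' "$file" "$bad"; return 1; }
}

# Return 0 when krb5.conf no longer sets default_realm or dns_lookup_kdc,
# the two keys that step 4 says authconfig leaves behind.
krb5_is_clean() {
    local file=$1 bad
    [ -r "$file" ] || { echo "  $file: not present, skipping"; return 0; }
    bad=$(grep -Ev '^[[:space:]]*#' "$file" \
          | grep -E '^[[:space:]]*(default_realm|dns_lookup_kdc)[[:space:]]*=' || true)
    [ -z "$bad" ] || { printf '  %s: %s\n' "$file" "$bad"; return 1; }
}

# authconfig rewrites system-auth-ac / password-auth-ac and expects the
# un-suffixed name to be a symlink to it. A regular file there (hand-edited)
# is left alone, so authconfig silently changes nothing for that stack.
pam_is_managed() {
    local file=$1
    [ -e "$file" ] || { echo "  $file: not present, skipping"; return 0; }
    [ -L "$file" ] && [ "$(readlink "$file")" = "${file##*/}-ac" ]
}

# Steps 5/6: run every check; return 1 if anything non-local remains.
audit_files() {
    local rc=0
    nss_is_local   "${1:-/etc/nsswitch.conf}"          || rc=1
    pam_is_local   "${2:-/etc/pam.d/system-auth-ac}"   || rc=1
    pam_is_local   "${3:-/etc/pam.d/password-auth-ac}" || rc=1
    krb5_is_clean  "${4:-/etc/krb5.conf}"              || rc=1
    pam_is_managed "${5:-/etc/pam.d/system-auth}" \
        || { echo "  ${5:-/etc/pam.d/system-auth}: not a symlink to its -ac file"; rc=1; }
    return $rc
}

# Steps 1, 2 and 4 of the post, in one place. Must run as root.
apply_rollback() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rollback: run as root" >&2; return 1; }
    systemctl stop sssd
    systemctl disable sssd
    # Keep the old config so the change can be reversed; the post deletes it.
    [ -e /etc/sssd/sssd.conf ] && mv /etc/sssd/sssd.conf "/etc/sssd/sssd.conf.off.$(date +%F)"
    # --disablesssd/--disablesssdauth are in addition to the post's list;
    # nothing is written without --update.
    authconfig --disablesssd --disablesssdauth \
               --disableldap --disableldapauth --disableldaptls \
               --disablekrb5 --disablekrb5kdcdns --disablekrb5realmdns \
               --disablesysnetauth --disablemkhomedir \
               --update || return 1
    # Step 4 by hand: comment out the two keys authconfig leaves in krb5.conf.
    sed -i.bak -E 's/^([[:space:]]*(default_realm|dns_lookup_kdc)[[:space:]]*=)/#\1/' /etc/krb5.conf
    authconfig --test
}

case "${1:-}" in
    --apply) apply_rollback && audit_files ;;
    --audit) audit_files && echo "all name-service and PAM sources are local" ;;
    *)       echo "usage: $0 --audit | --apply" >&2 ;;
esac
```

Step 3 (replacing system-auth with a known-good copy) is deliberately left manual: the script only reports whether authconfig is still in control of the file. Run --audit before --apply to see what will change, and again after the reboot before relying on the host.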

This entry was posted in Identity Management, Security, System Administration.

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).