admin9 (RSA) to rsaSFDCadmin (RSA): asked a question.

PAM Agent on RHEL8 Systems attached to AD and SecurID
Dear all
We use the PAM Agent with RSA SecurID on OL7 systems with local Linux
users (works fine).
Now we are building up a new environment with RHEL8 systems which are attached to
an AD (over sssd).
Does the PAM Agent support such an environment?
Users in AD and RSA SecurID login over ssh?

Many thanks in advance

regards
Joe

  • [@joe-gaechter](https://community.rsa.com/t5/user/viewprofilepage/user-id/125201),

    Thank you for your question about the PAM agent. I've moved your post to the
    SecurID community where it will be seen by members of our Support,
    Professional Services and Engineering teams, as well as by other SecurID
    users.

    What you are asking about is module stacking. If the agent is working for your
    local users then we are not responsible for getting stacking to work as we do
    not support the AD portion of your question. PAM and AM are not aware of
    whether or not RHEL is joined to your AD domain, but you can configure things.
    For example,

    * If RHEL needs the UPN for the AD password then you might need your Authentication Manager external identity source to map to UPN and not to samAccountName.
    * If RHEL uses the old format of domain\user ID, you could have the Authentication Manager external identity source mapped to samAccountName and the PAM login could be domain\user ID and you could configure RSAOMIT to drop the prepended domain\ string in front of the user ID.

    When the PAM logon is domain\user ID, the whole string is sent to AD; that is,
    domain\user ID with the AD password, but with the RSAOMIT option so that it
    sends just the user ID with the passcode to Authentication Manager. See
    [how to ignore username's NTLM or "down-level logon name" domain name prefix
    sent by a radius client or agent in RSA Authentication Manager
    8.x](https://community.rsa.com/t5/rsa-securid-access-knowledge/how-to-ignore-username-s-ntlm-or-quot-down-level-logon-name-quot/ta-p/2612)
    for more information.
    Selected as Best
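    To make the "module stacking" in the reply above concrete, here is an illustrative sshd PAM stack that is not from RSA, Red Hat or the original thread. It assumes the RSA Authentication Agent for PAM is installed (module name pam_securid.so), that the host is joined to AD through sssd so pam_sss.so is reached via the authselect sssd profile's password-auth stack, and that sshd has UsePAM and keyboard-interactive (challenge-response) authentication enabled.

    ```text
    #%PAM-1.0
    # /etc/pam.d/sshd -- illustrative stacking order (assumed layout, not a shipped file)
    #
    # Both modules see the same PAM_USER string that ssh supplied. If users log in
    # as DOMAIN\user, that exact string reaches pam_sss.so (AD password check) and
    # pam_securid.so (passcode check), so the identity-source mapping (UPN vs.
    # samAccountName) or the RSAOMIT option from the reply decides whether
    # Authentication Manager recognises the account.
    #
    # "required" on both lines means a login needs the AD password AND a valid
    # passcode, and PAM reports failure only after the whole auth stack has run,
    # so a wrong passcode and a wrong AD password look identical to the client.
    auth       required     pam_securid.so          # prompt 1: SecurID passcode -> Authentication Manager
    auth       substack     password-auth           # prompt 2: AD password -> pam_sss.so via sssd
    auth       include      postlogin
    account    required     pam_sepermit.so
    account    required     pam_nologin.so
    account    include      password-auth           # sssd account checks (expiry, access filters)
    password   include      password-auth
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    session    required     pam_selinux.so open env_params
    session    required     pam_namespace.so
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth
    session    include      postlogin
    ```

    Before relying on this on a real host, test it from a second session while an existing root shell stays open, and confirm the sequence in /var/log/secure (sshd and sssd entries) and the agent's own trace log, so a stacking mistake cannot lock you out or silently let one factor be skipped.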