Hello,
I have set up Horizon View with 2 Desktop Pools: one is a CentOS 7 pool and the other one an Ubuntu 18.04 pool.
I already made a script that, at the startup of the machines, joins every machine to the domain and enables sssd for authentication with the AD domain. It works smoothly on both distros.
SSO was not working on CentOS7 from the beginning.
On the other hand, on Ubuntu 18.04 it was working, but after an apt update and an apt upgrade SSO got broken.
I can find entries in viewagent-debug.log like:
"Start session for user: mattia.parise, have SSO cred: false"
"[SessionHandler] SSO is disabled by broker"
What could be the cause?
Any best practice to make SSO work Windows-like?
The documentation is lacking on normal SSO and quotes the TrueSSO feature every time, which I'm not interested in at the moment.
Many thanks
Best regards
Mattia Parise
Have you seen this in the release notes?
Single Sign On (SSO) does not work well on a RHEL/CentOS 7.2 desktop when you add a domain using System Security Services Daemon (SSSD).
Workaround: After you add a domain using SSSD, modify the /etc/pam.d/password-auth file using the information in the VMware Knowledge Base article 2150330 SSO configuration changes required when using SSSD to join AD on RHEL/CentOS 7.2 Desktops.
Hello, thanks for the answer! I did not find that, but I will check it. Thank you very much, I must have missed that!
Regards
Mattia
Hello,
I would like to focus on CentOS at the moment...
In my CentOS 7 version these lines were already set.
There were, by the way, other lines. This is the content of the file:
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
And it's not working.
Any suggestions?
Thanks
This line:
auth sufficient pam_sss.so forward_pass
Should be this line:
auth sufficient pam_sss.so use_first_pass
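
A way to check a desktop image for the difference pointed out in the reply above, as an added example that is not part of the thread or of any VMware tooling. The function names are hypothetical, and the sample is constructed from a few lines of the password-auth file quoted earlier.

```python
import re

# Constructed sample: part of the password-auth stack quoted in the thread.
SAMPLE = """\
auth required pam_env.so
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
password sufficient pam_sss.so use_authtok
-session optional pam_systemd.so
session optional pam_sss.so
"""

# type, control (a keyword or a [value=action ...] group), module, arguments.
RULE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)

def parse_rules(text):
    """Return (lineno, type, control, module, args) for every rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:  # blank lines, comments and include directives are skipped
            rules.append((lineno, m["type"], m["control"],
                          m["module"].rsplit("/", 1)[-1], m["args"].split()))
    return rules

def sss_auth_findings(text):
    """Flag auth pam_sss.so rules that do not carry use_first_pass."""
    findings = []
    for lineno, rtype, _control, module, args in parse_rules(text):
        if rtype == "auth" and module == "pam_sss.so" and "use_first_pass" not in args:
            findings.append((lineno, args))
    return findings

def apply_fix(text):
    """Swap forward_pass for use_first_pass on the flagged lines only."""
    flagged = {lineno for lineno, _ in sss_auth_findings(text)}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if lineno in flagged:
            raw = re.sub(r"\bforward_pass\b", "use_first_pass", raw)
        out.append(raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for lineno, args in sss_auth_findings(SAMPLE):
        print(f"line {lineno}: auth pam_sss.so has {args}, expected use_first_pass")
```

Only the auth rule is touched; the password and session pam_sss.so lines are left as they are, matching the one-line change given in the reply.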