On 05/08/2015 08:14 AM, Ulrich Hiller wrote:
With kind regards, ulrich
Hm. I don't *see* the problem, so let me go about this in the opposite
direction. I added the host controls to one of my systems, and they
appear to work properly.
My configuration files were *mostly* written by "authconfig". It looks
like you've done some manual tweaking with YaST examples. Some of the
PAM stuff looks like it was tacked-on at the end of a sequence without
understanding how PAM flow control works.
(Minor aside: you may have used authconfig --enablemd5, which weakens
security somewhat. I believe the default is equivalent to authconfig
--passalgo=sha256)
Your sssh pam file referenced password-auth (/etc/pam.d/password-auth)
which should be a separate file from system-auth, but should have
identical content.
I recommend starting with a completely clean system, setting up
authentication with authconfig, and then modifying sssd.conf one setting
at a time as you work toward your desired configuration.
/etc/sss/sssd.conf:
------
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = PRIVATE.EXAMPLE.NET
ldap_search_base = dc=private,dc=example,dc=net
krb5_server = directory.private.example.net:88
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://directory.private.example.net/
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_store_password_if_offline = True
krb5_kpasswd = directory.private.example.net:749
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
------
/etc/pam.d/system-auth-ac
------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass
local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha256 shadow nullok
try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
------
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
