I found an answer - on a CACHED web page. The original link says, "This question was removed from Unix & Linux Stack Exchange for reasons of moderation." Here's the cached link: https://webcache.googleusercontent.com/search?q=cache:vlUMKhpD2ooJ:https://unix.stackexchange.com/questions/502805/freeipa-client-on-debian-9-cannot-find-user-error but Murphy only knows how long it will stay available.
Here are the important bits that fixed my problem:

/etc/pam.d/common-account
account [default=bad success=ok user_unknown=ignore] pam_sss.so forward_pass use_first_pass
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so

/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_sss.so forward_pass
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

/etc/pam.d/common-password
password [success=2 default=ignore] pam_sss.so forward_pass
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so

/etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_mkhomedir.so
session required pam_permit.so
session required pam_unix.so
session optional pam_sss.so

And some diff's :

# diff common-account common-account-bak 1,5d0 < account [default=bad success=ok user_unknown=ignore] pam_sss.so forward_pass use_first_pass < account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so < account requisite pam_deny.so < account required pam_permit.so < account sufficient pam_localuser.so 6a2,4 > account [success=1 new_authtok_reqd=done default=ignore] > pam_unix.so > account requisite pam_deny.so > account required pam_permit.so # diff common-auth common-auth-bak 1,5c1,2 < auth [success=2 default=ignore] pam_sss.so forward_pass < auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass < auth requisite pam_deny.so < auth required pam_permit.so < --- > auth required pam_unix.so nullok_secure > auth required pam_tally.so onerr=fail deny=5 per_user # diff common-password common-password-bak 1,5c1,4 < password [success=2 default=ignore] pam_sss.so forward_pass < password [success=1 default=ignore] pam_unix.so obscure sha512 < password requisite pam_deny.so <
password required pam_permit.so < --- > password requisite pam_cracklib.so retry=3 > minlen=8 difok=3 > password [success=1 default=ignore] pam_unix.so obscure use_authtok > try_first_pass sha512 > password requisite pam_deny.so > password required pam_permit.so # diff common-session common-session-bak 1,6d0 < session [default=1] pam_permit.so < session requisite pam_deny.so < session required pam_mkhomedir.so < session required pam_permit.so < session required pam_unix.so < session optional pam_sss.so 7a2,7 > session [default=1] pam_permit.so > session requisite pam_deny.so > session required pam_permit.so > session required pam_unix.so > session optional pam_systemd.so > session optional pam_ck_connector.so nox11

______________________________________________________________________________________________
Daniel E. White
[email protected]
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290

From: FreeIPA <[email protected]>
Reply-To: FreeIPA <[email protected]>
Date: Tuesday, March 3, 2020 at 11:37
To: Jochen Kellner <[email protected]>, FreeIPA <[email protected]>
Cc: Rob Crittenden <[email protected]>, Daniel White <[email protected]>
Subject: [EXTERNAL] [Freeipa-users] Re: A Debian Head-Scratcher

grep -rnI pam_sss /var/log /etc/pam.d returns nothing on this Debian system.
It is all over the CentOS system files.

Might this be an issue with the Debian freeipa-client package?

Also, I am able to log in with my IdM credentials, just not as this test-user.

______________________________________________________________________________________________
Daniel E. White
[email protected]
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290
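
Review bot: in the common-account diff, "account sufficient pam_localuser.so" is the last "<" line, after pam_permit.so, so it can no longer short-circuit anything, while pam_sss.so runs first with default=bad. Any pam_sss result other than success or user_unknown therefore fails the account stack for local users as well. Moving the pam_localuser.so line ahead of the pam_sss.so line would let local accounts pass without depending on pam_sss.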
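
Review bot: in the common-auth diff, the ">" side carries "auth required pam_tally.so onerr=fail deny=5 per_user" and the "<" side has nothing in its place, so the failed-login lockout that the backup file enforced is gone. If that policy is still wanted, a lockout line needs to be kept ahead of the pam_sss.so / pam_unix.so pair.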
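
Review bot: in the common-password diff, "password requisite pam_cracklib.so retry=3 minlen=8 difok=3" exists only on the ">" side, and the pam_unix.so line on the "<" side no longer has use_authtok try_first_pass, so local password changes lose the quality check the backup file applied. Keep the pam_cracklib.so line first in the stack if local password policy still matters on this host.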
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
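
An added example (not part of the original message and not FreeIPA or SSSD code): a small Python check that parses a PAM stack like the ones quoted above, resolves where each numeric success=N jump lands, and lists the modules dropped or added between the backup and the current file. The sample stacks are copied from the message's common-auth and its diff; the function names are hypothetical.

```python
import re

# Sample input taken from the message: the current common-auth and the
# backup side ('>' lines) of its diff.
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_sss.so forward_pass
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
COMMON_AUTH_BAK = """\
auth required pam_unix.so nullok_secure
auth required pam_tally.so onerr=fail deny=5 per_user
"""
# Fields: type, control (keyword or [value=action ...]), module, arguments
RULE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return (type, control, module, args) tuples, skipping comments/@include."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = RULE_RE.match(line)
        if match and not line.startswith("@"):
            rules.append(match.groups())
    return rules

def jump_targets(rules):
    """Resolve each numeric action: N means 'skip the next N rules'."""
    out = []
    for i, (_type, control, module, _args) in enumerate(rules):
        if not control.startswith("["):
            continue
        for key, val in re.findall(r"(\w+)=(\w+)", control):
            if val.isdigit():
                target = i + 1 + int(val)
                landed = rules[target][2] if target < len(rules) else None
                out.append((module, key, landed))
    return out

def module_diff(old_text, new_text):
    """Return (dropped, added) module names between two versions of a stack."""
    old = {r[2] for r in parse_stack(old_text)}
    new = {r[2] for r in parse_stack(new_text)}
    return sorted(old - new), sorted(new - old)

if __name__ == "__main__":
    print(jump_targets(parse_stack(COMMON_AUTH)))
    print(module_diff(COMMON_AUTH_BAK, COMMON_AUTH))
```

A landing value of None means the jump runs past the end of the file, which is worth checking whenever lines are added to or removed from a stack that uses success=N.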
