On Tue, Sep 20, 2016 at 02:03:38PM +0000, Larry Rosen wrote:
> Thanks, that explains a lot (I didn't catch the difference in auth services).
> Would this be mitigated by putting sss in front of files in nsswitch.conf)?
>
> /etc/nsswitchconf:
> passwd: files sss
> shadow: files sss
> group: files sss

No, NSS is a separate interface. You can experiment with adding
pam_localuser.so before pam_unix, though.

btw this is how recent Fedora releases configure their PAM stack:

auth required pam_env.so
auth sufficient pam_fprintd.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

But watch out, PAM stacks are inherently distro-specific and I don't
remember what exactly you're running.
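
Added example (not part of the original message and not Fedora or Linux-PAM code): a simplified Python model of how the control fields in the stack above route a login, showing that a failing pam_localuser.so skips pam_unix.so so the request reaches pam_sss.so. The module return values passed in are constructed inputs, and only the ok/done/bad/die/ignore/jump actions are modelled.

```python
import re

# Keyword controls in their bracket form, per pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}

# The auth stack quoted in the message above.
STACK = """\
auth required pam_env.so
auth sufficient pam_fprintd.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

def parse(stack):
    """Return [(module, {return_value: action})] for each auth line."""
    entries = []
    for line in stack.splitlines():
        ctl, module = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        bracket = ctl.startswith("[")
        actions = dict(kv.split("=") for kv in ctl[1:-1].split()) if bracket else KEYWORDS[ctl]
        entries.append((module, actions))
    return entries

def evaluate(stack, results):
    """Simplified dispatch loop. results: module -> 'success'|'ignore'|'fail'
    (constructed; unlisted modules count as 'fail'). Returns (granted, modules_run)."""
    granted, run, skip = None, [], 0      # granted: None means undecided
    for module, actions in parse(stack):
        if skip:                          # jumped over by an earlier [...=N]
            skip -= 1
            continue
        run.append(module)
        ret = results.get(module, "fail")
        action = actions.get(ret, actions["default"])
        if action.isdigit():
            skip = int(action)            # skip next N modules, verdict unchanged
        elif action in ("ok", "done") and granted is not False:
            granted = True
        elif action in ("bad", "die"):
            granted = False
        if action == "die" or (action == "done" and granted):
            return granted, run           # stack terminates immediately
    return granted is True, run
```

With a local account and a wrong password, the model stops at pam_unix.so (default=die) and never consults pam_sss.so; with an account that is not in /etc/passwd, pam_unix.so is absent from the list of modules run.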
