On Tue, Sep 20, 2016 at 02:03:38PM +0000, Larry Rosen wrote:
> Thanks, that explains a lot (I didn't catch the difference in auth services).
> Would this be mitigated by putting sss in front of files in nsswitch.conf?
> passwd: files sss
> shadow: files sss
> group: files sss

No, NSS is a separate interface. You can experiment with adding
pam_localuser.so before pam_unix, though.

btw this is how recent Fedora releases configure their PAM stack:

auth required pam_env.so
auth sufficient pam_fprintd.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

But watch out, PAM stacks are inherently distro-specific and I don't
remember what exactly you're running.
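
Added example, not part of the original message and not Fedora's or libpam's own code: a simplified Python model of how libpam evaluates the control fields in the stack quoted above, showing which modules a local and a non-local login actually reach. The per-module return values built by `case()` are constructed assumptions, and the model covers only the actions this stack uses (ok, done, bad, die, ignore, and a jump count).

```python
# Added example: simplified model of libpam control handling, auth stack only.
LEGACY = {"required": "success=ok ignore=ignore default=bad",
          "requisite": "success=ok ignore=ignore default=die",
          "sufficient": "success=done default=ignore"}
STACK = """\
auth required pam_env.so
auth sufficient pam_fprintd.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

def parse(text):  # -> [(module, {return_value: action})]
    rules = []
    for line in text.splitlines():
        rest = line.split(None, 1)[1]              # drop the "auth" column
        if rest.startswith("["):
            ctl, rest = rest[1:].split("]", 1)
        else:
            kw, rest = rest.split(None, 1)
            ctl = LEGACY[kw]                       # expand legacy keyword
        rules.append((rest.split()[0], dict(kv.split("=") for kv in ctl.split())))
    return rules

def authenticate(rules, results):  # -> (granted, modules actually called)
    state, ran, i = None, [], 0                    # None = no verdict yet
    while i < len(rules):
        module, actions = rules[i]
        act = actions.get(results[module], actions["default"])
        ran.append(module)
        i += 1
        if act.isdigit():                          # jump: skip the next N modules
            i += int(act)
        elif act in ("ok", "done"):
            state = state is not False             # success cannot undo a failure
        elif act in ("bad", "die"):
            state = False
        if act == "die" or (act == "done" and state):
            break
    return state is True, ran

def case(local, good_pw, uid_ok=True):             # constructed return values
    pw = "success" if good_pw else "auth_err"
    return {"pam_env.so": "success", "pam_fprintd.so": "authinfo_unavail",
            "pam_localuser.so": "success" if local else "perm_denied",
            "pam_unix.so": pw if local else "user_unknown",
            "pam_succeed_if.so": "success" if uid_ok else "auth_err",
            "pam_sss.so": "user_unknown" if local else pw, "pam_deny.so": "auth_err"}
```

Calling `authenticate(parse(STACK), case(local=True, good_pw=False))` shows the stack dying at pam_unix.so, so a local account's failed password is never handed to pam_sss.so, while a non-local user skips pam_unix.so entirely.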