On Tue, Sep 20, 2016 at 02:03:38PM +0000, Larry Rosen wrote:
> Thanks, that explains a lot (I didn't catch the difference in auth services).
> Would this be mitigated by putting sss in front of files in nsswitch.conf)?
> 
> /etc/nsswitchconf:
> passwd:     files sss
> shadow:     files sss
> group:      files sss

No, NSS is a separate interface. You can experiment with adding
pam_localuser.so before pam_unix, though.

btw this is how recent Fedora releases configure their PAM stack:
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok 
try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

But watch out, PAM stacks are inherently distro-specific and I don't
remember what exactly you're running.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to