On Fri, Feb 10, 2012 at 11:20:01AM +0200, Aziz Sasmaz wrote:
> Hi,
> I resolved the cert issue. But there is one more thing I wonder. The
> configuration I use for system-auth in Red Hat 5.7 does not work for
> CentOS 6.2. In 6.2 it works without pam_sss. How does that happen if
> there is no sssd pam module in system-auth? I am also sure the
> authentication is made through sssd.
>
> For instance I use the below configuration on 5.7:
>
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> #password required pam_passwdqc.so enforce=users min=disabled,16,12,8,6
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session sufficient pam_sss.so
>
> But in 6.2 the below configuration works without pam_sss. There are only ldap
> pam modules. But I checked that the authentication is made through sssd.
>
> auth required pam_env.so
> auth sufficient pam_fprintd.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>

I very much doubt it, the pam_sss.so module is the entry point for SSSD's
pam responder.

When logging in, can you check what /var/log/secure says? If the login
goes through sssd, you should see pam_sss being mentioned, like this:

    sshd[16406]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain user=admin

Also can you check that the service you are logging in with uses the PAM
config file you posted?
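
The log check suggested in the reply above, as an added example that is not part of the original thread: it parses /var/log/secure style lines and reports which PAM module logged each auth result per service and user. The sample lines (timestamps, host name, the `login`/`bob` entry) are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Linux-PAM's pam_syslog() prefixes each message with "module(service:type): ".
PAM_LINE = re.compile(
    r"(?P<proc>[\w./-]+)\[(?P<pid>\d+)\]:\s+"
    r"(?P<module>pam_\w+)\((?P<service>[^:()]+):(?P<type>\w+)\):\s+"
    r"(?P<msg>.*)"
)
USER = re.compile(r"\buser=(\S+)")  # \b keeps this from matching "ruser="

# Constructed sample in /var/log/secure format (not taken from a real host).
SAMPLE_LOG = """\
Feb 10 11:31:02 host1 sshd[16406]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain  user=admin
Feb 10 11:31:02 host1 sshd[16406]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain user=admin
Feb 10 11:31:02 host1 sshd[16406]: Accepted password for admin from 127.0.0.1 port 51514 ssh2
Feb 10 11:31:02 host1 sshd[16406]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Feb 10 11:40:17 host1 login[2211]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=bob
"""

def auth_modules(log_text):
    """Map (service, user) -> {module: [outcomes]} for auth-phase PAM messages."""
    seen = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = PAM_LINE.search(line)
        if not m or m["type"] != "auth":
            continue  # not a PAM line, or a session/account/password message
        u = USER.search(m["msg"])
        if not u:
            continue
        outcome = m["msg"].split(";", 1)[0].strip()
        seen[(m["service"], u.group(1))][m["module"]].append(outcome)
    return seen

def went_through_sssd(log_text, service, user):
    """True only if pam_sss itself logged an auth success for this service/user."""
    outcomes = auth_modules(log_text).get((service, user), {}).get("pam_sss", [])
    return "authentication success" in outcomes

if __name__ == "__main__":
    for (service, user), mods in auth_modules(SAMPLE_LOG).items():
        print(service, user, dict(mods))
```
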
