On Fri, 2012-02-10 at 11:28 +0100, Jakub Hrozek wrote:
> On Fri, Feb 10, 2012 at 11:20:01AM +0200, Aziz Sasmaz wrote:
> > Hi,
> > I resolved the cert issue. But there is one more thing I wonder about. The
> > configuration I use for system-auth in redhat 5.7 does not work for
> > Centos 6.2. In 6.2 it works without pam_sss. How does that happen if
> > there is no sssd pam module in system-auth? I am also sure the
> > authentication is made through sssd.
> >
> > For instance I use the below configuration on 5.7:
> >
> > # User changes will be destroyed the next time authconfig is run.
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_sss.so use_first_pass
> > auth required pam_deny.so
> > account required pam_unix.so
> > account sufficient pam_succeed_if.so uid < 500 quiet
> > account [default=bad success=ok user_unknown=ignore] pam_sss.so
> > account required pam_permit.so
> > password requisite pam_cracklib.so try_first_pass retry=3
> > #password required pam_passwdqc.so enforce=users min=disabled,16,12,8,6
> > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > password sufficient pam_sss.so use_authtok
> > password required pam_deny.so
> > session optional pam_keyinit.so revoke
> > session required pam_limits.so
> > session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
> > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session required pam_unix.so
> > session sufficient pam_sss.so
> >
> > But in 6.2 the below configuration works without pam_sss. There are only
> > ldap pam modules. But I checked: the authentication is made through sssd.
> >
> > auth required pam_env.so
> > auth sufficient pam_fprintd.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_ldap.so use_first_pass
> > auth required pam_deny.so
> > account required pam_unix.so broken_shadow
> > account sufficient pam_localuser.so
> > account sufficient pam_succeed_if.so uid < 500 quiet
> > account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > account required pam_permit.so
> > password requisite pam_cracklib.so try_first_pass retry=3 type=
> > password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> > password sufficient pam_ldap.so use_authtok
> > password required pam_deny.so
> > session optional pam_keyinit.so revoke
> > session required pam_limits.so
> > session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
> > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session required pam_unix.so
> > session optional pam_ldap.so
> 
> I very much doubt it; the pam_sss.so module is the entry point for
> SSSD's pam responder. When logging in, can you check what
> /var/log/secure says? If the login goes through sssd, you should see
> pam_sss being mentioned, like this:
> 
> sshd[16406]: pam_sss(sshd:auth): authentication success; logname= uid=0
> euid=0 tty=ssh ruser= rhost=localhost.localdomain user=admin
> 
> Also, can you check that the service you are logging in with uses the PAM
> config file you posted?
Aziz, in RHEL 6.2, GDM and SSHD no longer use /etc/pam.d/system-auth for their PAM stack. Instead, they use /etc/pam.d/password-auth. I'm betting you have pam_sss.so set up in password-auth.
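The two checks suggested in this thread (which PAM stack file actually loads pam_sss.so, and whether /var/log/secure shows pam_sss handling the auth request) can be scripted. The script below is an added example, not code from the thread or from the SSSD project. The function names (pam_stacks_with_module, pam_includes_of, pam_sss_auth_lines, make_fixture) are hypothetical, and the PAM files and log lines it builds are constructed to resemble the CentOS 6.2 situation described above: system-auth carries pam_ldap, password-auth carries pam_sss, and sshd includes password-auth. On a real host you would point the functions at /etc/pam.d and /var/log/secure instead of the fixture.

```shell
#!/bin/sh
# Added example (not from the thread): find which PAM stack files really
# load a module, which stacks a service pulls in via include/substack, and
# which log lines show pam_sss handling an auth request.  All inputs are
# constructed below so the script runs offline.

# Print the basenames of files under directory $1 that have an active
# (uncommented) line loading module $2, one per line, sorted.
pam_stacks_with_module() {
    dir=$1
    module=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # drop comments first so "#auth ... pam_sss.so" does not count
        if sed 's/#.*//' "$f" | grep -qw "$module"; then
            basename "$f"
        fi
    done | sort
}

# Print the stack files that service $2 (a file under $1) pulls in through
# "include" or "substack" lines, one level deep.  This is how RHEL 6 sshd
# ends up in password-auth rather than system-auth.
pam_includes_of() {
    sed 's/#.*//' "$1/$2" | awk '$2 == "include" || $2 == "substack" { print $3 }' | sort -u
}

# Print the lines of log file $1 where pam_sss handled an "auth" request.
pam_sss_auth_lines() {
    grep 'pam_sss([^)]*:auth)' "$1"
}

# Build a constructed fixture: pam.d/ with system-auth (pam_ldap),
# password-auth (pam_sss, with a commented-out pam_ldap line) and sshd
# (includes password-auth), plus a small "secure" log.  Prints the directory.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir "$tmp/pam.d"
    cat > "$tmp/pam.d/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
EOF
    cat > "$tmp/pam.d/password-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
#auth       sufficient    pam_ldap.so use_first_pass
EOF
    cat > "$tmp/pam.d/sshd" <<'EOF'
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
EOF
    # constructed log lines in the shape Jakub quotes from /var/log/secure
    cat > "$tmp/secure" <<'EOF'
Feb 10 11:20:01 host sshd[16406]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain user=admin
Feb 10 11:20:01 host sshd[16406]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain user=admin
Feb 10 11:20:01 host sshd[16406]: pam_sss(sshd:account): Access granted for user admin
EOF
    echo "$tmp"
}

# Stand-alone run over the fixture: shows that only password-auth loads
# pam_sss.so, that sshd includes password-auth, and that the log records
# pam_sss for the auth phase.
main() {
    fx=$(make_fixture)
    echo "stack files loading pam_sss.so:"
    pam_stacks_with_module "$fx/pam.d" pam_sss.so
    echo "stack files included by sshd:"
    pam_includes_of "$fx/pam.d" sshd
    echo "pam_sss auth events:"
    pam_sss_auth_lines "$fx/secure"
    rm -rf "$fx"
}
main
```

On a live system, `pam_stacks_with_module /etc/pam.d pam_sss.so` together with `pam_includes_of /etc/pam.d sshd` answers the question in the thread directly: if sshd includes password-auth and only password-auth lists pam_sss.so, editing system-auth has no effect on SSH logins, while `pam_sss_auth_lines /var/log/secure` confirms whether SSSD actually saw the request.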
_______________________________________________ sssd-devel mailing list [email protected] https://fedorahosted.org/mailman/listinfo/sssd-devel
