Hi, yes exactly. It's in password-auth
thanks,
a.

On Fri, Feb 10, 2012 at 3:10 PM, Stephen Gallagher <[email protected]> wrote:

> On Fri, 2012-02-10 at 11:28 +0100, Jakub Hrozek wrote:
> > On Fri, Feb 10, 2012 at 11:20:01AM +0200, Aziz Sasmaz wrote:
> > > Hi,
> > > I resolved the cert issue. But there is one more thing I wonder. The
> > > configuration I use for system-auth in Red Hat 5.7 does not work for
> > > CentOS 6.2. In 6.2 it works without pam_sss. How does it happen if
> > > there is no sssd pam module in system-auth? I am also sure the
> > > authentication is made through sssd.
> > > For instance, I use the below configuration on 5.7:
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth required pam_env.so
> > > auth sufficient pam_unix.so nullok try_first_pass
> > > auth requisite pam_succeed_if.so uid >= 500 quiet
> > > auth sufficient pam_sss.so use_first_pass
> > > auth required pam_deny.so
> > > account required pam_unix.so
> > > account sufficient pam_succeed_if.so uid < 500 quiet
> > > account [default=bad success=ok user_unknown=ignore] pam_sss.so
> > > account required pam_permit.so
> > > password requisite pam_cracklib.so try_first_pass retry=3
> > > #password required pam_passwdqc.so enforce=users min=disabled,16,12,8,6
> > > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > > password sufficient pam_sss.so use_authtok
> > > password required pam_deny.so
> > > session optional pam_keyinit.so revoke
> > > session required pam_limits.so
> > > session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
> > > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > session required pam_unix.so
> > > session sufficient pam_sss.so
> > > But in 6.2 the below configuration works without pam_sss. There are only ldap
> > > pam modules. But I checked the authentication is made through sssd.
> > > auth required pam_env.so
> > > auth sufficient pam_fprintd.so
> > > auth sufficient pam_unix.so nullok try_first_pass
> > > auth requisite pam_succeed_if.so uid >= 500 quiet
> > > auth sufficient pam_ldap.so use_first_pass
> > > auth required pam_deny.so
> > > account required pam_unix.so broken_shadow
> > > account sufficient pam_localuser.so
> > > account sufficient pam_succeed_if.so uid < 500 quiet
> > > account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > > account required pam_permit.so
> > > password requisite pam_cracklib.so try_first_pass retry=3 type=
> > > password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> > > password sufficient pam_ldap.so use_authtok
> > > password required pam_deny.so
> > > session optional pam_keyinit.so revoke
> > > session required pam_limits.so
> > > session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
> > > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > session required pam_unix.so
> > > session optional pam_ldap.so
> > >
> >
> > I very much doubt it; the pam_sss.so module is the entry point for
> > SSSD's pam responder. When logging in, can you check what
> > /var/log/secure says? If the login goes through sssd, you should see
> > pam_sss being mentioned, like this:
> >
> > sshd[16406]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain user=admin
> >
> > Also can you check that the service you are logging in with uses the PAM
> > config file you posted?
> >
> Aziz, in RHEL 6.2, GDM and SSHD no longer use /etc/pam.d/system-auth for
> their PAM stack. Instead, they use /etc/pam.d/password-auth. I'm betting
> you have pam_sss.so set up in password-auth.
>
> _______________________________________________
> sssd-devel mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/sssd-devel
>
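The check suggested in the thread (confirm which PAM file a service really uses and whether pam_sss.so is in it), as an added example that is not part of the original messages. It flattens `include`/`substack` lines for a service and reports each module with the file it came from; the `SAMPLE` files and all function names are constructed for illustration, and backslash line continuations are assumed not to be used.

```python
from pathlib import Path

# Constructed sample files (not from the thread): sshd pulls in password-auth,
# while system-auth, the file that was edited, is never referenced by sshd.
SAMPLE = {
    "sshd": "auth required pam_sepermit.so\n"
            "auth include password-auth\n"
            "account include password-auth\n",
    "password-auth": "auth sufficient pam_unix.so nullok try_first_pass\n"
                     "auth sufficient pam_sss.so use_first_pass\n"
                     "auth required pam_deny.so\n"
                     "account [default=bad success=ok user_unknown=ignore] pam_sss.so\n",
    "system-auth": "auth sufficient pam_ldap.so use_first_pass\n",
}

def load_pam_dir(pam_dir="/etc/pam.d"):
    """Read a real PAM directory into the same {name: text} shape as SAMPLE."""
    files = (p for p in Path(pam_dir).iterdir() if p.is_file())
    return {p.name: p.read_text(errors="replace") for p in files}

def effective_stack(service, files, chain=()):
    """Expand include/substack; return (source_file, type, control, module) rows."""
    if service in chain or service not in files:
        return []                      # include loop or missing file
    rows = []
    for raw in files[service].splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) < 3:
            continue
        ptype, rest = f[0].lstrip("-"), f[1:]
        # A bracketed control such as [success=1 default=ignore] spans several fields.
        n = 1
        if rest[0].startswith("["):
            while n <= len(rest) and not rest[n - 1].endswith("]"):
                n += 1
        control, args = " ".join(rest[:n]), rest[n:]
        if not args:
            continue
        if control in ("include", "substack"):
            sub = effective_stack(args[0], files, chain + (service,))
            rows += [r for r in sub if r[1] == ptype]
        else:
            rows.append((service, ptype, control, Path(args[0]).name))
    return rows

def modules(service, files, ptype="auth"):
    """Modules a service really runs for one management group, with their source file."""
    return [(r[3], r[0]) for r in effective_stack(service, files) if r[1] == ptype]
```

On a live host, `modules("sshd", load_pam_dir())` gives the same view for the real files, which can then be compared with the `pam_sss(sshd:auth)` entries in /var/log/secure.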
