And it's done! All I had to do was to fix my common-account to bypass pam_unix if pam_sss was successful. In my case pam_sss was already in there, only further down the stack. Just had to move it up and adapt the return behavior. This is my final common-account:
# moved to here account [success=2 default=ignore] pam_sss.so account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so account requisite pam_deny.so account required pam_permit.so account sufficient pam_localuser.so # was here # account [default=bad success=ok user_unknown=ignore] pam_sss.so I hope this helps someone. But beware: a proper solution like LDAP+Kerberos IS the right way to go. _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
