On 05/07/2015 12:07 PM, Ulrich Hiller wrote:
login with the wrong password gives a denied login.
login with the correct password always works.
This is my sitution since the begin of my thread.
Got it. I misread part of your last message, and thought that logins
were /not/ working when sssd was running.
But instead i get
centos: sshd[7929]: pam_unix(sshd:session): session opened for user
<username>
"pam_unix" should be an indication that <username> appears in the local
unix password files. Make sure that it doesn't.
What do /etc/pam.d/sshd and /etc/pam.d/system-auth contain, currently?
So, maybe it is a pam problem.
Looks that way to me.
I have installed on centos:
fprintd-pam-0.5.0-4.0.el7_0.x86_64
pam-1.1.8-12.el7.x86_64
gnome-keyring-pam-3.8.2-10.el7.x86_64
pam_krb5-2.4.8-4.el7.x86_64
Are you sure i do not need nss-pam-ldapd?
Yes. nss-pam-ldapd does, essentially, the same thing that sssd does.
You also don't need pam_krb5. sssd has krb5 modules to support Kerberos
login.
Googling around i have read
something about a /etc/nslcd.conf which comes with this package. Is that
needed?
No. Before sssd, there was nss_ldap. It sometimes caused boot problems
by trying to connect to an LDAP server for user data before the network
was up.
nss-pam-ldapd was written to address that with a daemon that handled
queries, which was started after network init. That mostly solved the
problem for LDAP.
sssd does mostly the same thing, but handles LDAP, krb5, as well as
extensions for FreeIPA and Active Directory. It can cache credentials
for offline use (for laptops). When using sssd, you don't need the
older PAM or NSS modules.
On my opensuse i have much more:
I'm not terribly familiar with opensuse's authentication setup. Your
log says you're using sss there, so most of those modules are probably
installed but unused.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
