[Freeipa-users] login auth fails then success
Jakub Hrozek
jhrozek at redhat.com
Tue Sep 20 14:41:20 UTC 2016
On Tue, Sep 20, 2016 at 02:03:38PM +0000, Larry Rosen wrote:
> Thanks, that explains a lot (I didn't catch the difference in auth services).
> Would this be mitigated by putting sss in front of files in nsswitch.conf?
>
> /etc/nsswitch.conf:
> passwd: files sss
> shadow: files sss
> group: files sss
No, NSS is a separate interface. You can experiment with adding
pam_localuser.so before pam_unix, though.

btw this is how recent Fedora releases configure their PAM stack:

    auth required pam_env.so
    auth sufficient pam_fprintd.so
    auth [default=1 success=ok] pam_localuser.so
    auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth sufficient pam_sss.so forward_pass
    auth required pam_deny.so

But watch out, PAM stacks are inherently distro-specific and I don't
remember what exactly you're running.
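
An added example, not part of the original message: a minimal Python model of how Linux-PAM walks the auth stack quoted above, showing that the `default=1` on pam_localuser.so skips pam_unix.so for an account that is not local, so pam_unix never gets to record a failure for it. Assumptions: the module results passed in are constructed, only the control keywords used in this stack are modelled, and a jump is treated like `ignore`.

```python
import re

# The auth stack quoted in the message above, verbatim.
STACK = """\
auth required pam_env.so
auth sufficient pam_fprintd.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

# Linux-PAM expansions of the one-word controls (new_authtok_reqd omitted).
SIMPLE = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}
LINE = re.compile(r"^\w+\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(text):
    """Return [(module, {return_value: action})], one entry per stack line."""
    stack = []
    for line in text.strip().splitlines():
        control, module = LINE.match(line).groups()
        actions = (dict(kv.split("=") for kv in control[1:-1].split())
                   if control.startswith("[") else SIMPLE[control])
        stack.append((module, actions))
    return stack

def authenticate(stack, results):
    """results: module -> 'success' (constructed); a missing module fails."""
    state, called, i = None, [], 0      # None = undecided, True/False = so far
    while i < len(stack):
        module, actions = stack[i]
        called.append(module)
        action = actions.get(results.get(module, "auth_err"), actions["default"])
        i += 1
        if action.isdigit():
            i += int(action)            # jump: skip the next N modules
        elif action in ("ok", "done") and state is not False:
            state = True
        elif action in ("bad", "die"):
            state = False
        if action == "die" or (action == "done" and state):
            break
    return state is True, called        # (granted, modules that were run)
```

Calling `authenticate(parse(STACK), {...})` with pam_localuser.so absent from the results models a non-local (IPA) account; adding `"pam_localuser.so": "success"` models a local one.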