Many thanks, Sam.
That was exactly the problem. Now that I knew what to look for, I found it in the ipa-client-install output. It says "Local modifications to /etc/pam.d/common-*, not updating. Run pam-auth-update --force to override."
______________________________________________________________________________________________
Daniel E. White
daniel.e.white@nasa.gov
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290

From: FreeIPA freeipa-users@lists.fedorahosted.org
Reply-To: FreeIPA freeipa-users@lists.fedorahosted.org
Date: Wednesday, March 4, 2020 at 18:20
To: FreeIPA freeipa-users@lists.fedorahosted.org
Cc: Sam Morris sam@robots.org.uk
Subject: [EXTERNAL] [Freeipa-users] Re: So, I think I found a bug - Debian 10 ipa-client-install does not configure /etc/pam.d files properly (if at all)

See /var/lib/dpkg/info/libpam-sss.postinst; when the libpam-sss package is installed, "pam-auth-update" is run, which normally updates the various /etc/pam.d/common-* files based on the contents of /usr/share/pam-configs.
If your PAM config files got screwed up for whatever reason, you should be able to run "pam-auth-update" to fix things. If it detects that any of the common-* files were modified outside of its control, it should print a warning advising you to re-run it with --force to blow those changes away and get things working again.
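
A check for the condition discussed in this thread, added here as an example and not part of the original messages or of FreeIPA: it lists the common-* stacks that have no active pam_sss.so line. The function names are hypothetical, and it assumes the libpam-sss profile contributes to all four stacks (auth, account, password, session).

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumption: the sss PAM profile adds pam_sss.so to all four common-* stacks.

# Print the name of every common-* file under $1 (default /etc/pam.d) that
# has no active line calling pam_sss.so. Comments are stripped first, so a
# commented-out entry does not count. An absent file is reported as missing.
missing_pam_sss() {
    dir=${1:-/etc/pam.d}
    for stack in auth account password session; do
        f="$dir/common-$stack"
        if [ ! -r "$f" ] || ! sed 's/#.*//' "$f" | grep -q 'pam_sss\.so'; then
            printf '%s\n' "common-$stack"
        fi
    done
}

# Return 0 when every stack calls pam_sss.so; otherwise return 1 and print
# the affected files plus the remedy named in the thread to stderr.
check_pam_sss() {
    missing=$(missing_pam_sss "$1")
    if [ -z "$missing" ]; then
        return 0
    fi
    echo "pam_sss.so not enabled in: $(echo $missing)" >&2
    echo "run pam-auth-update; add --force if it reports local modifications" >&2
    return 1
}

# Constructed sample: common-auth carries the sss line, the other three only
# have it commented out, as after a skipped pam-auth-update run.
demo=$(mktemp -d)
printf 'auth [success=1 default=ignore] pam_sss.so use_first_pass\n' > "$demo/common-auth"
for s in account password session; do
    printf '%s required pam_unix.so\n# %s sufficient pam_sss.so\n' "$s" "$s" > "$demo/common-$s"
done
check_pam_sss "$demo" || echo "demo: incomplete PAM configuration detected"
rm -rf "$demo"
```

Calling `check_pam_sss` with no argument inspects /etc/pam.d on the host it runs on.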