I found an answer - on a CACHED web page. The original link says, " This question was removed from Unix & Linux Stack Exchange for reasons of moderation." Here's the cached link: https://webcache.googleusercontent.com/search?q=cache:vlUMKhpD2ooJ:https://u... but Murphy only knows how long it will stay available.
Here are the important bits that fixed my problem:
/etc/pam.d/common-account
account [default=bad success=ok user_unknown=ignore] pam_sss.so forward_pass use_first_pass
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so

/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_sss.so forward_pass
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

/etc/pam.d/common-password
password [success=2 default=ignore] pam_sss.so forward_pass
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so

/etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_mkhomedir.so
session required pam_permit.so
session required pam_unix.so
session optional pam_sss.so
And some diffs:
# diff common-account common-account-bak 1,5d0 < account [default=bad success=ok user_unknown=ignore] pam_sss.so forward_pass use_first_pass < account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so < account requisite pam_deny.so < account required pam_permit.so < account sufficient pam_localuser.so 6a2,4
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so account requisite pam_deny.so account required pam_permit.so
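Review bot: "account sufficient pam_localuser.so" is the last line of the new common-account stack, where it cannot change the outcome, because by then pam_unix.so, pam_deny.so and pam_permit.so have already decided the result. If the intent is to let local accounts skip the SSSD account check, the line has to sit above the pam_sss.so entry; otherwise it can be dropped.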
# diff common-auth common-auth-bak 1,5c1,2 < auth [success=2 default=ignore] pam_sss.so forward_pass < auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass < auth requisite pam_deny.so < auth required pam_permit.so < ---
auth required pam_unix.so nullok_secure auth required pam_tally.so onerr=fail deny=5 per_user
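Review bot: the "auth required pam_tally.so onerr=fail deny=5 per_user" line from common-auth-bak has no counterpart in the new common-auth, so the failed-login lockout the old file enforced is gone. If lockout is still wanted on this host, restore it above the pam_sss.so line so the success=2 and success=1 jump counts keep landing on pam_permit.so, and confirm that the IdM password policy covers lockout for the directory accounts.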
# diff common-password common-password-bak 1,5c1,4 < password [success=2 default=ignore] pam_sss.so forward_pass < password [success=1 default=ignore] pam_unix.so obscure sha512 < password requisite pam_deny.so < password required pam_permit.so < ---
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 password requisite pam_deny.so password required pam_permit.so
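Review bot: "password requisite pam_cracklib.so retry=3 minlen=8 difok=3" from common-password-bak is missing from the new common-password, leaving only the "obscure" checks in pam_unix.so for local password changes. If the minlen=8 and difok=3 rules are still required for local accounts, put the pam_cracklib.so line back at the top of the stack and restore "use_authtok" on the pam_unix.so line so it consumes the already-checked password.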
# diff common-session common-session-bak 1,6d0 < session [default=1] pam_permit.so < session requisite pam_deny.so < session required pam_mkhomedir.so < session required pam_permit.so < session required pam_unix.so < session optional pam_sss.so 7a2,7
session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session required pam_unix.so session optional pam_systemd.so session optional pam_ck_connector.so nox11
______________________________________________________________________________________________
Daniel E. White
daniel.e.white@nasa.gov
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290
From: FreeIPA freeipa-users@lists.fedorahosted.org
Reply-To: FreeIPA freeipa-users@lists.fedorahosted.org
Date: Tuesday, March 3, 2020 at 11:37
To: Jochen Kellner jochen@jochen.org, FreeIPA freeipa-users@lists.fedorahosted.org
Cc: Rob Crittenden rcritten@redhat.com, Daniel White daniel.e.white@nasa.gov
Subject: [EXTERNAL] [Freeipa-users] Re: A Debian Head-Scratcher
grep -rnI pam_sss /var/log /etc/pam.d returns nothing on this Debian system
It is all over the CentOS system files. Might this be an issue with the Debian freeipa-client package?

Also, I am able to log in with my IdM credentials, just not as this test-user.