It's not normal to have pam_unix.so twice in each group. That said, I am not used to seeing nullok in these as well. (The environment I work in requires it removed, so that's why it's strange to see.) pam_systemd.so and md5?
I wanted to clean this up a bit, but I am going to stop now, cause I see the reference of Centos 5 based info and CentOS 7 stuff. I will have to see what's changed between the both. Here's what I have thus far. #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so try_first_pass auth requisite pam_succeed_if.so uid >= 200 quiet_success auth sufficient pam_sss.so use_first_pass auth required pam_deny.so auth optional pam_gnome_keyring.so
account required pam_unix.so broken_shadow try_first_pass account sufficient pam_succeed_if.so uid < 2000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so account sufficient pam_localuser.so account required pam_sss.so use_first_pass account sufficient pam_localuser.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so password requisite pam_cracklib.so password optional pam_gnome_keyring.so use_authtok password required pam_sss.so use_authtok
session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so try_first_pass session sufficient pam_sss.so session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jonathan Billings Sent: Saturday, May 09, 2015 4:25 PM To: CentOS mailing list Subject: Re: [CentOS] ldap host attribute is ignored
On May 8, 2015, at 11:14 AM, Ulrich Hiller hiller@mpia-hd.mpg.de wrote:
/etc/pam.d/system-auth:
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 200 quiet_success auth sufficient pam_sss.so use_first_pass auth required pam_deny.so auth required pam_env.so auth optional pam_gnome_keyring.so
account required pam_unix.so broken_shadow account sufficient pam_succeed_if.so uid < 2000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so account requisite pam_unix.so try_first_pass account sufficient pam_localuser.so account required pam_sss.so use_first_pass account sufficient pam_localuser.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so password requisite pam_cracklib.so password optional pam_gnome_keyring.so use_authtok password sufficient pam_unix.so use_authtok nullok shadow try_first_pass password required pam_sss.so use_authtok
session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session sufficient pam_sss.so session required pam_unix.so try_first_pass session optional pam_umask.so session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm
-- Jonathan Billings billings@negate.org
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos