On 05/07/2015 12:07 PM, Ulrich Hiller wrote:
login with the wrong password gives a denied login. login with the correct password always works.
This is my sitution since the begin of my thread.
Got it. I misread part of your last message, and thought that logins were /not/ working when sssd was running.
But instead i get centos: sshd[7929]: pam_unix(sshd:session): session opened for user
<username>
"pam_unix" should be an indication that <username> appears in the local unix password files. Make sure that it doesn't.
What do /etc/pam.d/sshd and /etc/pam.d/system-auth contain, currently?
So, maybe it is a pam problem.
Looks that way to me.
I have installed on centos: fprintd-pam-0.5.0-4.0.el7_0.x86_64 pam-1.1.8-12.el7.x86_64 gnome-keyring-pam-3.8.2-10.el7.x86_64 pam_krb5-2.4.8-4.el7.x86_64
Are you sure i do not need nss-pam-ldapd?
Yes. nss-pam-ldapd does, essentially, the same thing that sssd does. You also don't need pam_krb5. sssd has krb5 modules to support Kerberos login.
Googling around i have read something about a /etc/nslcd.conf which comes with this package. Is that needed?
No. Before sssd, there was nss_ldap. It sometimes caused boot problems by trying to connect to an LDAP server for user data before the network was up.
nss-pam-ldapd was written to address that with a daemon that handled queries, which was started after network init. That mostly solved the problem for LDAP.
sssd does mostly the same thing, but handles LDAP, krb5, as well as extensions for FreeIPA and Active Directory. It can cache credentials for offline use (for laptops). When using sssd, you don't need the older PAM or NSS modules.
On my opensuse i have much more:
I'm not terribly familiar with opensuse's authentication setup. Your log says you're using sss there, so most of those modules are probably installed but unused.