On 05/07/2015 12:07 PM, Ulrich Hiller wrote: > login with the wrong password gives a denied login. > login with the correct password always works. > > This is my sitution since the begin of my thread. Got it. I misread part of your last message, and thought that logins were /not/ working when sssd was running. > But instead i get > centos: sshd[7929]: pam_unix(sshd:session): session opened for user > <username> "pam_unix" should be an indication that <username> appears in the local unix password files. Make sure that it doesn't. What do /etc/pam.d/sshd and /etc/pam.d/system-auth contain, currently? > So, maybe it is a pam problem. Looks that way to me. > I have installed on centos: > fprintd-pam-0.5.0-4.0.el7_0.x86_64 > pam-1.1.8-12.el7.x86_64 > gnome-keyring-pam-3.8.2-10.el7.x86_64 > pam_krb5-2.4.8-4.el7.x86_64 > > Are you sure i do not need nss-pam-ldapd? Yes. nss-pam-ldapd does, essentially, the same thing that sssd does. You also don't need pam_krb5. sssd has krb5 modules to support Kerberos login. > Googling around i have read > something about a /etc/nslcd.conf which comes with this package. Is that > needed? No. Before sssd, there was nss_ldap. It sometimes caused boot problems by trying to connect to an LDAP server for user data before the network was up. nss-pam-ldapd was written to address that with a daemon that handled queries, which was started after network init. That mostly solved the problem for LDAP. sssd does mostly the same thing, but handles LDAP, krb5, as well as extensions for FreeIPA and Active Directory. It can cache credentials for offline use (for laptops). When using sssd, you don't need the older PAM or NSS modules. > On my opensuse i have much more: I'm not terribly familiar with opensuse's authentication setup. Your log says you're using sss there, so most of those modules are probably installed but unused.