[CentOS] ldap host attribute is ignored

Fri May 8 15:14:37 UTC 2015
Ulrich Hiller <hiller at mpia-hd.mpg.de>

>> But instead i get
>> centos: sshd[7929]: pam_unix(sshd:session): session opened for user
>> <username>
> 
> "pam_unix" should be an indication that <username> appears in the local
> unix password files.  Make sure that it doesn't.

Nope. None of the usernames i tried is in /etc/passwd or /etc/shadow


> 
> What do /etc/pam.d/sshd and /etc/pam.d/system-auth contain, currently?


/etc/pam.d/sshd:
----------------
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed
in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
session  required       pam_mkhomedir.so skel=/etc/skel/ umask=0077




/etc/pam.d/system-auth:
-----------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 200 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
auth    required        pam_env.so
auth    optional        pam_gnome_keyring.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 2000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
account requisite       pam_unix.so     try_first_pass
account sufficient      pam_localuser.so
account required        pam_sss.so      use_first_pass
account sufficient      pam_localuser.so

password    requisite     pam_pwquality.so try_first_pass
local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
password        requisite       pam_cracklib.so
password        optional        pam_gnome_keyring.so    use_authtok
password        sufficient      pam_unix.so     use_authtok nullok
shadow try_first_pass
password        required        pam_sss.so      use_authtok

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session     required      pam_unix.so
session     sufficient      pam_sss.so
session required        pam_unix.so     try_first_pass
session optional        pam_umask.so
session optional        pam_gnome_keyring.so    auto_start
only_if=gdm,gdm-password,lxdm,lightdm


With kind regards, ulrich