On 05/08/2015 08:14 AM, Ulrich Hiller wrote:
> With kind regards, ulrich

Hm. I don't *see* the problem, so let me go about this in the opposite direction.

I added the host controls to one of my systems, and they appear to work properly. My configuration files were *mostly* written by "authconfig". It looks like you've done some manual tweaking with YaST examples. Some of the PAM stuff looks like it was tacked-on at the end of a sequence without understanding how PAM flow control works.

(Minor aside: you may have used authconfig --enablemd5, which weakens security somewhat. I believe the default is equivalent to authconfig --passalgo=sha256)

Your sssh pam file referenced password-auth (/etc/pam.d/password-auth) which should be a separate file from system-auth, but should have identical content.

I recommend starting with a completely clean system, setting up authentication with authconfig, and then modifying sssd.conf one setting at a time as you work toward your desired configuration.

/etc/sss/sssd.conf:
------
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = PRIVATE.EXAMPLE.NET
ldap_search_base = dc=private,dc=example,dc=net
krb5_server = directory.private.example.net:88
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://directory.private.example.net/
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_store_password_if_offline = True
krb5_kpasswd = directory.private.example.net:749
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host

[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
------

/etc/pam.d/system-auth-ac
------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
------
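
The following is an added example, not part of the original message: a small Python evaluator for the "account" lines of the system-auth-ac file above, applying the control-flag rules documented in pam.conf(5), to show where the sssd host access decision enters the stack. The module return values passed to evaluate() are constructed inputs, not captured from a real login, and the function names are hypothetical.

```python
# Added example. Module return values passed to evaluate() are constructed inputs.
import re

ACCOUNT_STACK = """\
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
"""

# Keyword controls expressed in bracket form, as documented in pam.conf(5).
KEYWORDS = {
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional": {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse(text):
    """Return [(module, {return_value: action})] for each stack line."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"-?\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)", line)
        ctl, module = m.groups()
        actions = dict(p.split("=") for p in ctl[1:-1].split()) if ctl[0] == "[" else KEYWORDS[ctl]
        stack.append((module, actions))
    return stack

def evaluate(stack, results):
    """results maps module name -> return value (lowercase, no PAM_ prefix)."""
    verdict, skip, trace = None, 0, []
    for module, actions in stack:
        if skip:
            skip -= 1
            continue
        ret = results[module]
        action = actions.get(ret, actions["default"])
        trace.append((module, ret, action))
        if action.isdigit():
            skip = int(action)  # jump over the next N modules
        elif action in ("ok", "done") and verdict in (None, "success"):
            verdict = ret  # success is only recorded if nothing has failed yet
        elif action in ("bad", "die") and verdict in (None, "success", "new_authtok_reqd"):
            verdict = ret  # the first failure is the one the stack reports
        if action in ("done", "die"):
            break
    return verdict == "success", trace
```

With pam_localuser.so reporting success, the "sufficient" control ends the stack before pam_sss.so is consulted, so the host rule in sssd.conf is only evaluated for accounts that are neither local nor below uid 1000.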