On May 8, 2015, at 11:14 AM, Ulrich Hiller <hiller at mpia-hd.mpg.de> wrote:
>
> /etc/pam.d/system-auth:
> -----------------------
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 200 quiet_success
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
> auth required pam_env.so
> auth optional pam_gnome_keyring.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_succeed_if.so uid < 2000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
> account requisite pam_unix.so try_first_pass
> account sufficient pam_localuser.so
> account required pam_sss.so use_first_pass
> account sufficient pam_localuser.so
>
> password requisite pam_pwquality.so try_first_pass
> local_users_only retry=3 authtok_type=
> password sufficient pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
> password requisite pam_cracklib.so
> password optional pam_gnome_keyring.so use_authtok
> password sufficient pam_unix.so use_authtok nullok
> shadow try_first_pass
> password required pam_sss.so use_authtok
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session required pam_unix.so
> session sufficient pam_sss.so
> session required pam_unix.so try_first_pass
> session optional pam_umask.so
> session optional pam_gnome_keyring.so auto_start
> only_if=gdm,gdm-password,lxdm,lightdm

Is it normal to have pam_unix and pam_sss twice for each section?

--
Jonathan Billings <billings at negate.org>
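The duplication asked about above can be checked mechanically. The following is an added example, not part of the original messages: it parses a PAM stack and lists every module that appears more than once within the same management group. The function names `parse` and `duplicates` are hypothetical, and the sample input is an excerpt of the quoted file with one directive per line.

```python
import re
from collections import defaultdict

# Excerpt of the quoted system-auth file (auth/account, two session lines).
SAMPLE = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 200 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
auth required pam_env.so
auth optional pam_gnome_keyring.so
account required pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account requisite pam_unix.so try_first_pass
account required pam_sss.so use_first_pass
-session optional pam_systemd.so
session required pam_unix.so
"""

# optional "-" prefix, type, control (keyword or [value=action ...]), module, args
LINE = re.compile(
    r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return one dict per PAM directive, skipping blanks and comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a PAM directive: {raw!r}")
        _, mtype, control, module, args = m.groups()
        entries.append({"line": lineno, "type": mtype, "control": control,
                        "module": module, "args": args.split()})
    return entries

def duplicates(entries):
    """Map (type, module) to its entries when the module is stacked twice."""
    seen = defaultdict(list)
    for e in entries:
        seen[(e["type"], e["module"])].append(e)
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (mtype, module), hits in sorted(duplicates(parse(SAMPLE)).items()):
        print(f"{mtype}: {module} appears {len(hits)} times")
        for e in hits:
            print(f"  line {e['line']}: {e['control']} {' '.join(e['args'])}")
```

Each report line shows the control flag and arguments of every occurrence, which makes it easy to see whether two entries for the same module came from two different generated stacks.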