It's not normal to have pam_unix.so twice in each group. That said, I am not used to seeing nullok in these as well. (The environment I work in requires it removed, so that's why it's strange to see.) pam_systemd.so and md5? I wanted to clean this up a bit, but I am going to stop now, cause I see the reference of Centos 5 based info and CentOS 7 stuff. I will have to see what's changed between the both. Here's what I have thus far. #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so try_first_pass auth requisite pam_succeed_if.so uid >= 200 quiet_success auth sufficient pam_sss.so use_first_pass auth required pam_deny.so auth optional pam_gnome_keyring.so account required pam_unix.so broken_shadow try_first_pass account sufficient pam_succeed_if.so uid < 2000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so account sufficient pam_localuser.so account required pam_sss.so use_first_pass account sufficient pam_localuser.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so password requisite pam_cracklib.so password optional pam_gnome_keyring.so use_authtok password required pam_sss.so use_authtok session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so try_first_pass session sufficient pam_sss.so session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm -----Original Message----- From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Jonathan Billings Sent: Saturday, May 09, 2015 4:25 PM To: CentOS mailing list Subject: Re: [CentOS] ldap host attribute is ignored On May 8, 2015, at 11:14 AM, Ulrich Hiller <hiller at mpia-hd.mpg.de> wrote: > > /etc/pam.d/system-auth: > ----------------------- > #%PAM-1.0 > # This file is auto-generated. > # User changes will be destroyed the next time authconfig is run. > auth required pam_env.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 200 quiet_success > auth sufficient pam_sss.so use_first_pass > auth required pam_deny.so > auth required pam_env.so > auth optional pam_gnome_keyring.so > > account required pam_unix.so broken_shadow > account sufficient pam_succeed_if.so uid < 2000 quiet > account [default=bad success=ok user_unknown=ignore] pam_sss.so > account required pam_permit.so > account requisite pam_unix.so try_first_pass > account sufficient pam_localuser.so > account required pam_sss.so use_first_pass > account sufficient pam_localuser.so > > password requisite pam_pwquality.so try_first_pass > local_users_only retry=3 authtok_type= > password sufficient pam_unix.so md5 shadow nullok try_first_pass > use_authtok > password sufficient pam_sss.so use_authtok > password required pam_deny.so > password requisite pam_cracklib.so > password optional pam_gnome_keyring.so use_authtok > password sufficient pam_unix.so use_authtok nullok > shadow try_first_pass > password required pam_sss.so use_authtok > > session optional pam_keyinit.so revoke > session required pam_limits.so > -session optional pam_systemd.so > session [success=1 default=ignore] pam_succeed_if.so service in > crond quiet use_uid > session required pam_unix.so > session sufficient pam_sss.so > session required pam_unix.so try_first_pass > session optional pam_umask.so > session optional pam_gnome_keyring.so auto_start > only_if=gdm,gdm-password,lxdm,lightdm -- Jonathan Billings <billings at negate.org> _______________________________________________ CentOS mailing list CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos