[CentOS] ldap host attribute is ignored
Ulrich Hiller
hiller at mpia-hd.mpg.de
Fri May 8 15:14:37 UTC 2015
>> But instead i get
>> centos: sshd[7929]: pam_unix(sshd:session): session opened for user
>> <username>
>
> "pam_unix" should be an indication that <username> appears in the local
> unix password files. Make sure that it doesn't.
Nope. None of the usernames i tried is in /etc/passwd or /etc/shadow
>
> What do /etc/pam.d/sshd and /etc/pam.d/system-auth contain, currently?
/etc/pam.d/sshd:
----------------
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed
in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
/etc/pam.d/system-auth:
-----------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 200 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
auth required pam_env.so
auth optional pam_gnome_keyring.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 2000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
account requisite pam_unix.so try_first_pass
account sufficient pam_localuser.so
account required pam_sss.so use_first_pass
account sufficient pam_localuser.so
password requisite pam_pwquality.so try_first_pass
local_users_only retry=3 authtok_type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
password requisite pam_cracklib.so
password optional pam_gnome_keyring.so use_authtok
password sufficient pam_unix.so use_authtok nullok
shadow try_first_pass
password required pam_sss.so use_authtok
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session required pam_unix.so
session sufficient pam_sss.so
session required pam_unix.so try_first_pass
session optional pam_umask.so
session optional pam_gnome_keyring.so auto_start
only_if=gdm,gdm-password,lxdm,lightdm
With kind regards, ulrich
More information about the CentOS
mailing list