On 05/05/2015 11:14 AM, Ulrich Hiller wrote: > On 05/05/2015 06:47 PM, Gordon Messmer wrote: >> This is wrong. Don't use sss and ldap together. It's redundant. At >> best it will cause performance problems. >> >> Get rid of the ldap module and see if the system starts working >> correctly with just sssd. It's possible that right now sssd is >> correctly filtering users, but the PADL ldap module is providing them. > > This was a good hint (i should have got the idea myself). > Now i set > passwd: files ldap > shadow: files ldap > group: files ldap That's exactly the opposite of what I suggested. Your system is now using the deprecated PADL ldap module for name service instead of sssd. You should probably remove nscd and nss-pam-ldapd from your system entirely. They're deprecated, and they're going to waste your time. > and got "pam_unix(sshd:auth): check pass; user unknown" That seems consistent with having "ldap" in nsswitch.conf and no /etc/ldap.conf. Don't use "ldap". Use "sss". > So, does it mean only the NSS is providing the ldap user information, > and sssd cannot read the pam information? So pam is not set up correctly? That's a confusing question, so let me explain the stack a little. At one end you have your applications. Everything that needs to resolve user names, groups, hosts, services, etc is here. For example, "ls". "ls" reads directories and stats files, those files have numeric user and group IDs, which need to be resolved to names. In the middle you have glibc and its "nss" API. "nss" provides a single interface to applications for resolving names and numbers for the types defined in nsswitch.conf. At the other end of the stack you have nss modules. These include the "unix" module which reads files in /etc, the deprecated LDAP module from PADL, and the sss module that's part of sssd. (sssd extends the stack a little bit. it provides one interface to nss, and has its own modules to resolve names through LDAP and other directories) PAM is completely separate from all of that. PAM provides authentication services. It's a completely different interface from resolving names and numbers. So, right now it sounds like you have the system configured to read information from the "ldap" module, but that module needs /etc/ldap.conf. You should be using the "sss" module in nsswitch.conf instead. > I am confused about what to do now. > Do i have to configure anything else in /etc/pam.d apart from system-auth? You probably shouldn't ever touch the files in /etc/pam.d.