[CentOS] ldap host attribute is ignored

Mon May 11 13:56:23 UTC 2015
Conley, Matthew M CTR GXM <matthew.m.conley1.ctr at navy.mil>

It's not normal to have pam_unix.so twice in each group. That said, I am not used to seeing nullok in these as well. (The environment I work in requires it removed, so that's why it's strange to see.)
pam_systemd.so and md5? 

I wanted to clean this up a bit, but I am going to stop now, cause I see the reference of Centos 5 based info and CentOS 7 stuff. I will have to see what's changed between the both. Here's what I have thus far.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so  try_first_pass
auth        requisite     pam_succeed_if.so uid >= 200 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
auth        optional      pam_gnome_keyring.so

account     required      pam_unix.so broken_shadow try_first_pass
account     sufficient    pam_succeed_if.so uid < 2000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
account     sufficient    pam_localuser.so
account     required      pam_sss.so   use_first_pass
account     sufficient    pam_localuser.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow  try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
password    requisite     pam_cracklib.so
password    optional      pam_gnome_keyring.so    use_authtok
password    required      pam_sss.so      use_authtok

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional     pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so  try_first_pass
session     sufficient    pam_sss.so
session     optional          pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm


-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Jonathan Billings
Sent: Saturday, May 09, 2015 4:25 PM
To: CentOS mailing list
Subject: Re: [CentOS] ldap host attribute is ignored

On May 8, 2015, at 11:14 AM, Ulrich Hiller <hiller at mpia-hd.mpg.de> wrote:
> 
> /etc/pam.d/system-auth:
> -----------------------
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 200 quiet_success
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
> auth    required        pam_env.so
> auth    optional        pam_gnome_keyring.so
> 
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 2000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> account requisite       pam_unix.so     try_first_pass
> account sufficient      pam_localuser.so
> account required        pam_sss.so      use_first_pass
> account sufficient      pam_localuser.so
> 
> password    requisite     pam_pwquality.so try_first_pass
> local_users_only retry=3 authtok_type=
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
> password        requisite       pam_cracklib.so
> password        optional        pam_gnome_keyring.so    use_authtok
> password        sufficient      pam_unix.so     use_authtok nullok
> shadow try_first_pass
> password        required        pam_sss.so      use_authtok
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session     required      pam_unix.so
> session     sufficient      pam_sss.so
> session required        pam_unix.so     try_first_pass
> session optional        pam_umask.so
> session optional        pam_gnome_keyring.so    auto_start
> only_if=gdm,gdm-password,lxdm,lightdm


--
Jonathan Billings <billings at negate.org>


_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos