On 01/28/2011 08:17 AM, Andy Kannberg wrote:
> Stephen,
>
> I've tried to rearrange the system-auth. However, when offline, I still
> cannot login with KDE.
> the system-auth looks like this:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so likeauth nullok
> account sufficient pam_succeed_if.so uid > 500 quiet

This line definitely looks out of place here. This should probably be
"auth" not "account", and it's recommended that it be "requisite" instead
of "sufficient". Also, you probably want >= 500 rather than > 500

> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
> account sufficient pam_localuser.so
> account required pam_unix.so broken_shadow

You probably want to reverse pam_unix and pam_localuser here

> account sufficient pam_succeed_if.so uid > 500 quiet

This is backwards. You want system services (<500) to be sufficient
here, not all users > 500.

> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
> #account required pam_access.so accessfile=/etc/security/access.netgroup.conf
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so nullok use_authtok md5 shadow
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
> #session required pam_limits.so
> session required pam_unix.so
> session required pam_keyinit.so revoke
> session optional pam_sss.so

Give that a try.
--
Stephen Gallagher
RHCE 804006346421761
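
How the control flags in the account stack discussed above interact, as an added example that is not part of the original message: a simplified model of libpam's flag handling runs the account lines as posted and a revision that follows the reply's suggestions. The module return values, the uid 1000 user and the exact ordering of the revised stack are assumptions made for the illustration.

```python
import operator
import re

# Simple control keywords written in libpam's [value=action] form.
KEYWORDS = {"required": {"success": "ok", "default": "bad"},
            "requisite": {"success": "ok", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"},
            "optional": {"success": "ok", "default": "ignore"}}
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}

def evaluate(text, uid, results, mtype="account"):
    """Simplified libpam dispatch over one stack: (granted, modules_called)."""
    failed, positive, called = False, False, []
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)", line)
        if not m or m.group(1) != mtype:
            continue
        ctl, module, args = m.group(2), m.group(3), m.group(4).split()
        actions = (dict(p.split("=") for p in ctl[1:-1].split())
                   if ctl.startswith("[") else KEYWORDS[ctl])
        if module == "pam_succeed_if.so":   # evaluate "uid OP N" directly
            ret = "success" if OPS[args[1]](uid, int(args[2])) else "auth_err"
        else:
            ret = results[module]           # constructed module result
        called.append(module)
        act = actions.get(ret, actions["default"])
        failed = failed or act in ("bad", "die")
        positive = positive or (act in ("ok", "done") and not failed)
        if act == "die" or (act == "done" and not failed):
            break
    return positive and not failed, called

# Account stacks: as posted, and one reading of the reply's suggestions.
POSTED = """account sufficient pam_localuser.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid > 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so"""
REVISED = """account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so"""
# Constructed results: directory user (uid 1000) whom pam_sss refuses.
DENIED = {"pam_localuser.so": "perm_denied", "pam_unix.so": "success",
          "pam_sss.so": "perm_denied", "pam_permit.so": "success"}

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("revised", REVISED)):
        print(name, evaluate(text, 1000, DENIED))
```

With the posted stack the run ends at pam_succeed_if.so and pam_sss.so is never consulted, so its refusal has no effect; with the revised stack the pam_sss.so result decides the outcome for the uid 1000 user.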