Hi Lukas,

The debugging tips are really helpful for troubleshooting. I got a lot of errors like "pam_sss(sshd:auth): received for user nick: 9 (Authentication service cannot retrieve authentication info)".
It turned out that I used LDAP (without SSL), which sssd does not support any more for security reasons.
After enabling SSL for my OpenLDAP server, things work now.

Thanks very much.

  Thanks & Best Regards!

                  ///
                 (. .)
  --------ooO--(_)--Ooo--------
  |           Nick Tan           |
  ------------------------------------


On Sat, Jun 28, 2014 at 1:33 AM, Lukas Slebodnik <lslebodn@redhat.com> wrote:
On (28/06/14 00:03), XuQing Tan wrote:
>Hi folks
>
>I set up sssd 1.9.2 on CentOS 6 x64.
>I can get the user info via 'id <user>'.
>I can su to that user as root (no password prompt since I'm root).
>
>[root@nick-ldap ~]# su - nick
>-sh-4.1$ exit
>logout
>
root can switch to another user without any password prompt.
   (pam_sss was not involved)
It is the default behaviour.
I am not a pam expert, but it should be caused by the next line in /etc/pam.d/su:

account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet

>But I can't su to this user as non-root (I get a password prompt but then an
>"incorrect password" error).
>[root@nick-ldap ~]# su - demo
>[demo@nick-ldap ~]$ su - nick
>Password:
>su: incorrect password
There are two explanations:
    a) you used the wrong password.
    b) there is some problem with the sssd configuration.

In the second case, put "debug_level = 7" into the pam and domain sections of sssd.conf;
restart sssd; reproduce the problem; and try to analyse the log files in /var/log/sssd.
If you don't find the root of the problem, please send sanitised log files to the mailing
list.

LS
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
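The thread has two practical pieces: Lukas' advice to set debug_level = 7 in the [pam] and [domain/...] sections of sssd.conf, and Nick's finding that PAM code 9 came from an LDAP auth domain on a server without TLS. The script below, added here as an example and not code from the SSSD project, decodes pam_sss "received for user" log lines into their Linux-PAM return-code names, flags LDAP auth domains whose ldap_uri is not ldaps://, and writes the debug_level into the right sections. The option names (ldap_uri, ldap_tls_cacert, ldap_tls_cacertdir, ldap_tls_reqcert, ldap_auth_disable_tls_never_use_in_production, debug_level) are real sssd.conf options; the severity rules, the sample config and the sample log lines are this script's own constructed material.

```python
"""Decode pam_sss log lines and sanity-check an sssd.conf (added example,
not SSSD project code; sample config and log lines are constructed)."""
import configparser
import io
import re

# Linux-PAM return codes as numbered in <security/_pam_types.h>; pam_sss
# logs the number plus its text. 9 is the code seen in the thread.
PAM_CODES = {
    0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN",
    11: "PAM_MAXTRIES", 12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED",
}

PAM_SSS_RE = re.compile(
    r"pam_sss\((?P<service>[^:)]+):(?P<stack>\w+)\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")


def parse_pam_sss(line):
    """Return a dict for a 'pam_sss(...): received for user' line, else None."""
    m = PAM_SSS_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    return {"service": m.group("service"), "stack": m.group("stack"),
            "user": m.group("user"), "code": code,
            "name": PAM_CODES.get(code, "UNKNOWN(%d)" % code),
            "text": m.group("text")}


def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep option names exactly as written
    cp.read_string(text)
    return cp


def check_ldap_transport(cp):
    """Flag LDAP auth domains whose URIs do not start TLS on connect.

    SSSD refuses to send a password over a plaintext LDAP connection: on an
    ldap:// URI it runs STARTTLS first and fails the auth if that cannot be
    negotiated, which PAM reports as code 9 (PAM_AUTHINFO_UNAVAIL).
    Returns (section, uri, severity, message) tuples.
    """
    findings = []
    for sec in cp.sections():
        if not sec.startswith("domain/"):
            continue
        d = cp[sec]
        # auth_provider falls back to id_provider when it is not set
        if d.get("auth_provider", d.get("id_provider", "")) != "ldap":
            continue
        plain_ok = d.get("ldap_auth_disable_tls_never_use_in_production",
                         "false").lower() == "true"
        has_ca = "ldap_tls_cacert" in d or "ldap_tls_cacertdir" in d
        reqcert = d.get("ldap_tls_reqcert", "demand").lower()
        for uri in (u.strip() for u in d.get("ldap_uri", "").split(",")):
            if not uri or uri.startswith(("ldaps://", "ldapi://")):
                continue  # TLS from the first byte, or a local unix socket
            if plain_ok:
                findings.append((sec, uri, "CRIT", "passwords allowed over "
                    "plaintext (ldap_auth_disable_tls_never_use_in_production)"))
            elif reqcert in ("never", "allow", "try"):
                findings.append((sec, uri, "WARN", "STARTTLS used but server "
                    "certificate not enforced (ldap_tls_reqcert=%s)" % reqcert))
            else:
                findings.append((sec, uri, "INFO", "auth depends on STARTTLS; "
                    "server must offer TLS and " + ("ldap_tls_cacert must trust "
                    "it" if has_ca else "the CA comes from libldap defaults")))
    return findings


def enable_debug(cp, level="7"):
    """Set debug_level in [pam] and every [domain/...] section; return text."""
    for sec in ["pam"] + [s for s in cp.sections() if s.startswith("domain/")]:
        if not cp.has_section(sec):
            cp.add_section(sec)
        cp[sec]["debug_level"] = level
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


# Constructed config resembling the thread: ldap:// against a server that
# at first had no TLS at all.
SAMPLE_CONF = """[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://nick-ldap.example.com
ldap_search_base = dc=example,dc=com
"""

# Constructed /var/log/secure lines in the shape quoted in the thread.
SAMPLE_LOG = [
    "Jun 28 10:00:01 nick-ldap sshd[2345]: pam_sss(sshd:auth): received for "
    "user nick: 9 (Authentication service cannot retrieve authentication info)",
    "Jun 28 10:00:09 nick-ldap sshd[2345]: pam_unix(sshd:session): session "
    "opened for user nick",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = parse_pam_sss(line)
        if r:
            print("%(service)s/%(stack)s user=%(user)s -> %(code)d %(name)s" % r)
    cp = load_conf(SAMPLE_CONF)
    for sec, uri, sev, msg in check_ldap_transport(cp):
        print("%s [%s] %s: %s" % (sev, sec, uri, msg))
    print(enable_debug(cp))
```

Running it against the constructed config reports the ldap:// URI as depending on STARTTLS; switching the URI to ldaps:// (what Nick effectively did by enabling SSL on the server) clears the finding, and the rewritten config carries debug_level = 7 in both [pam] and [domain/LDAP], ready for the restart-and-reproduce step.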