On Mon, Apr 28, 2014 at 09:30:32PM +0200, Lukas Slebodnik wrote:
> On (25/04/14 16:39), kevin sullivan wrote:
> > I am seeing an issue when I try to change a local user's password when SSSD
> > (1.9.2-82.el6) is not running. I have two sets of users: users stored in
> > ldap and users stored locally on my RHEL 6.4 machine. When able, I want to
> > log in as the ldap users and only fall back to the local users when I can't
> > contact the ldap server. This is why I have pam configured like this:
> >
> > password requisite pam_cracklib.so retry=3 minlen=10
> > password sufficient pam_sss.so forward_pass use_authtok
> > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > password required pam_deny.so
> >
> I checked the source code of pam_sss. If I read the source code correctly,
> you should remove the argument use_authtok.
> Could you try with the next line?
> password sufficient pam_sss.so forward_pass
I think it would be best to let the (arguably complex and fragile) PAM
configuration be autogenerated by a tool that was written specifically
for the purpose, like authconfig :)
btw this is what my password stack on Fedora looks like:
password optional pam_pwquality.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
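As an added example (my own, not code from the sssd project or from anyone in this thread), here is a small POSIX sh script that reads a PAM service file and flags a password stack in which pam_sss.so carries use_authtok without a pam_unix.so line before it. That is the layout in the original question; Lukas's suggestion avoids it by dropping the argument, and the authconfig-generated Fedora stack avoids it by ordering pam_unix first. The three sample stacks are constructed from the lines quoted in the thread, and the rule the script checks is my reading of the thread, not a documented pam_sss requirement.

```shell
#!/bin/sh
# Added example (not from the sssd project or anyone in the thread): audit the
# "password" stack of a PAM service file for the pam_sss/use_authtok layout
# discussed above. The sample stacks below are constructed from the thread.

# Print the modules of the password stack in order, space-separated.
password_modules() {
    awk '$1 == "password" { printf "%s%s", sep, $3; sep = " " } END { print "" }' "$1"
}

# Return 0 if no pam_sss.so line carries use_authtok before any pam_unix.so
# line, 1 otherwise. The rule is my reading of the thread: with use_authtok,
# pam_sss expects an earlier module to have set the new password token, and
# in the authconfig-generated stack that module is pam_unix.
check_sss_authtok() {
    awk '
        $1 == "password" && $3 == "pam_unix.so" { seen_unix = 1 }
        $1 == "password" && $3 == "pam_sss.so" && !seen_unix {
            for (i = 4; i <= NF; i++) if ($i == "use_authtok") bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed samples, written to temporary files so the functions take paths.
QUESTION_STACK=$(mktemp)   # the stack from the original question
FIXED_STACK=$(mktemp)      # the same stack with use_authtok dropped from pam_sss
FEDORA_STACK=$(mktemp)     # the authconfig-generated Fedora stack from the reply
trap 'rm -f "$QUESTION_STACK" "$FIXED_STACK" "$FEDORA_STACK"' EXIT

cat >"$QUESTION_STACK" <<'EOF'
password requisite pam_cracklib.so retry=3 minlen=10
password sufficient pam_sss.so forward_pass use_authtok
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
EOF

cat >"$FIXED_STACK" <<'EOF'
password requisite pam_cracklib.so retry=3 minlen=10
password sufficient pam_sss.so forward_pass
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
EOF

cat >"$FEDORA_STACK" <<'EOF'
password optional pam_pwquality.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
EOF

for f in "$QUESTION_STACK" "$FIXED_STACK" "$FEDORA_STACK"; do
    echo "stack: $(password_modules "$f")"
    if check_sss_authtok "$f"; then
        echo "  ok"
    else
        echo "  warning: pam_sss.so has use_authtok with no pam_unix.so before it"
    fi
done
```

Point the two functions at /etc/pam.d/system-auth-ac (or password-auth-ac) on a RHEL 6 host to run the same check against a live stack; the script only reads the file and changes nothing.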