So I have a 389 server running and a client with sssd installed on CentOS 6.5. I create users and run getent passwd (user). It won't find anything unless I enable them as POSIX users (not sure if that's the way it should be). So then, I can run getent passwd and see the user. If I'm logged in as root I can su into any 389 user, but if I try to su from a local account to a 389 account it says invalid password.
From Root:
su: pam_unix(su:session): session opened for user test77 by localadmin(uid=0)
From localadmin:
su: pam_unix(su-l:auth): authentication failure; logname=localadmin uid=500 euid=0 tty=pts/2 ruser=localadmin rhost= user=test77
I'm assuming it's something wrong with PAM, but everything looks correct. My system-auth PAM entry looks like this:
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so