search for: pam_localus

...ount required pam_unix.so broken_shadow account sufficient pam_succeed_if.so uid < 2000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so account requisite pam_unix.so try_first_pass account sufficient pam_localuser.so account required pam_sss.so use_first_pass account sufficient pam_localuser.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password suffi...

...ps in this case. My best theory at the moment, not knowing any of this very well, is that maybe pam_winbind is "cheating" on the PAM api, and somehow adding this secondary group in some init or close function (where it should not be). Any ideas? Mike account [default=2 success=ignore] pam_localuser.so account sufficient pam_unix2.so account requisite pam_deny.so account sufficient pam_krb5.so account requisite pam_deny.so auth required pam_env.so auth [default=2 success=ignore] pam_localuser.so auth sufficient pam_unix2.so auth requisite pam_deny.so auth sufficient pam_krb5.so auth requir...

...ation yes KerberosTicketCleanup yes KerberosGetAFSToken yes GSSAPIAuthentication yes GSSAPICleanupCredentials yes /etc/resolv.conf: search dsdev.local ourdomain nameserver y.y.y.y. nameserver x.x.x.x /etc/pam.d/password-auth-ac: auth required pam_env.so auth [default=1 success=ok] pam_localuser.so auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth sufficient pam_winbind.so cached_login use_first_pass auth req...

...m_unix.so broken_shadow > account sufficient pam_succeed_if.so uid < 2000 quiet > account [default=bad success=ok user_unknown=ignore] pam_sss.so > account required pam_permit.so > account requisite pam_unix.so try_first_pass > account sufficient pam_localuser.so > account required pam_sss.so use_first_pass > account sufficient pam_localuser.so > > password requisite pam_pwquality.so try_first_pass > local_users_only retry=3 authtok_type= > password sufficient pam_unix.so md5 shadow nullok try_first_pass...

...unlock_time=1800 auth required pam_env.so auth sufficient pam_unix.so auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account required pam_unix.so account required pam_tally2.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok use_authtok password required pam_deny.so session...

...erently from CentOS5. Under CentOS5, I used this configuration to restrict access to root only: # cat /etc/security/access.conf + : root : ALL - : ALL : ALL # cat /etc/pam.d/system-auth-ac ... account required pam_access.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so ... # Under CentOS6, this has no effect and I can still login as non-root user. What am I missing?

...red pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shado...

...nt.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_krb5.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_krb5.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so sha512 shadow null...

...yes > GSSAPIAuthentication yes > GSSAPICleanupCredentials yes > > /etc/resolv.conf: > search dsdev.local ourdomain > nameserver y.y.y.y. > nameserver x.x.x.x > > /etc/pam.d/password-auth-ac: > auth required pam_env.so > auth [default=1 success=ok] pam_localuser.so > auth [success=done ignore=ignore default=die] pam_unix.so > nullok try_first_pass auth requisite pam_succeed_if.so uid > >= 1000 quiet_success auth sufficient pam_sss.so > >forward_pass > auth sufficient pam_winbind.so cached_login u...

...sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_winbind.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_winbind.so account required pam_permit.so password requisite pam_pwquality.so pam_cracklib.so try_first_pass local_users_only retry=3 authtok_type= pass...

....so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_access.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so type= retry=3 difok=3 minlen=8 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=0 passw...

...ent /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so broken_shadow account sufficient /lib/security/$ISA/pam_localuser.so account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so account required /lib/security/$ISA/pam_permit.so password requisite /lib/security/$ISA/pam_cracklib.so ret...

...x.so nullok try_first_pass >> auth requisite pam_succeed_if.so uid >= 500 quiet >> auth sufficient pam_ldap.so use_first_pass >> auth required pam_deny.so >> >> account required pam_unix.so >> account sufficient pam_localuser.so >> account sufficient pam_succeed_if.so uid < 500 quiet >> account [default=bad success=ok user_unknown=ignore] pam_ldap.so >> account required pam_permit.so >> >> password requisite pam_cracklib.so try_first_pass retry=3 type= >&g...

maybe it'll work when f27 comes out in a few days I'll wait for it. On Mon, Oct 30, 2017 at 3:05 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote: > for this machine it was unimportant. I will just use local accounts to > login it is only one user > I did remove sssd and went back to my original smb.conf but it still shows > > [root at squints ~]# getent passwd

...password-auth account include password-auth session include password-auth /etc/pam.d/password-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth [default=1 success=ok] pam_localuser.so auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so account...

...password-auth account include password-auth session include password-auth /etc/pam.d/password-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth [default=1 success=ok] pam_localuser.so auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so account...

...d pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_winbind.so auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account sufficient pam_winbind.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok...

...gt; GSSAPICleanupCredentials yes >> >> /etc/resolv.conf: >> search dsdev.local ourdomain >> nameserver y.y.y.y. >> nameserver x.x.x.x >> >> /etc/pam.d/password-auth-ac: >> auth required pam_env.so >> auth [default=1 success=ok] pam_localuser.so >> auth [success=done ignore=ignore default=die] pam_unix.so >> nullok try_first_pass auth requisite pam_succeed_if.so uid >>> = 1000 quiet_success auth sufficient pam_sss.so >>> forward_pass >> auth sufficient pam_winbi...

...h sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient p...

...h requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_krb5.so use_first_pass auth sufficient pam_winbind.so cached_login use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_krb5.so account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login account required pam_permit.so password requisite pam_crackl...