I found an answer - on a CACHED web page.

The original link says, "This question was removed from Unix & Linux Stack Exchange for reasons of moderation."

Here's the cached link: https://webcache.googleusercontent.com/search?q=cache:vlUMKhpD2ooJ:https://unix.stackexchange.com/questions/502805/freeipa-client-on-debian-9-cannot-find-user-error

but Murphy only knows how long it will stay available.

 

Here are the important bits that fixed my problem:

 

/etc/pam.d/common-account
account     [default=bad success=ok user_unknown=ignore]      pam_sss.so forward_pass use_first_pass
account     [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
account     requisite                                         pam_deny.so
account     required                                          pam_permit.so
account     sufficient                                        pam_localuser.so

/etc/pam.d/common-auth
auth        [success=2 default=ignore]  pam_sss.so forward_pass
auth        [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth        requisite                   pam_deny.so
auth        required                    pam_permit.so

/etc/pam.d/common-password
password    [success=2 default=ignore]  pam_sss.so forward_pass
password    [success=1 default=ignore]  pam_unix.so obscure sha512
password    requisite                   pam_deny.so
password    required                    pam_permit.so

/etc/pam.d/common-session
session     [default=1]     pam_permit.so
session     requisite       pam_deny.so
session     required        pam_mkhomedir.so
session     required        pam_permit.so
session     required        pam_unix.so
session     optional        pam_sss.so

 

And some diffs:

 

# diff common-account common-account-bak

1,5d0

< account [default=bad success=ok user_unknown=ignore]      pam_sss.so forward_pass use_first_pass

< account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so

< account requisite                                         pam_deny.so

< account required                                          pam_permit.so

< account sufficient                                        pam_localuser.so
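
Review bot: on the "<" side the pam_sss.so account line carries forward_pass use_first_pass, which are password-handling options and have no role in an account stack, so they should be dropped there. The pam_localuser.so line is "sufficient" but sits after "required pam_permit.so", so as ordered it cannot change the outcome; either remove it or move the pam_sss.so line below it so local accounts finish before the SSSD check.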

6a2,4

> account       [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so 

> account       requisite                       pam_deny.so

> account       required                        pam_permit.so

 

# diff common-auth common-auth-bak

1,5c1,2

< auth    [success=2 default=ignore]  pam_sss.so forward_pass

< auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass

< auth    requisite                   pam_deny.so

< auth    required                    pam_permit.so

<

---

> auth  required        pam_unix.so nullok_secure 

> auth  required        pam_tally.so onerr=fail deny=5 per_user
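
Review bot: the new stack ("<" lines) has no lockout module, while the backup had "pam_tally.so onerr=fail deny=5 per_user", so failed-login counting is gone for local and SSSD logins alike. Re-add a lockout line ahead of pam_sss.so, where it runs before either skip count takes effect and does not change the success=2 / success=1 arithmetic.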

 

# diff common-password common-password-bak

1,5c1,4

< password    [success=2 default=ignore]  pam_sss.so forward_pass

< password    [success=1 default=ignore]  pam_unix.so obscure sha512

< password    requisite                   pam_deny.so

< password    required                    pam_permit.so

<

---

> password      requisite                       pam_cracklib.so retry=3 minlen=8 difok=3

> password      [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512

> password      requisite                       pam_deny.so

> password      required                        pam_permit.so
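
Review bot: the "pam_cracklib.so retry=3 minlen=8 difok=3" line exists only on the backup side and the new pam_unix.so line drops use_authtok try_first_pass, so local password changes are no longer quality-checked. Keep the pam_cracklib.so line first and add use_authtok to the pam_sss.so and pam_unix.so lines so both accept only the password that passed the check.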

 

# diff common-session common-session-bak

1,6d0

< session     [default=1]         pam_permit.so

< session     requisite           pam_deny.so

< session     required            pam_mkhomedir.so

< session     required            pam_permit.so

< session     required            pam_unix.so

< session     optional            pam_sss.so
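
Review bot: the added pam_mkhomedir.so line has no umask= option, so home directories created at first login get the module default of 0022 and are readable by other users. Set it explicitly, for example "pam_mkhomedir.so umask=0077".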

7a2,7

> session       [default=1]                     pam_permit.so

> session       requisite                       pam_deny.so

> session       required                        pam_permit.so

> session       required        pam_unix.so 

> session       optional        pam_systemd.so

> session       optional                        pam_ck_connector.so nox11
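
Review bot: "session optional pam_systemd.so" appears only on the backup (">") side, so the new file no longer registers logins with systemd-logind. If that was not intended, restore the line after pam_sss.so.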

 

 

______________________________________________________________________________________________

 

Daniel E. White
daniel.e.white@nasa.gov

NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771

Office: (301) 286-6919

Mobile: (240) 513-5290
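
The skip counts in the common-auth stack posted above decide whether a login ends at pam_deny.so or pam_permit.so. The following is an added example, not part of the original message or of any PAM/SSSD code: it walks that stack with a simplified model of libpam's control actions (no "reset", no cached chains), and the per-module return codes passed to evaluate() are constructed inputs.

```python
import re

# Keyword controls in their bracket form, as documented in pam.conf(5).
LEGACY = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# common-auth as posted in the message above.
COMMON_AUTH = """\
auth        [success=2 default=ignore]  pam_sss.so forward_pass
auth        [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth        requisite                   pam_deny.so
auth        required                    pam_permit.so
"""
FIXED = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}  # constant results

def parse(text):
    """Return [(module, {return_code: action})], one entry per stack line."""
    stack = []
    for m in re.finditer(r"^\s*\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)", text, re.M):
        ctl, module = m.groups()
        actions = (dict(kv.split("=") for kv in ctl[1:-1].split())
                   if ctl.startswith("[") else LEGACY[ctl])
        stack.append((module, actions))
    return stack

def evaluate(stack, results):
    """Walk the stack; grant only if some module cast a positive vote."""
    impression, status, i, trace = None, "success", 0, []
    while i < len(stack):
        module, actions = stack[i]
        ret = FIXED.get(module) or results[module]   # results: constructed input
        act = actions.get(ret, actions["default"])
        trace.append(module)
        i += 1
        if act.isdigit():
            i += int(act)              # jump: skip N modules, records no vote
        elif act in ("ok", "done") and impression != "neg":
            impression, status = "pos", ret
            if act == "done":
                break
        elif act in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", ret
            if act == "die":
                break
    return impression == "pos" and status == "success", trace
```

The trace shows why the stack ends in "required pam_permit.so": a jump records no vote of its own, so the module it lands on has to supply the positive result.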

 

From: FreeIPA <freeipa-users@lists.fedorahosted.org>
Reply-To: FreeIPA <freeipa-users@lists.fedorahosted.org>
Date: Tuesday, March 3, 2020 at 11:37
To: Jochen Kellner <jochen@jochen.org>, FreeIPA <freeipa-users@lists.fedorahosted.org>
Cc: Rob Crittenden <rcritten@redhat.com>, Daniel White <daniel.e.white@nasa.gov>
Subject: [EXTERNAL] [Freeipa-users] Re: A Debian Head-Scratcher

 

grep -rnI pam_sss /var/log /etc/pam.d

returns nothing on this Debian system

 

It is all over the CentOS system files.

Might this be an issue with the Debian freeipa-client package?

 

Also, I am able to log in with my IdM credentials, just not as this test-user.
