I found an answer - on a CACHED web page.
The original link says, "This question was removed from Unix & Linux Stack Exchange for reasons of moderation."
Here's the cached link: https://webcache.googleusercontent.com/search?q=cache:vlUMKhpD2ooJ:https://unix.stackexchange.com/questions/502805/freeipa-client-on-debian-9-cannot-find-user-error
but Murphy only knows how long it will stay available.
Here are the important bits that fixed my problem:

/etc/pam.d/common-account

account [default=bad success=ok user_unknown=ignore] pam_sss.so forward_pass use_first_pass
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so

/etc/pam.d/common-auth

auth [success=2 default=ignore] pam_sss.so forward_pass
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

/etc/pam.d/common-password

password [success=2 default=ignore] pam_sss.so forward_pass
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so

/etc/pam.d/common-session

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_mkhomedir.so
session required pam_permit.so
session required pam_unix.so
session optional pam_sss.so

And some diffs:
# diff common-account common-account-bak
1,5d0
< account [default=bad success=ok user_unknown=ignore] pam_sss.so forward_pass use_first_pass
< account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
< account requisite pam_deny.so
< account required pam_permit.so
< account sufficient pam_localuser.so
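Review bot: on the last '<' line, 'account sufficient pam_localuser.so' comes after 'account required pam_permit.so' at the very end of the stack, where it can no longer change the outcome, while the first '<' line gives pam_sss.so 'default=bad', so any pam_sss result other than success or user_unknown fails the account check for local accounts as well. Suggest moving the pam_sss.so line to the end, after pam_localuser.so, so local users are accepted before SSSD is consulted. The 'forward_pass use_first_pass' options on that pam_sss.so line deal with password handling and look unnecessary in an account rule.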
6a2,4
> account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
> account requisite pam_deny.so
> account required pam_permit.so
# diff common-auth common-auth-bak
1,5c1,2
< auth [success=2 default=ignore] pam_sss.so forward_pass
< auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
< auth requisite pam_deny.so
< auth required pam_permit.so
<
---
> auth required pam_unix.so nullok_secure
> auth required pam_tally.so onerr=fail deny=5 per_user
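Review bot: 'pam_tally.so onerr=fail deny=5 per_user' exists only on the '>' (common-auth-bak) side, so the current common-auth no longer has a failed-login counter or lockout. If lockout is still wanted on this host, carry that line over above the pam_sss.so rule, where the 'success=2' and 'success=1' jumps cannot skip it.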
# diff common-password common-password-bak
1,5c1,4
< password [success=2 default=ignore] pam_sss.so forward_pass
< password [success=1 default=ignore] pam_unix.so obscure sha512
< password requisite pam_deny.so
< password required pam_permit.so
<
---
> password requisite pam_cracklib.so retry=3 minlen=8 difok=3
> password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
> password requisite pam_deny.so
> password required pam_permit.so
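Review bot: 'password requisite pam_cracklib.so retry=3 minlen=8 difok=3' on the '>' side has no counterpart on the '<' side, and the pam_unix.so line lost 'use_authtok try_first_pass', so password changes through the current common-password are no longer subject to the minlen=8 and difok=3 checks. Suggest restoring the pam_cracklib.so line as the first rule and adding use_authtok to the pam_sss.so and pam_unix.so lines so that both accept only the password that passed the check.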
# diff common-session common-session-bak
1,6d0
< session [default=1] pam_permit.so
< session requisite pam_deny.so
< session required pam_mkhomedir.so
< session required pam_permit.so
< session required pam_unix.so
< session optional pam_sss.so
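Review bot: 'session required pam_mkhomedir.so' makes home-directory creation mandatory, so a login fails whenever the directory cannot be created, and with no umask= option new home directories get the module's default permissions. Consider 'optional' with an explicit mask, e.g. 'session optional pam_mkhomedir.so umask=0077'.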
7a2,7
> session [default=1] pam_permit.so
> session requisite pam_deny.so
> session required pam_permit.so
> session required pam_unix.so
> session optional pam_systemd.so
> session optional pam_ck_connector.so nox11
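Review bot: 'session optional pam_systemd.so' appears only on the '>' (common-session-bak) side, so with the current common-session logins are no longer registered with systemd-logind. Unless that is intended, add the line back after the pam_sss.so rule.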
______________________________________________________________________________________________
Daniel E. White
daniel.e.white@nasa.gov
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290
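
How the control fields in the common-auth stacks quoted in the message above resolve, as an added example that is not part of the original message and not PAM's own code: a small Python model of the jump (success=N), requisite and required actions, run over the current and the backup common-auth. The module return values passed in are constructed, and only the actions these two stacks use are modelled.

```python
import re

# Expansions of the keyword controls, as documented in pam.conf(5).
KEYWORDS = {
    "required":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
}
FIXED = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}  # these never vary

NEW_AUTH = """
auth [success=2 default=ignore] pam_sss.so forward_pass
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
OLD_AUTH = """
auth required pam_unix.so nullok_secure
auth required pam_tally.so onerr=fail deny=5 per_user
"""

def parse(stack):
    """Turn rule lines into (control map, module name) pairs."""
    rules = []
    for line in stack.strip().splitlines():
        ctl, module = re.match(r"\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)", line).groups()
        rules.append((dict(kv.split("=") for kv in ctl[1:-1].split())
                      if ctl.startswith("[") else KEYWORDS[ctl], module))
    return rules

def evaluate(stack, results):
    """results: module -> PAM return name for one constructed login attempt."""
    rules, i, verdict, trace = parse(stack), 0, None, []
    while i < len(rules):
        ctl, module = rules[i]
        ret = FIXED.get(module) or results[module]
        action = ctl.get(ret, ctl["default"])
        trace.append(f"{module}:{ret}->{action}")
        i += 1
        if action.isdigit():
            i += int(action)            # jump: skip N rules, verdict untouched
        elif action == "ok" and verdict is None:
            verdict = ret == "success"  # ok: a success makes an undecided verdict positive
        elif action in ("bad", "die"):
            verdict = False             # a failure is sticky
            if action == "die":
                break                   # requisite: stop immediately
    return verdict is True, trace
```

The trace shows why the trailing pam_permit.so rule is needed: a jump leaves the verdict undecided, and an undecided stack is a denied one.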
From: FreeIPA <freeipa-users@lists.fedorahosted.org>
Reply-To: FreeIPA <freeipa-users@lists.fedorahosted.org>
Date: Tuesday, March 3, 2020 at 11:37
To: Jochen Kellner <jochen@jochen.org>, FreeIPA <freeipa-users@lists.fedorahosted.org>
Cc: Rob Crittenden <rcritten@redhat.com>, Daniel White <daniel.e.white@nasa.gov>
Subject: [EXTERNAL] [Freeipa-users] Re: A Debian Head-Scratcher
grep -rnI pam_sss /var/log /etc/pam.d
returns nothing on this Debian system.
It is all over the CentOS system files.
Might this be an issue with the Debian freeipa-client package?
Also, I am able to log in with my IdM credentials, just not as this test-user.