On (25/04/14 16:39), kevin sullivan wrote:
> I am seeing an issue when I try to change a local user's password when SSSD
> (1.9.2-82.el6) is not running. I have two sets of users: users stored in
> ldap and users stored locally on my RHEL 6.4 machine. When able, I want to
> log in as the ldap users and only fall back to the local users when I can't
> contact the ldap server. This is why I have pam configured like this:
>
> password requisite pam_cracklib.so retry=3 minlen=10
> password sufficient pam_sss.so forward_pass use_authtok
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password required pam_deny.so

Why do you want to have pam_sss before pam_unix for password?
The following configuration works for me even with stopped sssd.

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_sss.so use_authtok
password required pam_deny.so

LS
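
A small check for the ordering difference between the two password stacks in this thread, as an added example that is not part of either message: it parses PAM lines and reports whether pam_sss.so is listed ahead of pam_unix.so. The function names are assumptions of the example, and the two sample stacks are copied from the messages above.

```python
def parse_pam(text):
    """Parse pam.d-style text into (type, control, module, args) tuples."""
    entries = []
    # Join backslash-continued lines before splitting.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("@"):
            continue                               # blank, malformed or @include
        ptype, rest = parts[0].lstrip("-"), parts[1]
        if rest.startswith("["):                   # e.g. [success=1 default=ignore]
            control, _, rest = rest.partition("]")
            control += "]"
        else:
            bits = rest.split(None, 1)
            control, rest = bits[0], (bits[1] if len(bits) > 1 else "")
        fields = rest.split()
        if fields:
            entries.append((ptype, control, fields[0], fields[1:]))
    return entries

def password_order(text):
    """Module basenames of the password stack, in evaluation order."""
    return [m.rsplit("/", 1)[-1]
            for t, _c, m, _a in parse_pam(text) if t == "password"]

def sss_before_unix(text):
    """True when pam_sss.so is listed ahead of pam_unix.so for password."""
    order = password_order(text)
    if "pam_sss.so" not in order or "pam_unix.so" not in order:
        return False
    return order.index("pam_sss.so") < order.index("pam_unix.so")

# Stacks copied from the thread: the original post and the reply.
ORIGINAL = """\
password requisite pam_cracklib.so retry=3 minlen=10
password sufficient pam_sss.so forward_pass use_authtok
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
"""
REPLY = """\
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_sss.so use_authtok
password required pam_deny.so
"""

if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL), ("reply", REPLY)):
        print(name, password_order(stack), "sss first:", sss_before_unix(stack))
```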