| | 36 | You will also need to make sure to use this SSSD configuration in PAM. Update /etc/nsswitch.conf accordingly: |
| | 37 | {{{ |
| | 38 | passwd: files sss |
| | 39 | shadow: files sss |
| | 40 | group: files sss |
| | 41 | netgroup: files sss |
| | 42 | }}} |
| | 43 | |
| | 44 | Also, update /etc/pam.d/system-auth-ac and password-auth-ac to include references to sss: |
| | 45 | {{{ |
| | 46 | #%PAM-1.0 |
| | 47 | # This file is auto-generated. |
| | 48 | # User changes will be destroyed the next time authconfig is run. |
| | 49 | auth required pam_env.so |
| | 50 | auth sufficient pam_unix.so nullok try_first_pass |
| | 51 | auth requisite pam_succeed_if.so uid >= 100 quiet |
| | 52 | auth sufficient pam_sss.so use_first_pass |
| | 53 | auth required pam_deny.so |
| | 54 | |
| | 55 | account required pam_unix.so broken_shadow |
| | 56 | account sufficient pam_localuser.so |
| | 57 | account sufficient pam_succeed_if.so uid < 100 quiet |
| | 58 | account [default=bad success=ok user_unknown=ignore] pam_sss.so |
| | 59 | account required pam_permit.so |
| | 60 | |
| | 61 | password requisite pam_cracklib.so try_first_pass retry=3 type= |
| | 62 | password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok |
| | 63 | password sufficient pam_sss.so use_authtok |
| | 64 | password required pam_deny.so |
| | 65 | |
| | 66 | session optional pam_keyinit.so revoke |
| | 67 | session required pam_limits.so |
| | 68 | session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid |
| | 69 | session required pam_unix.so |
| | 70 | session optional pam_sss.so |
| | 71 | }}} |
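Review bot: the PAM listing at new lines 46-48 carries the header "This file is auto-generated. User changes will be destroyed the next time authconfig is run.", yet line 44 tells readers to hand-edit system-auth-ac and password-auth-ac, so the pam_sss.so entries will be lost the next time authconfig rewrites those files. Either say so explicitly next to line 44, or document the authconfig route instead (for example `authconfig --enablesssd --enablesssdauth --update`) and present the listing as the expected result rather than as something to type in. Two smaller points: line 36 says the SSSD configuration is used "in PAM" but then changes /etc/nsswitch.conf, which is the NSS side, so the sentence should name both NSS and PAM; and lines 50 and 62 keep `nullok` on pam_unix.so, which accepts local accounts with an empty password, so the page should state whether that is intended for this setup or drop the option from the example.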