
I'm putting centralized authentication in my LAN infrastructure. The LDAP server is up and running, and all Debian/Ubuntu servers manage to authenticate users against the LDAP.

Now, all my CentOS8/Fedora32 machines just cannot. First, the client-side configuration is based on sssd, which differs a lot, but even then, once I've completed the client config, I can, typing id $USER, get all of the user's UID, GIDs, etc., so I know that the config is sane.

Now, from the newly-configured machine, as root, let's say I do this:
# su - USER1 --> succeeds, without asking a passwd (of course), creates the home dir
# su - USER2 --> (as root, again), succeeds again
now... as USER2:
USER2$ su - USER1 --> will prompt for USER1's password, and will fail.

From any other machine:
ssh USER1@LDAPCLIENT --> fails; same for any other user.

This makes me think that there might be something in the way that RH-based machines interpret passwords, regardless of the backend. I'm no expert in PAM, SSSD or any security mechanism, so I do not know.

Does anyone know enough about SSSD, PAM, NSS on RH vs Debian to enlighten me?

J.F.Gratton

1 Answer


It's likely you've got sssd integrated into nsswitch but not pam.

If grep sss /etc/pam.d/* yields nothing, run sudo authconfig --enablesssdauth --update.

84104
  • No, pam_sss.so is present in /etc/pam.d/{fingerprint,password,system}-auth. Would you need config files that I'd publish on gist to clear this up? I'm totally at a loss here. I totally rule out the LDAP; as I said, Debian-based machines and VMs authenticate against it. – J.F.Gratton Jun 30 '20 at 20:50
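A small diagnostic for the split the answer points at (sssd wired into NSS, so id works, but absent from the PAM stack, so password logins fail). This is an added example, not code from the thread; it checks the passwd/shadow/group lines of nsswitch.conf and the auth/account sections of one PAM stack file, takes the file paths as parameters (defaulting to the usual CentOS/Fedora locations), and builds constructed sample files for the demo run.

```shell
#!/usr/bin/env bash
# Added diagnostic: is sssd wired into both NSS and PAM on this host?

# Return 0 if nsswitch.conf lists "sss" on the passwd, shadow and group lines.
nss_has_sss() {
    nsswitch="${1:-/etc/nsswitch.conf}"
    for db in passwd shadow group; do
        grep -Eq "^[[:space:]]*${db}:.*([[:space:]]|$)sss([[:space:]]|$)" "$nsswitch" || return 1
    done
    return 0
}

# Return 0 if a PAM stack file uses pam_sss.so in both its auth and account
# sections (both are consulted for a password login via su or sshd).
pam_has_sss() {
    pamfile="$1"
    for section in auth account; do
        grep -Eq "^[[:space:]]*${section}[[:space:]].*pam_sss\.so" "$pamfile" || return 1
    done
    return 0
}

# Print a one-line verdict; return 0 only when both NSS and PAM are wired.
check_sssd_wiring() {
    nsswitch="${1:-/etc/nsswitch.conf}"
    pamfile="${2:-/etc/pam.d/system-auth}"
    nss=missing; pam=missing
    nss_has_sss "$nsswitch" && nss=ok
    pam_has_sss "$pamfile" && pam=ok
    printf 'nss(%s): %s  pam(%s): %s\n' "$nsswitch" "$nss" "$pamfile" "$pam"
    [ "$nss" = ok ] && [ "$pam" = ok ]
}

# Demo on constructed sample files reproducing the thread's symptom:
# NSS knows about sss, the PAM stack does not.
demo() {
    d=$(mktemp -d)
    printf 'passwd: files sss\nshadow: files sss\ngroup:  files sss\n' > "$d/nsswitch.conf"
    printf 'auth sufficient pam_unix.so nullok\nauth required pam_deny.so\n' > "$d/system-auth"
    printf 'account required pam_unix.so\n' >> "$d/system-auth"
    if check_sssd_wiring "$d/nsswitch.conf" "$d/system-auth"; then
        echo "sssd is wired into NSS and PAM"
    else
        echo "sssd is NOT wired into both NSS and PAM"  # expected for this sample
    fi
    rm -rf "$d"
}

demo
```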