I'm using openSUSE Leap 15.1 on a machine which was previously configured
with samba/winbind for enumeration of users from a Microsoft AD. It was
also possible for those users to log in to the machine.
After upgrades and changes to the domain controllers (Windows Server
2019), I got lots of winbind errors in the logs.
I decided to do a fresh start and use sssd instead of winbind. I
configured it using realmd (realmd join mydomain.xxx --user myadminuser),
and it worked quite well. I also configured ssh login in the following
(please forgive the strange stuff in the auth section, but after some
fighting it worked :))
    if (with_krb5 || with_ldap || with_lum || with_winbind || with_sss)
      fprintf (fp, "account\trequisite\tpam_unix.so\t");
    else
      fprintf (fp, "account\trequired\tpam_unix.so\t");
QUESTION: Why does pam-config use account "requisite" for pam_unix.so in
case of pam_sss presence? I'd expect "required", and that also works
if I change it manually. But unfortunately, my changes are lost every time
pam-config is run again ...
Also, pam_sss should be "sufficient" afterwards, not "required" ...
(At least that works, and while I've learned a lot about PAM during the
last days, I'm not there yet I think :)
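
An added example, not part of the original post and not pam-config's own code: a simplified model of the "requisite", "required" and "sufficient" control flags as documented in pam.conf(5), used to compare the account stack pam-config writes with the hand-edited one proposed above. The module outcomes are constructed inputs, and the names run_stack, GENERATED, EDITED and differences are hypothetical.

```python
# Added example: simplified model of the PAM control flags discussed above,
# following the semantics documented in pam.conf(5). Module outcomes are
# constructed inputs, not observations from a real system.
from itertools import product

def run_stack(stack, outcome):
    """Evaluate [(control, module), ...]; outcome maps module -> True/False.
    Returns (access_granted, modules_invoked)."""
    invoked, failed, succeeded = [], False, False
    for control, module in stack:
        ok = outcome[module]
        invoked.append(module)
        if control == "requisite":
            if not ok:
                return False, invoked      # fail now, skip the rest of the stack
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            else:
                failed = True              # stack will fail, but keep going
        elif control == "sufficient":
            if ok and not failed:
                return True, invoked       # success ends the stack early
            # a failing "sufficient" module is ignored
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return succeeded and not failed, invoked

# Account stack as written by pam-config (per the post) ...
GENERATED = [("requisite", "pam_unix"), ("required", "pam_sss")]
# ... and the hand-edited variant the post proposes.
EDITED = [("required", "pam_unix"), ("sufficient", "pam_sss")]

def differences():
    """Outcome combinations where the two stacks reach different verdicts."""
    diffs = []
    for unix_ok, sss_ok in product([True, False], repeat=2):
        outcome = {"pam_unix": unix_ok, "pam_sss": sss_ok}
        a, b = run_stack(GENERATED, outcome)[0], run_stack(EDITED, outcome)[0]
        if a != b:
            diffs.append((outcome, a, b))
    return diffs

if __name__ == "__main__":
    for outcome, generated, edited in differences():
        print(outcome, "generated:", generated, "edited:", edited)
```

In this model the two stacks disagree in exactly one case: pam_unix succeeds and pam_sss fails, where the edited stack grants access because a failing "sufficient" module is ignored. Before keeping the edit, check that an account-phase denial from pam_sss still blocks login.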