Hi William,

PAM for users created manually is working fine for me. The only problem is related to synced users from AD, which don't seem to have all the necessary objectClasses.

However, this is the ldapserver PAM service:

# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass debug
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

and this is the sssd.conf file:

[sssd]
domains = lab.local
config_file_version = 2
services = nss, pam
debug_level = 10

[domain/lab.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = LAB.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = lab.local
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
#enumerate = true
auth_provider = ad
chpass_provider = ad
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600

Hope to have a reply from you soon.

Best Regards
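
How the jump controls in the auth stack quoted in the message above resolve, as an added example that is not part of the original message or of any project's code. It is a simplified model of libpam control handling (only the jump, ignore, ok, bad and die actions, with requisite and required reduced to their success/default parts from pam.conf(5)); the function names and the module results passed in are constructed for illustration.

```python
# Simplified model of how libpam walks the "auth" stack quoted in the message.
STACK = """\
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass debug
auth requisite pam_deny.so
auth required pam_permit.so
"""

# Keyword controls reduced to the success/default part of their bracket form.
KEYWORDS = {
    "requisite": {"success": "ok", "default": "die"},
    "required": {"success": "ok", "default": "bad"},
}
# These two modules always return the same result.
FIXED = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}


def parse(text):
    """Return [(module, {result: action})] for each line of the stack."""
    rules = []
    for line in text.splitlines():
        rest = line.split(None, 1)[1]              # drop the "auth" type field
        if rest.startswith("["):
            ctl, rest = rest[1:].split("]", 1)
            actions = dict(kv.split("=") for kv in ctl.split())
        else:
            ctl, rest = rest.split(None, 1)
            actions = KEYWORDS[ctl]
        rules.append((rest.split()[0], actions))
    return rules


def authenticate(results):
    """results: constructed module outcomes, e.g. {"pam_sss.so": "success"}."""
    rules, verdict, i, trace = parse(STACK), None, 0, []
    while i < len(rules):
        module, actions = rules[i]
        result = FIXED.get(module) or results.get(module, "auth_err")
        action = actions.get(result, actions["default"])
        trace.append(module)
        i += 1
        if action.isdigit():
            i += int(action)        # jump: skip N modules, verdict unchanged
        elif action == "ok" and verdict is None:
            verdict = True          # pam_permit primes the positive result
        elif action == "die":
            return False, trace     # requisite failure ends the stack at once
        elif action == "bad":
            verdict = False
    return verdict is True, trace
```

The trace shows that pam_sss.so is consulted only after pam_unix.so has not returned success, and that pam_deny.so is reached only when neither module succeeds.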