We have two types of servers we are supporting in production.
Suse 10.2 and Suse 11.0
We have a setup where our Linux servers are integrated with Active directory via samba/winbind/kerberos.
So local linux accounts authenticate normally, and domain accounts go against AD.
We had a situation where we have an AD account that we also want to be a local-only Linux account.
So we configured pam with the pam_localuser.so module to check if the account is local to the system, and if so, skip the domain login.
This is accomplished by the following in common-password:

    password [default=ignore success=1] pam_localuser.so
    password sufficient pam_winbind.so
    password required pam_unix2.so nullok

This works great on the 11.0 servers. When we tried this on the 10.2 servers, entering password only brings up the NT option to change password.
On the 10.2 server, when we try and run passwd to test changing local system passwd, in /var/log/messages I see:
PAM unable to resolve symbol: pam_sm_chauthtok
If I remove the pam_localuser.so then I no longer see the pam_sm_chauthtok messages, but I also can't get the passwd command to change the account password locally for the account that is AD and local.
Any ideas on how to fix or work-around?
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
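
The control flow of the common-password stack quoted in the post, as an added example that is not part of the original message. It is a simplified model of libpam's stack walk, not libpam code; the return-code names are real PAM tokens, and it assumes libpam reports a module whose entry point cannot be resolved as module_unknown.

```python
import re

# The stack from the post, verbatim.
STACK = """\
password [default=ignore success=1] pam_localuser.so
password sufficient pam_winbind.so
password required pam_unix2.so nullok
"""

# Bracket equivalents of the keyword controls, as documented in pam.conf(5).
KEYWORDS = {
    "required": {"success": "ok", "new_authtok_reqd": "ok",
                 "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
}

def parse(text):
    """Turn PAM config lines into (actions, module) pairs."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            continue
        control, module = m.groups()
        if control.startswith("["):
            actions = dict(kv.split("=") for kv in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        rules.append((actions, module))
    return rules

def walk(rules, results):
    """Return the modules reached, given each module's (assumed) return code."""
    visited, skip = [], 0
    for actions, module in rules:
        if skip:                      # a numeric action jumped over this entry
            skip -= 1
            continue
        visited.append(module)
        action = actions.get(results[module], actions.get("default", "bad"))
        if action.isdigit():
            skip = int(action)        # success=1: skip the next module
        elif action in ("done", "die"):
            break                     # stack evaluation ends here
    return visited
```

With pam_localuser.so returning success the walk goes straight to pam_unix2.so; with perm_denied (user not in /etc/passwd) or module_unknown, default=ignore lets it fall through to pam_winbind.so.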