4

Does the server or a specific service need to be restarted to let changes to PAM files (/etc/pam.d/system-auth) take effect?

Longer version: I'm working on configuring SSSD to connect with LDAP for authentication purposes. The system is RHEL6-based and SSSD is already configured to work in this fashion on multiple other RHEL6 servers in this environment. On these other servers, whenever a user accesses the system, it shows entries in /var/log/secure similar to those below for successful or failed attempts.

sshd[1489]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ipaddress user=user

sshd[1664]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server user=user

These log messages aren't showing in /var/log/secure and the users aren't able to log in to the server. Despite this, getent passwd and getent group do return the expected LDAP users and groups. Everything looks fine for permissions with the certificate directory, /etc/pam.d/system-auth and /etc/sssd/sssd.conf.

dawud
omnivir
  • Set `LogLevel DEBUG` in `sshd`, set `debug_level = 9` in the relevant domain of your `sssd.conf`, restart both services and see if you can see anything useful in the logs. – dawud Mar 31 '15 at 14:43

2 Answers

5

No, you don't need to restart any services after changing PAM configs. Maybe you could run `tail -f /var/log/messages /var/log/secure /var/log/audit/audit.log` on both systems while trying to access your LDAP server.

Markus
-1

Figured it out. I had everything set properly except for /etc/pam.d/password-auth.

sigh... Now that it's working I can go continuously reapply forehead to desk for missing something so simple.

Thanks for the help everyone! :)

omnivir
  • 3
    Can you please edit your answer to make it a little more applicable for posterity and others? Why did you need to add stuff to password-auth? Thanks. – Gray Feb 15 '19 at 15:34
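
The fix reported above was a missing entry in /etc/pam.d/password-auth while system-auth was already correct. The script below is an added example, not code from any poster in this thread: it resolves which modules a PAM service actually loads by following `include`/`substack` lines, so a missing `pam_sss.so` shows up per service. The directory contents are constructed, and the assumption that `sshd` includes `password-auth` while `login` includes `system-auth` is part of that sample; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: list the modules a PAM service loads for one management
# group, following include/substack lines into sibling files.

# pam_modules DIR SERVICE TYPE -> prints "file: module" per module line
pam_modules() {
    local dir="$1" service="$2" want="$3" depth="${4:-0}"
    local type control module rest
    [ -r "$dir/$service" ] || { echo "$service: not readable" >&2; return 1; }
    [ "$depth" -lt 8 ] || return 0          # stop on include loops
    while read -r type control module rest; do
        case $type in ''|'#'*) continue ;; esac
        type=${type#-}                       # "-auth" is still an auth line
        # A bracketed control like [success=1 default=ignore] spans words
        while [ -n "$module" ]; do
            case $control in \[*\]) break ;; \[*) ;; *) break ;; esac
            control="$control $module"
            read -r module rest <<EOF
$rest
EOF
        done
        [ "$type" = "$want" ] || continue
        case $control in
            include|substack) pam_modules "$dir" "$module" "$want" $(($depth + 1)) || : ;;
            *) echo "$service: $module" ;;
        esac
    done < "$dir/$service"
}

# uses_sss DIR SERVICE TYPE -> status 0 if pam_sss.so is in the resolved stack
uses_sss() { pam_modules "$1" "$2" "$3" | grep -q 'pam_sss\.so$'; }

# Constructed sample tree (assumption: sshd includes password-auth, login
# includes system-auth, and only system-auth was given the pam_sss line).
make_sample() {
    local d; d=$(mktemp -d)
    printf 'auth required pam_sepermit.so\nauth include password-auth\n' > "$d/sshd"
    printf 'auth include system-auth\n' > "$d/login"
    printf 'auth required pam_env.so\nauth sufficient pam_unix.so nullok\nauth required pam_deny.so\n' > "$d/password-auth"
    printf 'auth required pam_env.so\nauth sufficient pam_unix.so nullok\nauth [default=1 success=ok] pam_localuser.so\nauth sufficient pam_sss.so use_first_pass\nauth required pam_deny.so\n' > "$d/system-auth"
    echo "$d"
}

sample=$(make_sample)
for svc in sshd login; do
    if uses_sss "$sample" "$svc" auth; then echo "$svc: pam_sss.so present"
    else echo "$svc: pam_sss.so missing from auth stack"; fi
done
```

On a real host, pass `/etc/pam.d` as the directory and repeat the check for the `account`, `password` and `session` types as well.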