From: Dag-Erling Smørgrav <des@des.no>
To: Ronny Forberger
Cc: Alan Hicks via freebsd-security
Subject: Re: I have no name prompt and no passwords recognized
Date: Mon, 14 Nov 2016 10:26:25 +0100
Message-ID: <8660nq9zum.fsf@desk.des.no>
List-Id: "Security issues [members-only posting]"

Ronny Forberger writes:
> # auth
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> #auth sufficient pam_krb5.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> auth sufficient /usr/local/lib/pam_sss.so
> auth required pam_unix.so no_warn try_first_pass nullok

I don't have the answer to your question, but I'd like to point out that you don't need to include the full path to the module. PAM will look in /usr/local/lib if it can't find the module in /usr/lib. You can even leave out the .so suffix (since OpenPAM Nummularia / FreeBSD 9.3).

Two other things: 1) make sure the service you're trying to use actually uses the system policy or a policy that includes it (sshd doesn't), and 2) if you add the "debug" keyword to every pam_sss line in your PAM policy, OpenPAM will log every call to the pam_sss module, everything it does on behalf of that module, and the outcome of the call through syslog (by default, it should go to /var/log/debug.log).

DES
-- 
Dag-Erling Smørgrav - des@des.no
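The three points in the reply above (a bare module name is enough, the service's policy has to actually reach the lines you edited, and `debug` on the pam_sss lines) as an added example, not code from the post, from OpenPAM or from FreeBSD: a small Python linter over OpenPAM policy text. It parses `facility control module [options]` lines, strips a redundant `/usr/lib` or `/usr/local/lib` prefix and the `.so` suffix, appends `debug` to every pam_sss line, and reports whether a service policy includes `system` for `auth`. The module search path is the FreeBSD default as an assumption, the sample policies are constructed for this example (the first mirrors the auth section quoted in the thread; the sshd and login fragments are minimal stand-ins, not verbatim FreeBSD files), and all function names are ours.

```python
"""Added example (not from the post or from OpenPAM/FreeBSD): a small linter
for OpenPAM policy text that applies the three points in the reply above.

Assumptions, labelled here and in the code: the module search path below is
the FreeBSD default; the sample policies are constructed for this example
(the first mirrors the auth section quoted in the thread); all function names
are ours."""

from dataclasses import dataclass, field

# Assumption: FreeBSD's OpenPAM resolves a bare module name by searching these
# directories in order, so a path prefix from either of them is redundant.
MODULE_SEARCH_PATH = ("/usr/lib", "/usr/local/lib")


@dataclass
class PolicyLine:
    facility: str   # auth | account | session | password
    control: str    # required | requisite | sufficient | optional | binding | include
    module: str     # module name or path, or the included policy name
    options: list = field(default_factory=list)


def parse_policy(text):
    """Parse 'facility control module [option ...]' lines; '#' starts a comment."""
    result = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        result.append(PolicyLine(fields[0], fields[1], fields[2], fields[3:]))
    return result


def normalize_module(module):
    """Drop a search-path prefix and the .so suffix, which OpenPAM supplies
    itself (the suffix is optional since OpenPAM Nummularia / FreeBSD 9.3).
    A path outside the search path is left untouched: OpenPAM would not
    find a bare name there."""
    for directory in MODULE_SEARCH_PATH:
        if module.startswith(directory + "/"):
            module = module[len(directory) + 1:]
            break
    if "/" not in module and module.endswith(".so"):
        module = module[:-3]
    return module


def add_debug(lines, module_name="pam_sss"):
    """Append the 'debug' option to every line loading module_name, so OpenPAM
    logs each call to that module and its outcome via syslog."""
    for line in lines:
        if line.control != "include" and normalize_module(line.module) == module_name:
            if "debug" not in line.options:
                line.options.append("debug")
    return lines


def reaches_system_policy(lines, facility="auth"):
    """True if the service defers this facility to the 'system' policy; a
    service with its own auth stack (like sshd) never sees edits made there."""
    return any(l.facility == facility and l.control == "include" and l.module == "system"
               for l in lines)


def fix_policy(text):
    """Normalise module names and add debug to pam_sss; returns policy text."""
    lines = add_debug(parse_policy(text))
    for line in lines:
        if line.control != "include":
            line.module = normalize_module(line.module)
    return "\n".join(" ".join([l.facility, l.control, l.module, *l.options]) for l in lines)


# Constructed sample: the auth section quoted in the thread.
SYSTEM_AUTH = """\
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_sss.so
auth required pam_unix.so no_warn try_first_pass nullok
"""

# Constructed samples: a service with its own auth stack (sshd-style, not the
# verbatim FreeBSD file) and one that includes the system policy.
SSHD_AUTH = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
auth required pam_unix.so no_warn try_first_pass
"""
LOGIN_AUTH = "auth include system\n"

if __name__ == "__main__":
    print(fix_policy(SYSTEM_AUTH))
    for name, policy in (("sshd", SSHD_AUTH), ("login", LOGIN_AUTH)):
        print(f"{name}: auth reaches system policy = "
              f"{reaches_system_policy(parse_policy(policy))}")
```

Running it prints the quoted policy with `auth sufficient pam_sss debug` in place of the full-path line and reports that the sshd-style fragment never reaches `system`, which is exactly the case where editing the system policy changes nothing for the service being tested.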