Package: sssd-ldap
Version: 1.14.1-1
Severity: important

Dear Maintainer,

pam-sss doesn't allow login to LDAP users:

Oct 13 10:58:38 walrus sshd[4488]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=****** user=*****
Oct 13 10:58:38 walrus sshd[4488]: pam_sss(sshd:auth): received for user *****: 4 (System error)

On LDAP server ldap.log:

Oct 13 11:36:37 ldap slapd[665]: conn=1629798 fd=23 ACCEPT from IP=********:51332 (IP=0.0.0.0:389)
Oct 13 11:36:37 ldap slapd[665]: conn=1629798 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 13 11:36:37 ldap slapd[665]: conn=1629798 op=0 STARTTLS
Oct 13 11:36:37 ldap slapd[665]: conn=1629798 op=0 RESULT oid= err=0 text=
Oct 13 11:36:37 ldap slapd[665]: conn=1629798 fd=23 closed (TLS negotiation failure)

This is confirmed in /var/log/sss/LDAP.log (debug level 6):

[...]
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ldap.example.org' as 'working'
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [set_server_common_status] (0x0100): Marking server 'ldap.example.org' as 'working'
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'ldap.example.org' as 'working'
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=user,ou=people,dc=example,dc=org
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #14]: Request handler finished [0]: Successo
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #14]: Receiving request data.
[...]

ldapsearch -x -ZZ ... works fine.

My /etc/sssd/sssd.conf is:

[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = LDAP

[nss]

[pam]

# Example LDAP domain
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldap.example.org
ldap_search_base = dc=example,dc=org
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
cache_credentials = true
enumerate = False

There is also another sssd malfunction worth mentioning:

root@walrus:/var/log/sssd# sssctl domain-list
Unable to get domains list [3]: Communication error
org.freedesktop.DBus.Error.Spawn.ExecFailed: Cannot launch daemon, file not found or permissions invalid

I don't know if it's related or actually cares at all.

Thank you so much for your time,
Francesco

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sssd-ldap depends on:
ii  libc6             2.24-3
ii  libldap-2.4-2     2.4.42+dfsg-2+b3
ii  libsss-idmap0     1.14.1-1
ii  sssd-common       1.14.1-1
ii  sssd-krb5-common  1.14.1-1

Versions of packages sssd-ldap recommends:
ii  ldap-utils  2.4.42+dfsg-2+b3

Versions of packages sssd-ldap suggests:
pn  libsasl2-modules-ldap  <none>

-- no debconf information

--
Servizio gestione identità
Via Campi, 213/b
41125 Modena
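The two logs in the report disagree in an instructive way: slapd accepts the StartTLS extended operation (err=0) and then closes the socket with "TLS negotiation failure", while SSSD logs "START TLS result: Success" and only notices the problem when the simple bind fails with "Can't contact LDAP server". The following script is an added triage example (not part of the bug report, nor code from SSSD or Debian) that parses both log formats, groups slapd lines by connection id, and flags exactly that pattern: extended op accepted, TLS handshake failed, client bind lost. The sample log lines are constructed for the example, modelled on the lines quoted above, with documentation IP addresses in place of the redacted ones; a second, healthy connection is included so the classifier has something to contrast against.

```python
import re
from collections import OrderedDict

# Constructed sample slapd log (modelled on the report; IPs are documentation addresses).
SLAPD_LOG = """\
Oct 13 11:36:37 ldap slapd[665]: conn=1629798 fd=23 ACCEPT from IP=192.0.2.10:51332 (IP=0.0.0.0:389)
Oct 13 11:36:37 ldap slapd[665]: conn=1629798 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 13 11:36:37 ldap slapd[665]: conn=1629798 op=0 STARTTLS
Oct 13 11:36:37 ldap slapd[665]: conn=1629798 op=0 RESULT oid= err=0 text=
Oct 13 11:36:37 ldap slapd[665]: conn=1629798 fd=23 closed (TLS negotiation failure)
Oct 13 11:40:02 ldap slapd[665]: conn=1629800 fd=24 ACCEPT from IP=192.0.2.11:40112 (IP=0.0.0.0:389)
Oct 13 11:40:02 ldap slapd[665]: conn=1629800 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 13 11:40:02 ldap slapd[665]: conn=1629800 op=0 STARTTLS
Oct 13 11:40:02 ldap slapd[665]: conn=1629800 op=0 RESULT oid= err=0 text=
Oct 13 11:40:02 ldap slapd[665]: conn=1629800 op=1 BIND dn="uid=user,ou=people,dc=example,dc=org" method=128
Oct 13 11:40:02 ldap slapd[665]: conn=1629800 op=1 RESULT tag=97 err=0 text=
Oct 13 11:40:03 ldap slapd[665]: conn=1629800 fd=24 closed
"""

# Constructed sample from SSSD's LDAP backend debug log (debug level 6), as in the report.
SSSD_LOG = """\
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ldap.example.org' as 'working'
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=user,ou=people,dc=example,dc=org
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]
"""

SLAPD_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>\d+) (?P<what>\S+)(?P<args>.*)$")
CLOSED_RE = re.compile(r"\bclosed(?: \((?P<reason>[^)]*)\))?")
ERR_RE = re.compile(r"\berr=(?P<err>\d+)")
SSSD_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$"
)


def parse_slapd(text):
    """Group slapd connection log lines by conn id and record the StartTLS outcome."""
    conns = OrderedDict()
    for line in text.splitlines():
        m = SLAPD_RE.search(line)
        if not m:
            continue
        rec = conns.setdefault(
            m.group("conn"),
            {"starttls_op": None, "starttls_err": None, "binds": 0, "closed": None},
        )
        rest = m.group("rest")
        om = OP_RE.match(rest)
        if om:
            op, what = om.group("op"), om.group("what")
            if what == "STARTTLS":
                rec["starttls_op"] = op
            elif what == "BIND":
                rec["binds"] += 1
            elif what == "RESULT" and op == rec["starttls_op"] and rec["starttls_err"] is None:
                em = ERR_RE.search(rest)            # result of the StartTLS extended op itself
                rec["starttls_err"] = int(em.group("err")) if em else None
        else:
            cm = CLOSED_RE.search(rest)
            if cm:
                rec["closed"] = cm.group("reason") or ""   # reason only present on abnormal close
    return conns


def classify(rec):
    """Label a connection record by how far the StartTLS upgrade got."""
    if rec["starttls_op"] is None:
        return "no-starttls"
    if rec["starttls_err"] != 0:
        return "starttls-refused"                     # server declined the extended op
    if rec["closed"] and "TLS negotiation failure" in rec["closed"]:
        return "tls-handshake-failed"                 # op accepted, handshake itself failed
    return "tls-ok-bound" if rec["binds"] else "tls-ok"


def sssd_findings(text):
    """Flag an SSSD attempt where StartTLS reports Success but the next LDAP op fails."""
    findings, tls_ok_at = [], None
    for line in text.splitlines():
        m = SSSD_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Executing START TLS"):
            tls_ok_at = None                          # new attempt, reset state
        elif msg.startswith("START TLS result: Success"):
            tls_ok_at = m.group("ts")
        elif msg.startswith("ldap_result error:") and tls_ok_at is not None:
            findings.append((tls_ok_at, msg))
            tls_ok_at = None
    return findings


def triage(slapd_text, sssd_text):
    """Correlate both sides: server-side handshake verdicts and client-side 'TLS ok then lost'."""
    return {
        "server": {cid: classify(rec) for cid, rec in parse_slapd(slapd_text).items()},
        "client_tls_ok_then_lost": sssd_findings(sssd_text),
    }


if __name__ == "__main__":
    for cid, verdict in triage(SLAPD_LOG, SSSD_LOG)["server"].items():
        print(cid, verdict)
    for ts, msg in triage(SLAPD_LOG, SSSD_LOG)["client_tls_ok_then_lost"]:
        print(ts, msg)
```

The useful distinction the classifier makes is between "starttls-refused" (the extended operation returned a non-zero err, so the server never agreed to upgrade) and "tls-handshake-failed" (err=0 followed by a close citing TLS negotiation), which is the situation in this report; SSSD's "Success" line refers to the extended operation only, so the server-side close reason is the first place the failure is visible.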

