On (11/05/15 14:57), Vangass wrote: >Hi, > >I try to access Cisco switch via ssh. Cisco has tacacs login configured. > ># tail /var/log/secure >May 11 14:18:46 freeipa tac_plus[29096]: pam_sss(tac_plus:auth): >authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost= >user=bartosz >May 11 14:18:53 freeipa tac_plus[29096]: pam_sss(tac_plus:auth): >authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost= >user=test > >User bartosz is added in HBAC rule as Specified Users and Groups. >User test exist in FreeIPA but isn't in HBAC rule and shouldn't be >autheniticated. > ># cat /etc/sssd/sssd.conf >[domain/test.example.com] >debug_level = 6 >cache_credentials = True >krb5_store_password_if_offline = True >ipa_domain = test.example.com >id_provider = ipa >auth_provider = ipa >access_provider = ipa >ipa_hostname = freeipa.test.example.com >chpass_provider = ipa >ipa_server = freeipa.test.example.com >ipa_server_mode = True >ldap_tls_cacert = /etc/ipa/ca.crt > >[sssd] >services = nss, sudo, pam, ssh >config_file_version = 2 >domains = test.example.com > >[nss] >homedir_substring = /home > >[pam] >debug_level = 6 >domains = test.example.com > >[sudo] > >[autofs] > >[ssh] > >[pac] > >[ifp] > > >#cat /var/log/sssd/sssd_pam.log >(Mon May 11 14:40:28 2015) [sssd[pam]] [accept_fd_handler] (0x0400): Client >connected to privileged pipe! >(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): >Received client version [3]. >(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): >Offered version [3]. >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100): >entering pam_cmd_authenticate >(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_parse_name_for_domains] >(0x0200): name 'test' matched without domain, user is test >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command: >PAM_AUTHENTICATE >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: >not set >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service: >tac_plus >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not >set >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: >not set >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: >not set >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok >type: 1 >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): >newauthtok type: 0 >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: >29218 >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon >name: test >(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): >Issuing request for [0x7f4f20215ed0:3:[email protected]] >(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): >Creating request for [test.example.com][3][1][name=test] >(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): >Entering request [0x7f4f20215ed0:3:[email protected]] >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0100): >Requesting info for [[email protected]] >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0400): >Returning info for user [[email protected]] >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending >request with the following data: >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command: >PAM_AUTHENTICATE >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: >test.example.com >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service: >tac_plus >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not >set >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: >not set >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: >not set >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok >type: 1 >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): >newauthtok type: 0 >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: >29218 >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon >name: test >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): >pam_dp_send_req returned 0 >(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): >Deleting request: [0x7f4f20215ed0:3:[email protected]] >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): >received: [0][test.example.com] >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply >called with result [0]. >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply >called with result [0]. >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 81 >(Mon May 11 14:40:28 2015) [sssd[pam]] [client_recv] (0x0200): Client >disconnected! > ># cat /var/log/sssd/sssd_test.example.com.log >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[be_get_account_info] (0x0200): Got request for [0x3][1][name=test] >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [be_req_set_domain] >(0x0400): Changing request domain from [test.example.com] to [ >test.example.com] >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse >domain SID from [(null)] >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse >domain SID from [(null)] >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_get_initgr_next_base] (0x0400): Searching for users with base >[cn=accounts,dc=test,dc=example,dc=com] >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with >[(&(uid=test)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=test,dc=example,dc=com]. >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no >errmsg set >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [sdap_save_user] >(0x0400): Save user >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_get_primary_name] (0x0400): Processing object test >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [sdap_save_user] >(0x0400): Processing user test >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse >domain SID from [(null)] >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [sdap_save_user] >(0x0400): Adding original memberOf attributes to [test]. >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [sdap_save_user] >(0x0400): Adding user principal [[email protected]] to attributes of >[test]. >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [sdap_save_user] >(0x0400): Storing info for user test >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_get_primary_name] (0x0400): Processing object test >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with >[(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=test,dc=example,dc=com]. >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no >errmsg set >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_get_primary_name] (0x0400): Processing object ipausers >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse >domain SID from [(null)] >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_get_groups_next_base] (0x0400): Searching for groups with base >[cn=accounts,dc=test,dc=example,dc=com] >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with >[(&(gidNumber=732000003)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=test,dc=example,dc=com]. >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no >errmsg set >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse >domain SID from [(null)] >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_nested_group_recv] (0x0400): 0 users found in the hash table >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_nested_group_recv] (0x0400): 1 groups found in the hash table >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_get_primary_name] (0x0400): Processing object test >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [sdap_save_group] >(0x0400): Processing group test >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse >domain SID from [(null)] >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_process_ghost_members] (0x0400): The group has 0 members >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_process_ghost_members] (0x0400): Group has 0 members >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [sdap_save_group] >(0x0400): Storing info for group test >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_get_primary_name] (0x0400): Processing object test >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [sdap_save_grpmem] >(0x0400): Processing group test >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [sdap_save_grpmem] >(0x0400): Failed to get group sid >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [sdap_save_grpmem] >(0x0400): No members for group [test] >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with >[(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:test.example.com:b8e22526-f4c0-11e4-8865-005056a8f368))][cn=Default >Trust View,cn=views,cn=accounts,dc=test,dc=example,dc=com]. >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[sdap_get_generic_op_finished] (0x0400): Search result: No such object(32), >no errmsg set >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [acctinfo_callback] >(0x0100): Request processed. Returned 0,0,Success >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [be_req_set_domain] >(0x0400): Changing request domain from [test.example.com] to [ >test.example.com] >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [be_pam_handler] >(0x0100): Got request with the following data >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [pam_print_data] >(0x0100): command: PAM_AUTHENTICATE Here just authentication was performed. It coresponds to the line "auth required pam_sss.so" in your pam stack.
>(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [pam_print_data] >(0x0100): domain: test.example.com >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [pam_print_data] >(0x0100): user: test >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [pam_print_data] >(0x0100): service: tac_plus >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [pam_print_data] >(0x0100): tty: >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [pam_print_data] >(0x0100): ruser: >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [pam_print_data] >(0x0100): rhost: >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [pam_print_data] >(0x0100): authtok type: 1 >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [pam_print_data] >(0x0100): newauthtok type: 0 >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [pam_print_data] >(0x0100): priv: 1 >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [pam_print_data] >(0x0100): cli_pid: 29218 >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [pam_print_data] >(0x0100): logon name: not set >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[be_resolve_server_process] (0x0200): Found address for server >freeipa.test.example.com: [172.21.0.20] TTL 7200 >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[write_pipe_handler] (0x0400): All data has been sent! >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [child_sig_handler] >(0x0100): child [29226] finished successfully. >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] [read_pipe_handler] >(0x0400): EOF received, client finished >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[fo_set_port_status] (0x0100): Marking port 0 of server ' >freeipa.test.example.com' as 'working' >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[set_server_common_status] (0x0100): Marking server ' >freeipa.test.example.com' as 'working' >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[fo_set_port_status] (0x0400): Marking port 0 of duplicate server ' >freeipa.test.example.com' as 'working' >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) >[Success] ^^^^^^^^ Result of authentication is "Success" which means that password is correct. >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[be_pam_handler_callback] (0x0100): Sending result [0][test.example.com] >(Mon May 11 14:40:28 2015) [sssd[be[test.example.com]]] >[be_pam_handler_callback] (0x0100): Sent result [0][test.example.com] > I could not see authorisation phase; neither in sssd_pam log nor in sssd_$domain.log. It means that you either shared just part of log file or that your application did not reach/try line "account" in pam stack "account required pam_sss.so" In this case you would able to see PAM_ACCT_MGMT in log files. sssd seems to work as expected. LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
