Problems with ocserv and Active Directory via SSSD

Dear all,
I have installed ocserv, version 1.1.1-1~bpo10+1, on a Debian 10.7 machine. In the config file I changed the authentication to PAM. The Debian machine is successfully connected to our Active Directory and I can log in via SSH with my AD user and the corresponding password. Now I configured openconnect on my client and logged in with user "root" and established the VPN connection. But if I try to do this with my AD user, the VPN connection will not be established. I found in /var/log/auth.log:

  Dec 14 16:11:14 openconnect ocserv[2481]: pam_unix(ocserv:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=178.142.xxx.xxx user=testuser
  Dec 14 16:11:14 openconnect ocserv[2481]: pam_sss(ocserv:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=178.142.xxx.xxx user=testuser
  Dec 14 16:11:14 openconnect ocserv[2481]: pam_sss(ocserv:account): Access denied for user testuser: 6 (Permission denied)

And /var/log/daemon.log contains:

  Dec 14 16:10:56 openconnect systemd[1]: ocserv.service: Succeeded.
  Dec 14 16:10:56 openconnect ocserv[2480]: note: skipping 'pid-file' config option
  Dec 14 16:10:56 openconnect ocserv[2480]: note: vhost:default: setting 'pam' as primary authentication method
  Dec 14 16:10:56 openconnect ocserv[2480]: note: setting 'file' as supplemental config option
  Dec 14 16:10:56 openconnect ocserv[2480]: listening (TCP) on 0.0.0.0:443...
  Dec 14 16:10:56 openconnect ocserv[2480]: listening (TCP) on [::]:443...
  Dec 14 16:10:56 openconnect ocserv[2480]: listening (UDP) on 0.0.0.0:443...
  Dec 14 16:10:56 openconnect ocserv[2480]: listening (UDP) on [::]:443...
  Dec 14 16:10:56 openconnect ocserv[2480]: main: Starting 1 instances of ocserv-sm
  Dec 14 16:10:56 openconnect ocserv[2480]: main: initialized ocserv 1.1.1
  Dec 14 16:10:56 openconnect ocserv[2481]: sec-mod: reading supplemental config from files
  Dec 14 16:10:56 openconnect ocserv[2481]: sec-mod: sec-mod initialized (socket: /run/ocserv.socket.92fb8478.0)
  Dec 14 16:11:11 openconnect ocserv[2480]: note: skipping 'pid-file' config option
  Dec 14 16:11:11 openconnect ocserv[2480]: note: vhost:default: setting 'pam' as primary authentication method
  Dec 14 16:11:11 openconnect ocserv[2480]: note: setting 'file' as supplemental config option
  Dec 14 16:11:11 openconnect ocserv[2481]: sec-mod: sec-mod instance 0 issue cookie
  Dec 14 16:11:11 openconnect ocserv[2481]: sec-mod: using 'pam' authentication to authenticate user (session: whGVbd)
  Dec 14 16:11:11 openconnect ocserv[2481]: PAM-auth conv: echo-off, msg: 'Password: '
  Dec 14 16:11:14 openconnect ocserv[2481]: PAM acct-mgmt error for 'testuser': Permission denied
  Dec 14 16:11:14 openconnect ocserv[2481]: PAM-auth pam_auth_pass: Permission denied
  Dec 14 16:11:14 openconnect ocserv[2482]: worker[testuser]: 178.142.xxx.xxx worker-auth.c:1713: failed authentication for 'testuser'
  Dec 14 16:11:14 openconnect ocserv[2480]: main:178.142.xxx.xxx:54073 user disconnected (reason: unspecified, rx: 0, tx: 0)

Do you have any hints for me?

All the best,
Tobias

--
Tobias Grychtol-Matthaeus
System Administrator, Information Technology
Max-Planck-Institut für Marine Mikrobiologie
Celsiusstr. 1 - D-28359 Bremen - Room R1130
Phone: +49 421 2028-5720
E-mail: tgrym...@mpi-bremen.de
_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
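The auth.log lines above are the useful signal: pam_sss passes the "auth" stage (the password is correct) and then rejects the "account" stage, which is PAM's authorization step, so the denial comes from access policy rather than from the credential. The following triage script is an added example, not part of the post or of ocserv; it parses PAM syslog lines of the shape shown above, groups them per (pid, user) session, and reports which stage failed. The sample log is constructed: the testuser lines mirror the post, and the "alice" session is invented to show the other outcome.

```python
import re
from collections import defaultdict

# Constructed sample: testuser lines follow the post's auth.log excerpt;
# the "alice" session is invented (password rejected by every module).
SAMPLE_AUTH_LOG = """\
Dec 14 16:11:14 openconnect ocserv[2481]: pam_unix(ocserv:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=178.142.xxx.xxx user=testuser
Dec 14 16:11:14 openconnect ocserv[2481]: pam_sss(ocserv:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=178.142.xxx.xxx user=testuser
Dec 14 16:11:14 openconnect ocserv[2481]: pam_sss(ocserv:account): Access denied for user testuser: 6 (Permission denied)
Dec 14 16:13:02 openconnect ocserv[2481]: pam_unix(ocserv:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=178.142.xxx.xxx user=alice
Dec 14 16:13:02 openconnect ocserv[2481]: pam_sss(ocserv:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=178.142.xxx.xxx user=alice
"""

# "<ts> <host> <prog>[<pid>]: <module>(<service>:<stage>): <msg>"
PAM_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ \S+\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<stage>\w+)\): (?P<msg>.*)$")
# User appears as "user=NAME" (auth lines) or "for user NAME:" (account
# lines); the \b keeps the empty "ruser=" field from matching.
USER_RE = re.compile(r"(?:\buser=|for user )(\S+?)(?=[:\s]|$)")


def parse_pam_lines(text):
    """Yield (pid, user, stage, module, outcome) for each PAM line in text."""
    for line in text.splitlines():
        m = PAM_RE.match(line)
        u = USER_RE.search(m["msg"]) if m else None
        if not u:
            continue  # not a PAM module line, or no user field
        outcome = "success" if "success" in m["msg"] else "failure"
        yield m["pid"], u.group(1), m["stage"], m["module"], outcome


def triage(text):
    """Map each (pid, user) session to a verdict on where PAM stopped it."""
    sessions = defaultdict(lambda: defaultdict(list))
    for pid, user, stage, module, outcome in parse_pam_lines(text):
        sessions[(pid, user)][stage].append((module, outcome))
    verdicts = {}
    for key, stages in sessions.items():
        # "auth" checks the credential; one module succeeding is enough
        # (pam_unix failing for a domain user is expected noise).
        if not any(o == "success" for _, o in stages.get("auth", [])):
            verdicts[key] = "credentials rejected at auth stage"
            continue
        # "account" is authorization: policy, not the password, denied access.
        denied = [mod for mod, o in stages.get("account", []) if o != "success"]
        if denied:
            verdicts[key] = "authenticated but denied at account stage by " + ",".join(denied)
        else:
            verdicts[key] = "authenticated and authorized"
    return verdicts
```

Run `triage(open("/var/log/auth.log").read())` on a real log to see, per session, whether a login failed on the password or on the account stage.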