Hi all,

In our setup we run into the following problem: when sssd is configured, authentication against LDAP fails, but succeeds against Kerberos/AD. Our LDAP/eDirectory guru has, as far as he is concerned, pinned the problem down to the fact that LDAP authentication fails with the logging saying "password failed":
Here's the part in /var/log/secure:

Aug 30 11:45:36 hpdw0001 sshd[27645]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=hpdw0001.ddns.nl-htc01.nxp.com user=nxp21358
Aug 30 11:45:36 hpdw0001 sshd[27645]: pam_sss(sshd:auth): received for user nxp21358: 6 (Permission denied)
Aug 30 11:45:38 hpdw0001 sshd[27645]: Failed password for nxp21358 from 134.27.211.178 port 51963 ssh2

And the part in /var/log/sssd/:

(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (6): calling ldap_search_ext with [(&(uid=nxp21358)(objectclass=NxpUserAuxClass))][ou=TST_EMEA_NL-TST01,ou=Locations,ou=NXDI,o=NXP].
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [objectClass]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [uid]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [userPassword]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [uidNumber]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [gidNumber]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [gecos]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [homeDirectory]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [loginShell]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [krbPrincipalName]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [cn]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [modifyTimestamp]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowLastChange]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowMin]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowMax]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowWarning]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowInactive]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowExpire]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowFlag]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [krbLastPwdChange]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [krbPasswordExpiration]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [pwdAttribute]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (8): ldap_search_ext called, msgid = 9
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0x4d1eeb0], connected[1], ops[0x4d5be80], ldap[0x4d1f060]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_parse_entry] (9): OriginalDN: [cn=nxp21358,ou=Personal,ou=People,ou=NXDI,o=NXP].
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0x4d1eeb0], connected[1], ops[0x4d5be80], ldap[0x4d1f060]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_done] (6): Search result: Success(0),
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_initgr_user] (9): Receiving info for the user
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0x4d1eeb0], connected[1], ops[(nil)], ldap[0x4d1f060]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: ldap_result found nothing!

Now, browsing through the options that can be set, we saw that we were able to set an ldap_default_authtok_type. However, the only possible option here is "password".
However, the object "password" is unknown in eDirectory. All other options can be set/remapped to other attributes, but this particular one cannot. Is there a workaround for this that anyone knows of?

Best regards,
Andy
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
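The sssd back-end debug output quoted in the post is easier to reason about once it is parsed into records. The following Python script is an added example, not code from the post or from the sssd project: it parses lines of the shape "(timestamp) [sssd[be[DOMAIN]]] [function] (level): message", reconstructs the LDAP search (filter, search base, requested attributes, returned entry DNs, result code) and raises two observations a responder would want to check before looking at authtok settings: a search that reported Success but was followed by "ldap_result found nothing", and a returned entry whose DN does not sit under the search base that was used. The embedded sample log is constructed from a subset of the lines in the post; the DN comparison is a plain suffix match on comma-split components and deliberately does not handle escaped commas.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a subset of the sssd debug lines quoted in the post.
SAMPLE_LOG = """\
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (6): calling ldap_search_ext with [(&(uid=nxp21358)(objectclass=NxpUserAuxClass))][ou=TST_EMEA_NL-TST01,ou=Locations,ou=NXDI,o=NXP].
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [uid]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (7): Requesting attrs: [userPassword]
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_send] (8): ldap_search_ext called, msgid = 9
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_parse_entry] (9): OriginalDN: [cn=nxp21358,ou=Personal,ou=People,ou=NXDI,o=NXP].
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_generic_done] (6): Search result: Success(0),
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_get_initgr_user] (9): Receiving info for the user
(Mon Aug 30 11:45:33 2010) [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
"""

# One back-end debug line: "(timestamp) [sssd[be[DOMAIN]]] [function] (level): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>\d+)\): (?P<msg>.*)$"
)
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*?)\]\[(?P<base>[^\]]*)\]")
ATTR_RE = re.compile(r"Requesting attrs: \[(?P<attr>[^\]]+)\]")
DN_RE = re.compile(r"OriginalDN: \[(?P<dn>[^\]]+)\]")
RESULT_RE = re.compile(r"Search result: (?P<name>\w+)\((?P<code>\d+)\)")


@dataclass
class Record:
    ts: str
    domain: str
    func: str
    level: int
    msg: str


@dataclass
class LookupSummary:
    search_filter: Optional[str] = None
    base: Optional[str] = None
    attrs: List[str] = field(default_factory=list)
    entries: List[str] = field(default_factory=list)
    result: Optional[Tuple[str, int]] = None
    result_empty: bool = False


def parse_log(text: str) -> List[Record]:
    """Parse back-end debug lines; lines in any other shape are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Record(m["ts"], m["domain"], m["func"], int(m["level"]), m["msg"]))
    return out


def dn_components(dn: str) -> List[str]:
    """Naive RDN split: escaped commas are not handled (assumption for this example)."""
    return [c.strip().lower() for c in dn.split(",")]


def dn_under_base(dn: str, base: str) -> bool:
    """True when dn is the base itself or lies somewhere beneath it."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[-len(b):] == b


def summarize_lookup(records: List[Record]) -> LookupSummary:
    """Reconstruct one sdap search from its debug lines."""
    s = LookupSummary()
    for r in records:
        if m := SEARCH_RE.search(r.msg):
            s.search_filter, s.base = m["filter"], m["base"]
        elif m := ATTR_RE.search(r.msg):
            s.attrs.append(m["attr"])
        elif m := DN_RE.search(r.msg):
            s.entries.append(m["dn"])
        elif m := RESULT_RE.search(r.msg):
            s.result = (m["name"], int(m["code"]))
        elif "ldap_result found nothing" in r.msg:
            s.result_empty = True
    return s


def findings(s: LookupSummary) -> List[str]:
    """Observations worth raising from the summary; they are facts, not a root cause."""
    notes = []
    if s.result and s.result[0] == "Success" and s.result_empty:
        notes.append("search reported Success but a later ldap_result returned nothing")
    if s.base:
        for dn in s.entries:
            if not dn_under_base(dn, s.base):
                notes.append(f"entry {dn} is not under search base {s.base}")
    return notes


if __name__ == "__main__":
    summary = summarize_lookup(parse_log(SAMPLE_LOG))
    print(summary)
    for note in findings(summary):
        print("finding:", note)
```

Run it against a real /var/log/sssd/sssd_DOMAIN.log captured at a debug level high enough to include the sdap_* lines; the dataclasses give you the filter, base and attribute list without hand-reading the trace, and the two findings are the first things to compare against the sssd.conf search base and the directory layout before touching ldap_default_authtok_type.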