Hi, I resolved the cert issue. But there is one more thing I wonder about. The configuration I use for system-auth on Red Hat 5.7 does not work on CentOS 6.2. On 6.2 it works without pam_sss. How does that happen if there is no sssd PAM module in system-auth? I am also sure the authentication is made through sssd.
For instance, I use the configuration below on 5.7:

# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
#password   required      pam_passwdqc.so enforce=users min=disabled,16,12,8,6
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     sufficient    pam_sss.so

But on 6.2 the configuration below works without pam_sss; there are only LDAP PAM modules. But I checked that the authentication is made through sssd.

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

How does this happen?

On Thu, Feb 9, 2012 at 9:35 PM, Jakub Hrozek <[email protected]> wrote:
> On Thu, Feb 09, 2012 at 09:10:04PM +0200, Aziz Sasmaz wrote:
> > Hi,
> > ldap is working fine without sssd. When sssd is enabled, getent works
> > fine; it gets all the user info.
>
> The LDAP connection we use to get user information is not encrypted by
> default.
>
> > When I try to make an ssh connection to an sssd-enabled server, I see the
> > debug entries below in the ldap server's log file.
>
> The authentication requests must be encrypted to prevent the password being
> sent in the clear. That's where you are hitting the TLS errors.
>
> > The certs are created on gentoo machines. But I use the certs on centos
> > also. I have one gentoo ldap-provider server and 2 gentoo ldap-consumer
> > servers. This centos machine is the 3rd ldap consumer server. When I point
> > to the gentoo ldap servers in the sssd.conf file, sssd works fine. But when
> > I point to the centos ldap server in sssd.conf, I get an error when I try
> > to make an ssh connection to that server.
> >
> > TLS: loaded CA certificate file /etc/openldap/ssl/cacert.pem.
> > TLS: certificate [[email protected],CN=ldap01.jazzy.com,O=Jazzy Hizmetler A.S,L=Istanbul,ST=Sisli,C=TR] is not valid - error -8181:Unknown code ___f 11.
>
> moznss error -8181 (SEC_ERROR_BAD_SIGNATURE) means that the certificate
> is not signed properly.
>
> Perhaps the CentOS server does not trust the issuing CA you signed the
> certificate with?
>
> > TLS: certificate [[email protected],CN=jazzy.com,O=Jazzy Hizmetler A.S.,ST=Sisli,C=TR] is not correct because it is a CA cert and the BasicConstraint CA flag is set to FALSE - allowing for now, but please fix your certs if possible
> > TLS: error: unable to find and verify server's cert and key for certificate PEM Token #0:servercrt.pem - 0
> > TLS: error: could not initialize moznss security context - error -8156:Unknown code ___f 36
> > TLS: can't create ssl handle.
> > connection_read(19): TLS accept failure error=-1 id=1001, closing
> > connection_closing: readying conn=1001 sd=19 for close
> >
> > sssd conf:
> > [domain/azldap.jazzy.com]
> > id_provider = ldap
> > auth_provider = ldap
> > chpass_provider = ldap
> > ldap_schema = rfc2307
> > ldap_uri = ldaps://172.16.10.48
> > ldap_search_base = dc=jazzy,dc=com
> > ldap_tls_reqcert = allow
> > cache_credentials = true
> > enumerate = true
> > entry_cache_timeout = 5400
> > ldap_user_gecos = uid
> >
> > Thanks,
> > AS
> >
> > On Thu, Feb 9, 2012 at 3:12 PM, Jakub Hrozek <[email protected]> wrote:
> > > On Thu, Feb 09, 2012 at 01:44:35PM +0200, Aziz Sasmaz wrote:
> > > > Hi,
> > > > sssd gives the error below when it tries to connect to my ldap server.
> > > > My ldap server is CentOS release 6.2 (Final) and the servers using sssd
> > > > are the same.
> > > > In one of my datacenters I use gentoo ldap servers and redhat(5) sssd
> > > > servers and I get no errors with the same configuration parameters.
> > > > It says below "something bad happened". What is that something? Could
> > > > you please help me regarding this error?
> > > >
> > > > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [set_server_common_status] (4): Marking server '172.16.10.48' as 'working'
> > > > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [simple_bind_send] (4): Executing simple bind as: uid=aziz,ou=People,dc=bilyoner,dc=com
> > > > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [sdap_process_result] (4): ldap_result gave -1, something bad happend!
> > > > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
> > > > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [be_pam_handler_callback] (4): Sending result [4][azldap.bilyoner.com]
> > > > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [be_pam_handler_callback] (4): Sent result [4][azldap.bilyoner.com]
> > > >
> > > > Thanks,
> > > > AS
> > >
> > > Unfortunately the LDAP library does not pass any extra information
> > > except the "something bad happened" sentence to the client side.
> > >
> > > Do you have access to the server logs? Can you check if there is any
> > > useful information there?
> > >
> > > My guess would be to check for any certificate issues.
_______________________________________________
sssd-devel mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/sssd-devel
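The stacking question at the top of the mail (which rule in the 5.7 auth section actually decides the result, and why a uid < 500 account is never handed to pam_sss) can be traced with a small simulator of Linux-PAM's control flags. This is an added example, not code from the thread or from sssd; the KEYWORDS table is a simplification of pam.conf(5), and the module outcomes passed to run_stack are constructed assumptions, not real module results.

```python
# Added example (not from the thread or from sssd): a small simulator of the
# Linux-PAM control-flag semantics, run over the "auth" section of the 5.7
# system-auth quoted in the mail. Module outcomes are supplied by hand.
import re
# Keyword flags as their bracketed equivalents (simplified from pam.conf(5)).
KEYWORDS = {"required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
            "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}}
RULE = re.compile(r"^\s*(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")  # type, control, module
AUTH_57 = """
auth required  pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required  pam_deny.so
"""

def parse_stack(text):
    """Return (action-map, module) per rule, expanding keyword control flags."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0])
        if not m:
            continue                                   # blank or comment line
        _type, ctrl, module = m.groups()
        if ctrl.startswith("["):                       # explicit [code=action ...]
            actions = dict(kv.split("=", 1) for kv in ctrl[1:-1].split())
        else:
            actions = KEYWORDS[ctrl]
        rules.append((actions, module))
    return rules

def run_stack(rules, outcomes):
    """Walk the stack as Linux-PAM does; return (result, module that decided it).
    outcomes: module -> code it returns ('success', 'auth_err', ...), else 'ignore'."""
    status, decider, negative = None, None, False
    for actions, module in rules:
        code = outcomes.get(module, "ignore")
        action = actions.get(code, actions.get("default", "bad"))
        if action in ("ok", "done"):
            if status is None or (not negative and status == "success"):
                status, decider, negative = code, module, code != "success"
            if action == "done" and not negative:
                return status, decider                 # sufficient success: stop here
        elif action in ("bad", "die"):
            if not negative:
                status, decider, negative = code, module, True
            if action == "die":
                return status, decider                 # requisite failure: stop here
    return status or "perm_denied", decider            # nothing contributed -> denied
```

With the LDAP user's outcomes (pam_unix returns user_unknown, pam_succeed_if and pam_sss succeed) the stack ends at pam_sss with success, while a uid < 500 user is stopped by the requisite pam_succeed_if rule before pam_sss is ever consulted.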
