On Wed, May 08, 2013 at 11:27:18AM +0000, David Frost wrote:
> Hi, having configured SSSD on RHEL 6.4 to connect to our OpenLDAP server
> successfully, I can get a list of users and groups using the getent command
> but cannot ssh into the host or login via the console.
>
> The following error message is returned in /var/log/secure:
>
> May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication
> success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.21.1 user=jimbob
> May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied
> for user jimbob: 6 (Permission denied)
> May 8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired
> for jimbob from 10.21.21.1
>
> These are my ldap details:
>
> # extended LDIF
> #
> # LDAPv3
> # base <uid=jimbob,ou=people,dc=XXX,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # jimbob, People, XXX.com
> dn: uid=jimbob,ou=People,dc=XXX,dc=com
> givenName: Jim
> sn: Bob
> uid: jimbob
> uidNumber: 1081
> homeDirectory: /home/jimbob
> loginShell: /bin/bash
> cn: Jim Bob
> gidNumber: 1398
> mail: jim....@xxx.com
> userPassword:: XXX
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: ldapPublicKey
> objectClass: shadowAccount
Maybe some attributes of shadowAccount indicate that the account is expired?
They might not be visible for an anonymous bind.

>
> If I comment out the following line in /etc/pam.d/password-auth then I can
> login via ssh but still not the console.
>
> #account [default=bad success=ok user_unknown=ignore] pam_sss.so
>
> Any help would be greatly appreciated.

If you mean by console the text terminal then it makes sense, because the
login program uses system-auth instead of password-auth in its pam
configuration. Nevertheless I would recommend modifying the SSSD configuration
instead of the PAM configuration. I assume that you have configured an
access_provider in your sssd.conf, see man sssd.conf for details. If you remove
the access_provider entry it should work for all services.

To find out why SSSD thinks that the account is expired, logs with a high debug
level are needed, but as said before I assume that the shadow attributes might
be the reason.

HTH

bye,
Sumit

P.S. Please consider subscribing to sssd-devel so that you do not have to wait
until your email gets moderated.

> Thanks in advance, David.
>
> Truphone Limited, registered in England and Wales (registered company number:
> 04187081). Registered office: 4 Royal Mint Court, London EC3N 4HJ. VAT No. GB
> 851 5278 19
>
> This e-mail, and any attachment(s), may contain information which is
> confidential and/or privileged, and is intended for the addressee only. If
> you are not the intended recipient, you may not use, disclose, copy or
> distribute this information in any manner whatsoever. If you have received
> this e-mail in error, please contact the sender immediately and delete it.
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
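An added example, not code from this thread or from the SSSD project, that follows Sumit's suggestion to look at the shadowAccount attributes: it parses an LDIF entry as ldapsearch prints it (comments, folded lines and base64 `::` values included) and classifies the account with the day-count rules from shadow(5). The sample entry, the dc=example,dc=com suffix and the day numbers are constructed; the classification mirrors shadow(5) by hand and is not SSSD's own expiry code path, which also depends on sssd.conf settings such as access_provider and ldap_account_expire_policy.

```python
"""Classify an LDIF entry's shadowAccount attributes under the shadow(5) rules.

Added example; it is not SSSD's implementation. Day values are days since
1970-01-01, as shadow(5) stores them. Missing, empty or negative values mean
'never', and shadowLastChange 0 means 'must change password at next login'.
"""
import base64
import sys
from datetime import date

# Constructed sample entry (not real directory data). The shadow attributes
# are the ones an anonymous bind frequently cannot read.
SAMPLE_LDIF = """\
dn: uid=jimbob,ou=People,dc=example,dc=com
uid: jimbob
cn:: SmltIEJvYg==
objectClass: posixAccount
objectClass: shadowAccount
shadowLastChange: 15000
shadowMax: 90
shadowInactive: 7
shadowExpire: 15800
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Skips '#' comments, joins folded continuation lines (leading space) and
    decodes 'attr:: base64' values; an undecodable base64 value is kept raw.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of the previous line
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            try:
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            except ValueError:              # binascii.Error is a ValueError
                value = rest[1:].strip()
        else:
            value = rest.strip()
        attrs.setdefault(name.strip(), []).append(value)
    return attrs


def days_since_epoch(day):
    """shadow(5) expresses dates as days since 1970-01-01."""
    return (day - date(1970, 1, 1)).days


def _first_int(attrs, name):
    values = attrs.get(name)
    if not values or values[0] == "":
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def shadow_status(attrs, today):
    """Return 'account-expired', 'must-change', 'password-inactive',
    'password-expired' or 'ok' for the given day number."""
    expire = _first_int(attrs, "shadowExpire")
    if expire is not None and expire >= 0 and today > expire:
        return "account-expired"            # whole account disabled
    last_change = _first_int(attrs, "shadowLastChange")
    if last_change == 0:
        return "must-change"                # password change forced at next login
    max_days = _first_int(attrs, "shadowMax")
    if last_change is not None and max_days is not None and max_days >= 0:
        if today > last_change + max_days:
            inactive = _first_int(attrs, "shadowInactive")
            if inactive is not None and inactive >= 0 and today > last_change + max_days + inactive:
                return "password-inactive"  # grace period over, login refused
            return "password-expired"       # change required, login still allowed
    return "ok"


def check_ldif(text, today=None):
    """Parse an entry and return (uid, status, shadow attributes seen)."""
    attrs = parse_ldif_entry(text)
    if today is None:
        today = days_since_epoch(date.today())
    shadow = {k: v[0] for k, v in attrs.items() if k.startswith("shadow")}
    return attrs.get("uid", ["?"])[0], shadow_status(attrs, today), shadow


if __name__ == "__main__":
    # Pipe an authenticated ldapsearch result in on stdin, or run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    uid, status, shadow = check_ldif(text)
    print(f"{uid}: {status} {shadow}")
```

Run it as `ldapsearch -x -D '<bind dn allowed to read shadow attributes>' -W -b 'uid=jimbob,ou=People,dc=XXX,dc=com' shadowExpire shadowLastChange shadowMax shadowInactive | python3 shadow_check.py` (file name and bind DN are placeholders). Doing the search with an authenticated bind matters for the reason Sumit gives: the shadow attributes are often hidden from anonymous binds, so the entry pasted in the question may simply not show the attribute that makes pam_sss report the account as expired.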