Hi,
Thanks for the help, I increased the debug level and found that it was my
ldap_access_filter that wasn't allowing the user to login. It just happened
that the error in the log was saying the account had expired, when really it
hadn't.
Initially I too thought it may have been missing attributes, but turned out not
to be the case.
Thanks again,
Regards David.
From: David Frost
Sent: Wednesday, May 08, 2013 12:27 PM
To: 'sssd-devel@lists.fedorahosted.org'
Subject: SSSD with SSH and PAM Account Expired
Hi, having configured SSSD on RHEL 6.4 to connect to our OpenLDAP server
successfully, I can get a list of users and groups using the getent command but
cannot ssh into the host or login via the console.
The following error message is returned in /var/log/secure:
May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.21.1 user=jimbob
May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied for user jimbob: 6 (Permission denied)
May 8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired for jimbob from 10.21.21.1
These are my ldap details:
# extended LDIF
#
# LDAPv3
# base <uid=jimbob,ou=people,dc=XXX,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# jimbob, People, XXX.com
dn: uid=jimbob,ou=People,dc=XXX,dc=com
givenName: Jim
sn: Bob
uid: jimbob
uidNumber: 1081
homeDirectory: /home/jimbob
loginShell: /bin/bash
cn: Jim Bob
gidNumber: 1398
mail: jim....@xxx.com
userPassword:: XXX
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: ldapPublicKey
objectClass: shadowAccount
If I comment out the following line in /etc/pam.d/password-auth then I can
login via ssh but still not the console.
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
Any help would be greatly appreciated.
Thanks in advance, David.
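
Added example (not part of the original messages and not SSSD code): a small Python triage of the /var/log/secure lines quoted above. It compares the numeric PAM code on the pam_sss account line (6 is PAM_PERM_DENIED in Linux-PAM; a real expiry would be 13, PAM_ACCT_EXPIRED) with sshd's "account has expired" text. The function name `triage` and the result field names are made up for this illustration.

```python
import re

# Linux-PAM return codes that can show up in the account phase (_pam_types.h).
PAM_CODES = {6: "PAM_PERM_DENIED", 10: "PAM_USER_UNKNOWN",
             12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED"}

# The three log lines from the message above, with wrapped lines rejoined.
SAMPLE = """\
May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.21.1 user=jimbob
May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied for user jimbob: 6 (Permission denied)
May 8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired for jimbob from 10.21.21.1
"""

AUTH_OK = re.compile(r"pam_sss\((\w+):auth\): authentication success;.*\buser=(\S+)")
ACCT_DENY = re.compile(r"pam_sss\((\w+):account\): Access denied for user (\S+): (\d+) \(")
SSHD_EXPIRED = re.compile(r"error: PAM: User account has expired for (\S+) from")

def triage(log_text):
    """Return one finding per user whose account phase was denied by pam_sss."""
    auth_ok, expired, denials, findings = set(), set(), {}, []
    for line in log_text.splitlines():
        if m := AUTH_OK.search(line):
            auth_ok.add(m.group(2))
        elif m := ACCT_DENY.search(line):
            denials[m.group(2)] = int(m.group(3))
        elif m := SSHD_EXPIRED.search(line):
            expired.add(m.group(1))
    for user, code in denials.items():
        name = PAM_CODES.get(code, f"PAM code {code}")
        # sshd logged "expired", yet pam_sss did not return PAM_ACCT_EXPIRED.
        misleading = user in expired and name != "PAM_ACCT_EXPIRED"
        findings.append({
            "user": user,
            "password_ok": user in auth_ok,  # auth phase passed for this user
            "pam_sss_result": name,
            "sshd_expired_text_misleading": misleading,
            "check": ("SSSD access control (e.g. ldap_access_filter), with debug_level raised"
                      if name == "PAM_PERM_DENIED" else "account attributes in the directory"),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```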