On Thu, May 09, 2013 at 10:58:52AM +0000, David Frost wrote:
> Hi,
>
> Thanks for the help. I increased the debug level and found that it was my
> ldap_access_filter that wasn't allowing the user to login. It just happened
> that the error in the log was saying the account had expired, when really it
> hadn't.
>

Does the login work now?

> Initially I too thought it may have been missing attributes, but turned out
> not to be the case.
>

I think this is bad error reporting on the sshd side; according to the
/var/log/secure snippet, SSSD returned PAM_PERM_DENIED as expected.

> Thanks again,
> Regards David.
>
> From: David Frost
> Sent: Wednesday, May 08, 2013 12:27 PM
> To: 'sssd-devel@lists.fedorahosted.org'
> Subject: SSSD with SSH and PAM Account Expired
>
> Hi, having configured SSSD on RHEL 6.4 to connect to our OpenLDAP server
> successfully, I can get a list of users and groups using the getent command
> but cannot ssh into the host or login via the console.
>
> The following error message is returned in /var/log/secure:
>
> May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.21.1 user=jimbob
> May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied for user jimbob: 6 (Permission denied)
> May 8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired for jimbob from 10.21.21.1
>
> These are my ldap details:
>
> # extended LDIF
> #
> # LDAPv3
> # base <uid=jimbob,ou=people,dc=XXX,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # jimbob, People, XXX.com
> dn: uid=jimbob,ou=People,dc=XXX,dc=com
> givenName: Jim
> sn: Bob
> uid: jimbob
> uidNumber: 1081
> homeDirectory: /home/jimbob
> loginShell: /bin/bash
> cn: Jim Bob
> gidNumber: 1398
> mail: jim....@xxx.com
> userPassword:: XXX
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: ldapPublicKey
> objectClass: shadowAccount
>
>
> If I comment out the following line in /etc/pam.d/password-auth then I can
> login via ssh but still not the console.
>
> #account [default=bad success=ok user_unknown=ignore] pam_sss.so
>
> Any help would be greatly appreciated.
>
> Thanks in advance, David.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
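A small triage script, added here as an example and not part of the thread or of SSSD itself, that reads the /var/log/secure lines quoted above and separates an account-phase PAM_PERM_DENIED following a successful auth phase (what a non-matching ldap_access_filter produces) from any other account-phase failure; the regexes and the verdict wording are my own assumptions about the log format.

```python
import re

# The three /var/log/secure lines quoted in the thread, used as sample input.
SAMPLE_LOG = """\
May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.21.1 user=jimbob
May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied for user jimbob: 6 (Permission denied)
May 8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired for jimbob from 10.21.21.1
"""

# Patterns are assumptions derived from the message formats shown above.
AUTH_OK = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): authentication success;.*\buser=(?P<user>\S+)")
ACCT_DENY = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:account\): Access denied for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]+)\)")
PAM_PERM_DENIED = 6  # Linux-PAM return code logged by pam_sss as "6 (Permission denied)"


def triage(log_text):
    """Map each user with a pam_sss account-phase denial to a triage verdict.

    The auth phase and the account phase are separate PAM stacks. When the same
    sshd PID logs a successful auth phase followed by an account-phase
    PAM_PERM_DENIED, the password was fine and the denial came from SSSD's
    access control (for example ldap_access_filter), even though sshd reports
    it as "User account has expired".
    """
    auth_ok = {}   # pid -> user whose auth phase succeeded
    verdicts = {}
    for line in log_text.splitlines():
        m = AUTH_OK.search(line)
        if m:
            auth_ok[m["pid"]] = m["user"]
            continue
        m = ACCT_DENY.search(line)
        if not m:
            continue
        if int(m["code"]) == PAM_PERM_DENIED and auth_ok.get(m["pid"]) == m["user"]:
            verdicts[m["user"]] = ("access-control denial after successful auth: "
                                   "check ldap_access_filter / access_provider")
        else:
            verdicts[m["user"]] = "account phase failed with %s (%s)" % (m["code"], m["text"])
    return verdicts


if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_LOG).items():
        print(user, "->", verdict)
```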