Hi Jakub,

Greatly appreciate you taking the time and providing help!

Answer to your questions:

1) Can you also include debugging from the pam responder?

Hmmm, yes - I want to, but having issues enabling the logging to: sssd_pam.log

Seems like I have everything going to:  sssd_LDAP.log

Obviously, I'm a unix newbie. If you can provide how to enable that would be greatly appreciated. Wasn't clear with syslog enabling?


2)I would suggest to not use enumerate=true unless some legacy application
needs that.
I've updated this to:   enumerate=false


3) Why do you have two domains defined with the same server but access
control defined only in the first one.

Hmmm, not sure here what 'defined only in the first one'? I'm sure it's a configuration setup issue on my part in not understanding.



4)The PAM config looks OK to me, although you might want to re-run
# authconfig --enablesssdauth --enablesssd --update
to make sure.
So... I entered "authconfig --enablesssdauth --enablesssd --update" on the cmd line but didn't see anything.


 5) Did you include 'sss' to /etc/nsswitch.conf?


#passwd:     files sss
#shadow:     files sss
#group:      files sss
passwd:     files sss
group:      files sss
sudoers:     files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus
initgroups: files sss
shadow:     files sss


What does /var/log/secure say when you attempt to authenticate?

Jul 28 14:54:10 ldap01 sshd[26892]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=54.215.207.210 user=test1234 Jul 28 14:54:10 ldap01 sshd[26892]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=54.215.207.210 user=test1234 Jul 28 14:54:10 ldap01 sshd[26892]: pam_sss(sshd:auth): received for user test1234: 6 (Permission denied) Jul 28 14:54:12 ldap01 sshd[26892]: Failed password for test1234 from 54.215.207.210 port 49171 ssh2
Jul 28 14:54:16 ldap01  sshd[26893]: Connection closed by 54.215.207.210


Thanks!


------ Original Message ------
From: "Jakub Hrozek" <[email protected]>
To: [email protected]
Sent: 7/28/2014 2:25:23 PM
Subject: Re: [SSSD] Trying to ssh with sssd/pam configuration

On Mon, Jul 28, 2014 at 05:32:40PM +0000, Sterling Sahaydak wrote:
 Running CentOS 6.5 sssd 1.9.2 in a test environment and trying to
 authenticate user: testjoe to ssh to server ldap01.something.net
running openldap on ldap01.something.net and trying to authenticate to it.


 [root@testmachine sssd]# cat sssd.conf
 [domain/default]
 ldap_id_use_start_tls = True
 cache_credentials = True
 ldap_search_base = dc=something,dc=net
 id_provider = ldap
 auth_provider = ldap
 chpass_provider = ldap
 ldap_uri = ldaps://ldap01.something.net
 ldap_tls_cacertdir = /etc/openldap/certs

 [sssd]
 config_file_version = 2
 services = nss, pam, sudo
 domains = default, LDAP

 [nss]
 filter_users = root
 filter_groups = root

 [pam]

Can you also inlude debugging from the pam responder?


 [sudo]

 [domain/LDAP]
 access_provider = ldap
 auth_provider = ldap
 chpass_provider = ldap
 id_provider = ldap
 sudo_provider = ldap
 debug_level = 7
 cache_credentials = true
 enumerate = true

I would suggest to not use enumerate=true unless some legacy application
needs that.


 ldap_access_filter = cn=allowedusers,ou=Groups,dc=something,dc=net
 ldap_search_base = dc=something,dc=net
 ldap_sudo_search_base = ou=sudoers,dc=something,dc=net
 ldap_tls_cacert = /etc/openldap/certs/cacert.pem
 ldap_tls_reqcert = allow
 ldap_uri = ldaps://ldap01.something.net

Why do you have two domains defined with the same server but access
control defined only in the first one.




 [root@testmachine pam.d]# cat password-auth

[...]

The PAM config looks OK to me, although you might want to re-run
    # authconfig --enablesssdauth --enablesssd --update
to make sure.

Did you include 'sss' to /etc/nsswitch.conf?

Are the LDAP users resolvable with getent passwd $username?

What does /var/log/secure say when you attempt to authenticate?





 (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [fo_resolve_service_send]
 (0x0100): Trying to resolve service 'LDAP'

[...]

This log doesn't contain an authentication attempt, only enumerating
users, groups, services and sudo rules.
_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to