Hey Jakub,

So I think I've provided you all the log files I could. The last version (first a connection with the reachable ldap, and then without) can be found at: http://pastebin.com/B3JnMr65

The other logs are empty:

# ls -lrt /var/log/sssd/
total 304
-rw------- 1 root root      0 Mar 17 19:16 sssd_pam.log
-rw------- 1 root root      0 Mar 17 19:16 sssd_nss.log
-rw------- 1 root root      0 Mar 17 19:16 sssd_autofs.log
-rw------- 1 root root      0 Mar 17 19:16 sssd.log
-rw------- 1 root root      0 Mar 17 19:16 ldap_child.log
-rw------- 1 root root 306912 Mar 17 19:17 sssd_default.log

However I found other logs:

Mar 17 19:22:26 cscetbon-vdi mysqld: pam_sss(serverdb:auth): authentication success; logname= uid=64259 euid=64259 tty= ruser= rhost= user=myuser    <==== ldap accessible
Mar 17 19:22:49 cscetbon-vdi mysqld: pam_sss(serverdb:auth): authentication success; logname= uid=64259 euid=64259 tty= ruser= rhost= user= myuser   <== no ldap
Mar 17 19:22:54 cscetbon-vdi mysqld: nss_ldap: could not search LDAP server - Server is unavailable
Mar 17 19:22:55 cscetbon-vdi unix_chkpwd: nss_ldap: could not connect to any LDAP server as uid=pamldap,ou=Auth,dc=fti,dc=net - Can't contact LDAP server
Mar 17 19:22:55 cscetbon-vdi unix_chkpwd: nss_ldap: failed to bind to LDAP server ldaps://ldap.multis/: Can't contact LDAP server
Mar 17 19:22:55 cscetbon-vdi unix_chkpwd: nss_ldap: could not search LDAP server - Server is unavailable
Mar 17 19:22:55 cscetbon-vdi unix_chkpwd[3173]: could not obtain user info (myuser)
Mar 17 19:25:01 cscetbon-vdi CRON[3652]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 17 19:25:01 cscetbon-vdi CRON[3652]: pam_unix(cron:session): session closed for user root

I'm wondering if another pam file is not included, even if I thought it's not, because of this unix_chkpwd issue.

> On Mar 17, 2016, at 13:13, Jakub Hrozek <[email protected]> wrote:
>
> On Wed, Mar 16, 2016 at 10:52:22PM -0400, Cyril Scetbon wrote:
>> Any other idea?
>> Here is the information I can provide you:
>>
>> # /etc/nsswitch.conf
>>
>> passwd:         compat sss ldap
>> group:          compat sss ldap
>> shadow:         compat ldap
>>
>> hosts:          files mdns4_minimal [NOTFOUND=return] dns
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis sss
>> sudoers:        files sss
>>
>> my pam file
>>
>> # here are the per-package modules (the "Primary" block)
>> auth    [success=1 default=ignore]    pam_sss.so
>> # here's the fallback if no module succeeds
>> auth    requisite    pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success code
>> # since the modules above will each just jump around
>> auth    required    pam_permit.so
>>
>> /etc/sssd/sssd.conf
>>
>> [domain/default]
>> debug_level=0xFFF0
>> autofs_provider = ldap
>> ldap_default_bind_dn = uid=myuid,ou=Auth,dc=mydc1,dc=mydc2
>> ldap_default_authtok_type = password
>> ldap_default_authtok = mysecret
>> ldap_schema = rfc2307bis
>> krb5_realm = #
>> ldap_search_base = dc=mydc1,dc=mydc2
>> id_provider = ldap
>> auth_provider = ldap
>> chpass_provider = ldap
>> ldap_uri = ldaps://myldap
>> ldap_id_use_start_tls = True
>> cache_credentials = True
>> ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
>> ldap_tls_reqcert=demand
>> [sssd]
>> services = nss, pam, autofs
>> config_file_version = 2
>>
>> domains = default
>> [pam]
>>
>> [nss]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>> As said earlier, I tried with those 2 commands to simulate the loss of the
>> ldap server:
>>
>> iptables -A OUTPUT -p tcp --dport 636 -j REJECT
>> iptables -A OUTPUT -p tcp --dport 636 -j DROP
>
> Is it possible to see full logs from all responders?
>
> By the way I suspect the reason Lukas asked about TLS vs LDAPs is
> https://fedorahosted.org/sssd/ticket/2878
>
> (I know this doesn't help your problem, but I use cached credentials on
> my laptop as the only authentication source, so I know they work OK..)
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/admin/lists/[email protected]
_______________________________________________ sssd-users mailing list [email protected] https://lists.fedorahosted.org/admin/lists/[email protected]
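As an added example (not code from the thread, and not part of SSSD itself): a small Python script that parses the syslog lines quoted above together with the posted nsswitch.conf, and separates what pam_sss reported from what nss_ldap reported. It assumes the syslog layout shown in the thread ("timestamp host program[pid]: message") and uses the quoted log lines and config as constructed samples. The reading it encodes, namely that pam_sss itself logged "authentication success" in both runs while the unix_chkpwd failures come from the nss_ldap "ldap" sources in nsswitch.conf (the shadow line lists no "sss" at all), is a hypothesis to check against the full responder logs, not a diagnosis the thread has confirmed.

```python
"""Correlate pam_sss results with nss_ldap failures during a simulated LDAP outage.

Added example, not from the sssd-users thread. Assumes the syslog format
visible in the thread; sample data below is constructed from the quoted lines.
"""
import re
from collections import Counter

# Constructed sample: the syslog lines quoted in the thread.
SAMPLE_SYSLOG = """\
Mar 17 19:22:26 cscetbon-vdi mysqld: pam_sss(serverdb:auth): authentication success; logname= uid=64259 euid=64259 tty= ruser= rhost= user=myuser
Mar 17 19:22:49 cscetbon-vdi mysqld: pam_sss(serverdb:auth): authentication success; logname= uid=64259 euid=64259 tty= ruser= rhost= user=myuser
Mar 17 19:22:54 cscetbon-vdi mysqld: nss_ldap: could not search LDAP server - Server is unavailable
Mar 17 19:22:55 cscetbon-vdi unix_chkpwd: nss_ldap: could not connect to any LDAP server as uid=pamldap,ou=Auth,dc=fti,dc=net - Can't contact LDAP server
Mar 17 19:22:55 cscetbon-vdi unix_chkpwd: nss_ldap: failed to bind to LDAP server ldaps://ldap.multis/: Can't contact LDAP server
Mar 17 19:22:55 cscetbon-vdi unix_chkpwd: nss_ldap: could not search LDAP server - Server is unavailable
Mar 17 19:22:55 cscetbon-vdi unix_chkpwd[3173]: could not obtain user info (myuser)
Mar 17 19:25:01 cscetbon-vdi CRON[3652]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Constructed sample: the nsswitch.conf posted in the thread.
SAMPLE_NSSWITCH = """\
passwd:         compat sss ldap
group:          compat sss ldap
shadow:         compat ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns
netgroup:       nis sss
sudoers:        files sss
"""

# "Mon DD HH:MM:SS host program[pid]: message" as seen in the quoted lines.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
PAM_RE = re.compile(r"(pam_\w+)\(([^)]*)\): (.*)")

# NSS databases that PAM authentication and unix_chkpwd depend on.
AUTH_DATABASES = ("passwd", "group", "shadow")


def classify(msg):
    """Map one syslog message to (component, outcome)."""
    m = PAM_RE.match(msg)
    if m:
        module, _service, rest = m.groups()
        if "authentication success" in rest:
            return module, "success"
        if "authentication failure" in rest:
            return module, "failure"
        return module, "info"
    if msg.startswith("nss_ldap:"):
        return "nss_ldap", "failure"          # every nss_ldap line here is an error
    if "could not obtain user info" in msg:
        return "unix_chkpwd", "failure"       # NSS lookup of the user failed
    return "other", "info"


def summarize(log_text):
    """Count (program, component, outcome) triples over the log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        component, outcome = classify(m.group("msg"))
        counts[(m.group("prog"), component, outcome)] += 1
    return counts


def parse_nsswitch(text):
    """Return {database: [source, ...]}, dropping [STATUS=action] tokens and comments."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = [t for t in sources.split() if not t.startswith("[")]
    return databases


def offline_auth_findings(text):
    """Flag auth-related databases that bypass the SSSD cache or still call nss_ldap."""
    findings = {}
    for db, sources in parse_nsswitch(text).items():
        if db not in AUTH_DATABASES:
            continue
        issues = []
        if "sss" not in sources:
            issues.append("no 'sss' source: the SSSD cache is never consulted")
        if "ldap" in sources:
            issues.append("'ldap' (nss_ldap) source: lookups fail while the LDAP server is unreachable")
        if issues:
            findings[db] = issues
    return findings


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_SYSLOG).items()):
        print(f"{n:3d}  {key}")
    for db, issues in offline_auth_findings(SAMPLE_NSSWITCH).items():
        print(db, "->", "; ".join(issues))
```

Run against the quoted lines, the summary shows pam_sss reporting success twice (with and without the LDAP server) and all failures attributed to nss_ldap and to the unix_chkpwd user lookup, while the nsswitch check singles out the shadow database as the only auth-related one with no "sss" source; both observations point the next log review at the NSS side rather than at pam_sss.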
