On Wed, Mar 16, 2016 at 10:52:22PM -0400, Cyril Scetbon wrote:
> Any other idea? Here is the information I can provide you:
>
> # /etc/nsswitch.conf
>
> passwd: compat sss ldap
> group: compat sss ldap
> shadow: compat ldap
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis sss
> sudoers: files sss
>
> my pam file
>
> # here are the per-package modules (the "Primary" block)
> auth [success=1 default=ignore] pam_sss.so
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth required pam_permit.so
>
> /etc/sssd/sssd.conf
>
> [domain/default]
> debug_level=0xFFF0
> autofs_provider = ldap
> ldap_default_bind_dn = uid=myuid,ou=Auth,dc=mydc1,dc=mydc2
> ldap_default_authtok_type = password
> ldap_default_authtok = mysecret
> ldap_schema = rfc2307bis
> krb5_realm = #
> ldap_search_base = dc=mydc1,dc=mydc2
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldaps://myldap
> ldap_id_use_start_tls = True
> cache_credentials = True
> ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
> ldap_tls_reqcert=demand
> [sssd]
> services = nss, pam, autofs
> config_file_version = 2
>
> domains = default
> [pam]
>
> [nss]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> As said earlier, I tried with those 2 commands to simulate the loss of the
> ldap server:
>
> iptables -A OUTPUT -p tcp --dport 636 -j REJECT
> iptables -A OUTPUT -p tcp --dport 636 -j DROP
Is it possible to see full logs from all responders?

By the way I suspect the reason Lukas asked about TLS vs LDAPs is https://fedorahosted.org/sssd/ticket/2878

(I know this doesn't help your problem, but I use cached credentials on my laptop as the only authentication source, so I know they work OK..)

sssd-users mailing list
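An added example, not code from the thread or from the SSSD project: a small audit of an sssd.conf like the one quoted above, checking the settings that decide whether cached (offline) login can work at all and how the LDAP bind secret and TLS mode are handled. The sample config is a constructed, trimmed copy of the quoted one with placeholder bind DN and secret; the check names and thresholds are this example's own choices. Note that the offline cache is only populated by a successful online login, so a user who never logged in while the server was reachable has nothing to fall back on.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample, trimmed from the sssd.conf quoted in the thread;
# the bind DN and secret are placeholders, not real credentials.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[domain/default]
ldap_default_bind_dn = uid=myuid,ou=Auth,dc=mydc1,dc=mydc2
ldap_default_authtok_type = password
ldap_default_authtok = mysecret
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://myldap
ldap_id_use_start_tls = True
cache_credentials = True
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert=demand

[pam]
"""

def _truthy(value):
    return value.strip().lower() in ("true", "yes", "1")

def audit_sssd_conf(text):
    """Return (section, finding) tuples for settings that affect offline
    login, bind-secret exposure and transport security."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    if "pam" not in services:
        findings.append(("sssd", "pam responder not enabled; pam_sss cannot authenticate"))
    for section in (s for s in cfg.sections() if s.startswith("domain/")):
        dom = cfg[section]
        if not _truthy(dom.get("cache_credentials", "false")):
            findings.append((section, "cache_credentials is not True; no offline login possible"))
        if dom.get("ldap_default_authtok") and dom.get("ldap_default_authtok_type", "password") == "password":
            findings.append((section, "plaintext bind secret in config; file must be root-only (0600)"))
        scheme = urlsplit(dom.get("ldap_uri", "").split(",")[0].strip()).scheme
        start_tls = _truthy(dom.get("ldap_id_use_start_tls", "false"))
        if scheme == "ldaps" and start_tls:
            findings.append((section, "ldaps:// combined with ldap_id_use_start_tls; pick one TLS mode"))
        if scheme == "ldap" and not start_tls:
            findings.append((section, "ldap:// without START_TLS; directory traffic is unencrypted"))
        if dom.get("ldap_tls_reqcert", "hard").strip().lower() not in ("demand", "hard"):
            findings.append((section, "ldap_tls_reqcert does not verify the server certificate"))
    return findings
```

Run against the sample it reports the plaintext bind secret and the redundant TLS settings; the iptables REJECT/DROP test from the thread then only makes sense once this returns no cache_credentials finding.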
