I have two Debian systems, and using pam_sss_gss.so for sudo works fine on one of them, but not the other.
Both have SSSD 2.4.1 installed and are joined to FreeIPA domains. On the system where it works, the user is defined in the FreeIPA domain. On the system where it doesn't work, my user is an AD trust user.

Here's what I get from sssd_pam.log:

(2021-04-01 10:54:52): [pam] [server_common_rotate_logs] (0x0010): Debug level changed to 0x07f0
(2021-04-01 10:54:52): [pam] [sbus_issue_request_done] (0x0400): sssd.service.rotateLogs: Success
(2021-04-01 10:55:00): [pam] [accept_fd_handler] (0x0400): Client [0x55b162023b40][19] connected to privileged pipe!
(2021-04-01 10:55:00): [pam] [sss_cmd_get_version] (0x0200): Received client version [3].
(2021-04-01 10:55:00): [pam] [sss_cmd_get_version] (0x0200): Offered version [3].
(2021-04-01 10:55:00): [pam] [cache_req_send] (0x0400): CR #6: New request 'User by name'
(2021-04-01 10:55:00): [pam] [cache_req_process_input] (0x0400): CR #6: Parsing input name [[email protected]]
(2021-04-01 10:55:00): [pam] [sss_parse_name_for_domains] (0x0200): name '[email protected]' matched expression for domain 'example.net', user is sam.morris
(2021-04-01 10:55:00): [pam] [cache_req_set_name] (0x0400): CR #6: Setting name [sam.morris]
(2021-04-01 10:55:00): [pam] [cache_req_select_domains] (0x0400): CR #6: Performing a single domain search
(2021-04-01 10:55:00): [pam] [cache_req_search_domains] (0x0400): CR #6: Search will check the cache and check the data provider
(2021-04-01 10:55:00): [pam] [cache_req_set_domain] (0x0400): CR #6: Using domain [example.net]
(2021-04-01 10:55:00): [pam] [cache_req_prepare_domain_data] (0x0400): CR #6: Preparing input data for domain [example.net] rules
(2021-04-01 10:55:00): [pam] [cache_req_search_send] (0x0400): CR #6: Looking up [email protected]
(2021-04-01 10:55:00): [pam] [cache_req_search_ncache] (0x0400): CR #6: Checking negative cache for [[email protected]]
(2021-04-01 10:55:00): [pam] [cache_req_search_ncache] (0x0400): CR #6: [[email protected]] is not present in negative cache
(2021-04-01 10:55:00): [pam] [cache_req_search_cache] (0x0400): CR #6: Looking up [[email protected]] in cache
(2021-04-01 10:55:00): [pam] [cache_req_search_send] (0x0400): CR #6: Returning [[email protected]] from cache
(2021-04-01 10:55:00): [pam] [cache_req_search_ncache_filter] (0x0400): CR #6: This request type does not support filtering result by negative cache
(2021-04-01 10:55:00): [pam] [cache_req_create_and_add_result] (0x0400): CR #6: Found 1 entries in domain example.net
(2021-04-01 10:55:00): [pam] [cache_req_done] (0x0400): CR #6: Finished: Success
(2021-04-01 10:55:00): [pam] [pam_cmd_gssapi_init_done] (0x0400): Trying GSSAPI auth: User[[email protected]], Domain[example.net], UPN[[email protected]], Target[[email protected]]
(2021-04-01 10:55:00): [pam] [pam_cmd_gssapi_init_done] (0x0400): Returning [0]: Success
(2021-04-01 10:55:00): [pam] [client_recv] (0x0400): Invalid data from client, closing connection!
(2021-04-01 10:55:00): [pam] [accept_fd_handler] (0x0400): Client [0x55b162039780][19] connected to privileged pipe!
(2021-04-01 10:55:00): [pam] [sss_cmd_get_version] (0x0200): Received client version [3].
(2021-04-01 10:55:00): [pam] [sss_cmd_get_version] (0x0200): Offered version [3].
(2021-04-01 10:55:00): [pam] [client_recv] (0x0400): Invalid data from client, closing connection!

There's nothing particularly special about the PAM & SSSD setup; /etc/pam.d/sudo starts with "auth sufficient pam_sss_gss.so", and sssd.conf in the [pam] section has "pam_gssapi_services = sudo".

I can use strace to see exactly what data is being received by sssd_pam from pam_sss_gss.so, but I don't know what sensitive data might be within, so I don't want to post it here. I can provide it privately if it would help.
-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
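The log above reads as two client connections to the sssd_pam privileged pipe: in the first, the user lookup succeeds, pam_cmd_gssapi_init_done reports the GSSAPI target and returns success, and then client_recv rejects the client's next message; in the second, the connection is rejected before any GSSAPI activity. When comparing a working and a broken host, it helps to reduce a long sssd_pam.log to exactly that per-connection summary. The following script is an added example, not part of the post above or of SSSD itself: it assumes the log line layout visible in the post ("(timestamp): [pam] [function] (0xlevel): message") and treats each "connected to privileged pipe" message from accept_fd_handler as the start of a new client session. The embedded sample log is constructed from the post, with the redacted principals replaced by made-up ones.

```python
"""Triage helper for pam_sss_gss.so exchanges recorded in sssd_pam.log.

Added example; not from the mailing-list post or from SSSD.
Assumed log layout (as seen in the post):
    (YYYY-MM-DD HH:MM:SS): [pam] [function] (0xLEVEL): message
Assumed session boundary: accept_fd_handler "... connected to privileged pipe!"
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<comp>[^\]]+)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Fields printed by pam_cmd_gssapi_init_done when it starts a GSSAPI attempt.
GSS_RE = re.compile(
    r"Trying GSSAPI auth: User\[(?P<user>[^\]]*)\], Domain\[(?P<domain>[^\]]*)\], "
    r"UPN\[(?P<upn>[^\]]*)\], Target\[(?P<target>[^\]]*)\]"
)

# Constructed sample: trimmed from the post, principals replaced with made-up ones.
SAMPLE_LOG = """\
(2021-04-01 10:54:52): [pam] [sbus_issue_request_done] (0x0400): sssd.service.rotateLogs: Success
(2021-04-01 10:55:00): [pam] [accept_fd_handler] (0x0400): Client [0x55b162023b40][19] connected to privileged pipe!
(2021-04-01 10:55:00): [pam] [sss_cmd_get_version] (0x0200): Received client version [3].
(2021-04-01 10:55:00): [pam] [cache_req_search_send] (0x0400): CR #6: Returning [sam.morris@example.net] from cache
(2021-04-01 10:55:00): [pam] [pam_cmd_gssapi_init_done] (0x0400): Trying GSSAPI auth: User[sam.morris@example.net], Domain[example.net], UPN[sam.morris@EXAMPLE.NET], Target[host/client.example.net@EXAMPLE.NET]
(2021-04-01 10:55:00): [pam] [pam_cmd_gssapi_init_done] (0x0400): Returning [0]: Success
(2021-04-01 10:55:00): [pam] [client_recv] (0x0400): Invalid data from client, closing connection!
(2021-04-01 10:55:00): [pam] [accept_fd_handler] (0x0400): Client [0x55b162039780][19] connected to privileged pipe!
(2021-04-01 10:55:00): [pam] [sss_cmd_get_version] (0x0200): Received client version [3].
(2021-04-01 10:55:00): [pam] [client_recv] (0x0400): Invalid data from client, closing connection!
"""


@dataclass
class Session:
    client: str                  # "[0xaddr][fd]" as printed by accept_fd_handler
    started: str                 # timestamp of the accept
    gssapi: dict = field(default_factory=dict)  # parsed "Trying GSSAPI auth" fields
    invalid_data: bool = False   # client_recv rejected a message and closed the pipe
    cache_hits: int = 0          # user lookups answered from the SSSD cache


def parse_line(line):
    """Return the fields of one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def split_sessions(lines):
    """Group records into per-client sessions and summarise each one."""
    sessions, cur = [], None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"]
        if func == "accept_fd_handler" and "connected to privileged pipe" in msg:
            client = msg.split(" connected")[0].replace("Client ", "")
            cur = Session(client=client, started=rec["ts"])
            sessions.append(cur)
        elif cur is None:
            continue  # records before the first accept belong to no session
        elif func == "pam_cmd_gssapi_init_done":
            g = GSS_RE.search(msg)
            if g:
                cur.gssapi = g.groupdict()
        elif func == "client_recv" and "Invalid data from client" in msg:
            cur.invalid_data = True
        elif func == "cache_req_search_send" and "from cache" in msg:
            cur.cache_hits += 1
    return sessions


def diagnose(lines):
    """One verdict per session: how far the GSSAPI exchange got before it stopped."""
    verdicts = []
    for s in split_sessions(lines):
        if s.gssapi and s.invalid_data:
            verdicts.append((s.client, "gssapi_init_ok_then_invalid_reply"))
        elif s.invalid_data:
            verdicts.append((s.client, "invalid_before_gssapi_init"))
        elif s.gssapi:
            verdicts.append((s.client, "gssapi_init_ok"))
        else:
            verdicts.append((s.client, "no_gssapi_activity"))
    return verdicts


if __name__ == "__main__":
    for client, verdict in diagnose(SAMPLE_LOG.splitlines()):
        print(client, verdict)
```

Run it against the real file with `diagnose(open("/var/log/sssd/sssd_pam.log").read().splitlines())`; a session classified as "gssapi_init_ok_then_invalid_reply" on the broken host and "gssapi_init_ok" on the working host narrows the problem to the message pam_sss_gss.so sends after sssd_pam has announced the target principal, without having to share the strace capture.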
