Dear list,

I am using SSSD 2.6.2 on CentOS Stream 8 to authenticate against a 389 directory server over LDAP. Both `getent` and `id` are working, as is key-based SSH. Anything requiring a password doesn't work: like ssh and sudo. The 389 directory server is running on CentOS 7 and other CentOS 7 clients can authenticate and sudo just fine (they were set up with authconfig).

Here is an excerpt from /var/log/secure while trying to SSH with a password and sudo after logging in with an SSH key:

May 19 14:49:16 server05 sshd[79520]: Connection from x.x.x.x port 58272 on x.x.x.x port 22
May 19 14:49:19 server05 sshd[79520]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=myuser
May 19 14:49:21 server05 sshd[79520]: Failed password for myuser from x.x.x.x port 58272 ssh2
May 19 14:53:00 server05 sudo[122435]: pam_unix(sudo:auth): authentication failure; logname=myuser uid=751 euid=0 tty=/dev/pts/4 ruser=myuser rhost= user=myuser
May 19 14:53:05 server05 sudo[122435]: pam_unix(sudo:auth): conversation failed
May 19 14:53:05 server05 sudo[122435]: pam_unix(sudo:auth): auth could not identify password for [myuser]
May 19 14:53:07 server05 sudo[122435]: myuser : 1 incorrect password attempt ; TTY=pts/4 ; PWD=/home/myuser ; USER=root ; COMMAND=/bin/su -

I have followed the SSSD troubleshooting guide¹ and it seems there is something wrong with pam_sss, but I can't figure it out. I used `authselect select sssd` to configure PAM and have not modified any settings. The configuration seems to be valid:

# authselect check
Current configuration is valid.

And here is the auth part of the PAM system-auth stack:

# grep '^auth' /etc/pam.d/system-auth
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

Enabling `debug_level = 6` for sssd, domain/default, nss, and pam has not helped me find anything out of place. Does anyone have an idea of what to look for in the logs, or what else I can try?

Thank you,

¹ https://sssd.io/troubleshooting/basics.html

--
Alan Orth
[email protected]
https://picturingjordan.com
https://englishbulgaria.net
https://mjanja.ch
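
Added example, not part of the original message and not SSSD or authselect code: a simplified Python model of the control handling documented in pam.conf(5), run over the auth lines quoted above, to show which modules that stack reaches for a given set of module results. The outcome labels ('success', 'ignore', 'fail'), the function names and the sample outcomes are assumptions of this sketch; only the controls and actions this stack uses are modelled.

```python
import re
# The auth lines exactly as quoted in the message above.
STACK = """\
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

# Keyword controls in [value=action] form (pam.conf(5)), reduced to three outcomes.
KEYWORDS = {
    "required": {"success": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
}

def parse(text):
    """Return [(module, {outcome: action})] for each auth line."""
    rules = []
    for m in re.finditer(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", text, re.M):
        ctl, module = m.groups()
        if ctl.startswith("["):
            rules.append((module, dict(p.split("=") for p in ctl[1:-1].split())))
        else:
            rules.append((module, KEYWORDS[ctl]))
    return rules

def walk(rules, outcomes):
    """outcomes: module -> 'success'|'ignore'|'fail' (constructed). Returns (called, granted)."""
    outcomes = {"pam_deny.so": "fail", **outcomes}  # pam_deny always fails
    called, failed, granted, i = [], False, False, 0
    while i < len(rules):
        module, actions = rules[i]
        ret = outcomes.get(module, "success")
        action = actions.get(ret, actions["default"])
        called.append(module)
        i += 1
        if action.isdigit():
            i += int(action)            # jump: skip the next N modules
        elif action == "bad":
            failed = True               # a required module failed; keep walking
        elif action in ("ok", "done") and not failed:
            granted = granted or ret == "success"
            if action == "done":
                break                   # sufficient success ends the stack
    return called, granted and not failed
```

In this model pam_unix.so is reached only when pam_localuser.so succeeds or pam_usertype.so fails, and pam_sss.so is reached only when pam_usertype.so succeeds.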
