Am Wed, Dec 07, 2022 at 02:10:23AM -0600 schrieb Jarett DeAngelis: > Hi Sumit, > > Thank you! You made me realize I never updated PAM using authconfig. `sudo > authconfig --enablesssdauth --enablesssd --updateall --enablemkhomedir` took > care of it. > > Do you have any insights as to what is going on with the newer (Ubuntu 22.04) > machine's attempts to authenticate? SSSD logs are pretty clear that there is > an "unknown error" with TLS communication despite the OpenLDAP server > appearing to communicate normally -- OpenSSL 3.0 freezes, basically, while > trying to connect, as seen here: > > (2022-12-07 7:17:24): [be[default]] [check_if_online_delayed] (0x2000): > [RID#1010] Trying to go back online! > (2022-12-07 7:17:24): [be[default]] [fo_reset_services] (0x1000): [RID#1010] > Resetting all servers in all services > (2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): > [RID#1010] Marking server '10.8.8.60' as 'name not resolved' > (2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0100): > [RID#1010] Marking port 636 of server '10.8.8.60' as 'neutral' > (2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0400): > [RID#1010] Marking port 636 of duplicate server '10.8.8.60' as 'neutral' > (2022-12-07 7:17:24): [be[default]] [dp_attach_req] (0x0400): [RID#1011] DP > Request [Online Check #1011]: REQ_TRACE: New request. Flags [0000]. > (2022-12-07 7:17:24): [be[default]] [dp_attach_req] (0x0400): [RID#1011] > Number of active DP request: 1 > (2022-12-07 7:17:24): [be[default]] [fo_resolve_service_send] (0x0100): > [RID#1011] Trying to resolve service 'LDAP' > (2022-12-07 7:17:24): [be[default]] [get_server_status] (0x1000): [RID#1011] > Status of server '10.8.8.60' is 'name not resolved' > (2022-12-07 7:17:24): [be[default]] [get_port_status] (0x1000): [RID#1011] > Port status of port 636 for server '10.8.8.60' is 'neutral' > (2022-12-07 7:17:24): [be[default]] [fo_resolve_service_activate_timeout] > (0x2000): [RID#1011] Resolve timeout [dns_resolver_timeout] set to 6 seconds > (2022-12-07 7:17:24): [be[default]] [get_server_status] (0x1000): [RID#1011] > Status of server '10.8.8.60' is 'name not resolved' > (2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): > [RID#1011] Marking server '10.8.8.60' as 'resolving name' > (2022-12-07 7:17:24): [be[default]] [check_if_online_delayed] (0x2000): > [RID#1010] Check online req created. > (2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): > [RID#1011] Marking server '10.8.8.60' as 'name resolved' > (2022-12-07 7:17:24): [be[default]] [be_resolve_server_process] (0x1000): > [RID#1011] Saving the first resolved server > (2022-12-07 7:17:24): [be[default]] [be_resolve_server_process] (0x0200): > [RID#1011] Found address for server 10.8.8.60: [10.8.8.60] TTL 7200 > (2022-12-07 7:17:24): [be[default]] [sdap_uri_callback] (0x0400): [RID#1011] > Constructed uri 'ldaps://10.8.8.60:636' > (2022-12-07 7:17:24): [be[default]] [sssd_async_socket_init_send] (0x4000): > [RID#1011] Using file descriptor [21] for the connection. > (2022-12-07 7:17:24): [be[default]] [sssd_async_socket_init_send] (0x0400): > [RID#1011] Setting 60 seconds timeout [ldap_network_timeout] for connecting > (2022-12-07 7:17:24): [be[default]] [sss_ldap_init_sys_connect_done] > (0x0020): [RID#1011] ldap_install_tls failed: [Connect error] [unknown error] > (2022-12-07 7:17:24): [be[default]] [sss_ldap_init_state_destructor] > (0x0400): [RID#1011] calling ldap_unbind_ext for ldap:[0x560819ad2470] sd:[21] > (2022-12-07 7:17:24): [be[default]] [sss_ldap_init_state_destructor] > (0x0400): [RID#1011] closing socket [21] > (2022-12-07 7:17:24): [be[default]] [sdap_sys_connect_done] (0x0020): > [RID#1011] sdap_async_connect_call request failed: [5]: Input/output error. > (2022-12-07 7:17:24): [be[default]] [sdap_handle_release] (0x2000): > [RID#1011] Trace: sh[0x560819af04f0], connected[0], ops[(nil)], ldap[(nil)], > destructor_lock[0], release_memory[0] > (2022-12-07 7:17:24): [be[default]] [_be_fo_set_port_status] (0x8000): > [RID#1011] Setting status: PORT_NOT_WORKING. Called from: > ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_done: 1633 > (2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0100): > [RID#1011] Marking port 636 of server '10.8.8.60' as 'not working' > > If you look at it with `openssl s_client`, it freezes right here:
Hi, I think your 'openssl s_client' output looks ok. I would assume that you are not only using a newer version of OpenSSL but a newer version of OpenLDAP as well which might be more picky when it comes to TLS and certificates. First I would suggest to not use the IP address of the LDAP server in sssd.conf but the fully qualified name ldapserver00.clab.lab, the one from the CN of your certificate. If this does not help, please add 'ldap_library_debug_level = -1' to the [domain/...] section of sssd.conf to get the full OpenLDAP debug output which might help to better understand what is missing. Additionally you can check if the new option TLS_REQSAN is set in ldap.conf on the client to 'demand' or 'hard' which would make the client require a SAN (subject alternative name) in the certificate which yours does not have. HTH bye, Sumit > > root@ldapclient:/home/sysop# openssl s_client -connect 10.8.8.60:636 > CONNECTED(00000003) > Can't use SSL_get_servername > depth=1 CN = CompanyInternal > verify return:1 > depth=0 O = CompanyInternal, CN = ldapserver00.clab.lab > verify return:1 > --- > Certificate chain > 0 s:O = CompanyInternal, CN = ldapserver00.clab.lab > i:CN = CompanyInternal > a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384 > v:NotBefore: Nov 1 22:06:32 2022 GMT; NotAfter: Oct 29 22:06:32 2032 GMT > 1 s:CN = CompanyInternal > i:CN = CompanyInternal > a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384 > v:NotBefore: Nov 1 22:04:14 2022 GMT; NotAfter: Oct 29 22:04:14 2032 GMT > --- > Server certificate > -----BEGIN CERTIFICATE----- > MIIERzCCAi+gAwIBAgIUN7zSoFEoRKwSie9d3DoobHH60x4wDQYJKoZIhvcNAQEM > BQAwEjEQMA4GA1UEAxMHQmlvVGVhbTAeFw0yMjExMDEyMjA2MzJaFw0zMjEwMjky > MjA2MzJaMDIxEDAOBgNVBAoTB0Jpb1RlYW0xHjAcBgNVBAMTFWxkYXBzZXJ2ZXIw > MC5jbGFiLmxhYjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKBtDPgT > e8wr/sxg+oUiMDvyuROnxEMDvF8LRwhQianBxqQuwuZulvVLXBgWyVRyNjInUDXU > q1Hbf2JVXVkMufO/VjRIlF4lRPC/sgu1srxUdRvddBEO9t8inAMlJ0dvGOaZBwS7 > fKK3+YeIRSleRbXS6ta2shvwxrDTWhiEPL4dgdeD+7J9ll4cbbuHW0YZJvlRJ9xD > VHy70qcZn6ZyDXQt83Mbf78RLioK78S0dKW6eOACKHHSexIGcP8bZOX43XTZJHME > Y7jFSBaMVF+pa0eRj6pTA6U2sFg4puWC1Xkt++1Wpnq9YdB9CqOII3UvdlPVoOHH > oGQ6CmDmIR908kUCAwEAAaN1MHMwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggr > BgEFBQcDATAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0OBBYEFHKk9dZu3nxATWKqJlXK > 0ekuoRfkMB8GA1UdIwQYMBaAFCTD8jhauoaHVQBgCHanPoW83kRxMA0GCSqGSIb3 > DQEBDAUAA4ICAQCUA72TzDR5evZpTbZAoxZ4O3Xr+gKphB7HHQ4BNZ+zW/AV/rEW > DLTnm3XQ+KPp/1jb1uSsKGqLqQ462rzzYQ5SU98/GxZM8xRxWyTq+wjLFcaUZ93V > HVSm38Y77aK+uhw2qpiMeiKzW/M4UwUYQM4trKMSzBiQz46UPKkzihL5JR/TCcKj > LrT+OhYcbIDfdnf0+jvB75eiWiQXrsX1B0VRVnFR4FqJSH8kD71OLWno9UlTpmWB > xkDrWTW5xJAb+lJT12PRRg8cMRg/GtQSIo8PAPdrm/D6aBQsRtGm8KvIleBgo5FR > htlMVzNyfq35ck8WhjyMQBwegJEbMBDSpYootdNrs5sOtv+CA6qDH6CsatYKr/ke > bu3s167q0x/RAAROcdA6+7eMyrrVyZjv4tqPzfYdLvOg6o7m3kBy1BL56flbd+je > wX4RJvNoQKGrZxKRsfKgS7cJCo3QEoV/RbOzTof3QZ4G+lLE15lI9v9Ad6aaX+Gt > oLHAqxIE1Wld/fmBTBgLL9K5NFfvfINczNLJw/+X3f6e6IjQgT743oJZ4BaNyGn6 > 3YT5EgDAz5hgM4BhOMovUBVgcFsUdZkH3dHrX9OrdgmP737IXlp7tuo8/J0DMPgr > e2I0qGBqCu03PBYl8G4iwF/7UKFy6cyB1srefQPoVQ0//iPQIB5p6LOhUQ== > -----END CERTIFICATE----- > subject=O = CompanyInternal, CN = ldapserver00.clab.lab > issuer=CN = CompanyInternal > --- > No client certificate CA names sent > Peer signing digest: SHA256 > Peer signature type: RSA-PSS > Server Temp Key: X25519, 253 bits > --- > SSL handshake has read 2932 bytes and written 373 bytes > Verification: OK > --- > New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 > Server public key is 2048 bit > Secure Renegotiation IS NOT supported > Compression: NONE > Expansion: NONE > No ALPN negotiated > Early data was not sent > Verify return code: 0 (ok) > --- > --- > Post-Handshake New Session Ticket arrived: > SSL-Session: > Protocol : TLSv1.3 > Cipher : TLS_AES_256_GCM_SHA384 > Session-ID: > 21BBA066E20DCEE0C99DA1EF0EA17A9F474DCB10993529D776A053A32EEDB728 > Session-ID-ctx: > Resumption PSK: > 6AC936C1645C80A5DDE93B179632FE59A4AEB15D3E3876B4385C01F769087C6D409E818BE582E550B3261CEED468423B > PSK identity: None > PSK identity hint: None > SRP username: None > TLS session ticket lifetime hint: 7200 (seconds) > TLS session ticket: > 0000 - 60 81 05 60 76 ea 36 36-e4 97 99 63 43 38 8a 2b `..`v.66...cC8.+ > 0010 - 24 95 56 e5 af 76 a6 d2-60 82 fa d4 72 91 53 b5 $.V..v..`...r.S. > 0020 - 4e fc 0d 13 b8 52 97 2a-40 13 83 7d cf 3f 51 aa N....R.*@..}.?Q. > 0030 - 96 f5 76 ca 14 c1 e7 e4-1d b7 39 53 d9 ee 19 89 ..v.......9S.... > 0040 - fd eb e0 d9 9f 8d 33 3b-97 cd 1d 0d 8c a4 f4 f4 ......3;........ > 0050 - 6f ab c2 49 59 b4 1c 67-78 b9 4c 93 03 2d 5c ff o..IY..gx.L..-\. > 0060 - a9 19 c8 36 a8 23 1b 3c-45 5e 6e 69 f7 8c c4 bb ...6.#.<E^ni.... > 0070 - d9 d2 a9 86 92 f0 98 94-68 aa eb f2 18 ab ef 59 ........h......Y > 0080 - 55 96 43 ad 64 06 26 93-c1 41 8c 2b ce db bb fa U.C.d.&..A.+.... > 0090 - 9d 9f b3 71 fe cc ec d1-f5 e0 02 a8 70 b9 10 3c ...q........p..< > 00a0 - 42 32 60 d4 ac 94 ce 76-89 3a 0e 6c 95 43 22 e4 B2`....v.:.l.C". > 00b0 - 89 a4 11 a9 24 a3 9a b4-3e 85 ee bb 1f 07 2f e0 ....$...>...../. > 00c0 - bf 45 a2 2e 78 a4 51 9f-34 0e e4 87 a8 b4 c3 2a .E..x.Q.4......* > > Start Time: 1670399902 > Timeout : 7200 (sec) > Verify return code: 0 (ok) > Extended master secret: no > Max Early Data: 0 > --- > read R BLOCK > --- > Post-Handshake New Session Ticket arrived: > SSL-Session: > Protocol : TLSv1.3 > Cipher : TLS_AES_256_GCM_SHA384 > Session-ID: > BBCD67A75D02D4E8A29FC1BC72AF66A58F589AABA8DCF321B809AEDC2F1100EE > Session-ID-ctx: > Resumption PSK: > 2B9BBE1D73BEA62DBB0CDAFE6D25B09FB69F9D53DB02645AA889674CA7D28FF66C8D025F5ECE2015EE228AB9C1A178E9 > PSK identity: None > PSK identity hint: None > SRP username: None > TLS session ticket lifetime hint: 7200 (seconds) > TLS session ticket: > 0000 - 60 81 05 60 76 ea 36 36-e4 97 99 63 43 38 8a 2b `..`v.66...cC8.+ > 0010 - 82 ee b5 24 8c 46 a1 ce-81 14 07 fa 50 57 67 78 ...$.F......PWgx > 0020 - da 6a b0 d8 df 43 d8 fd-74 67 13 61 37 36 e5 ab .j...C..tg.a76.. > 0030 - cd 3d 32 95 95 55 a0 47-f1 d8 4a 7c 27 aa 64 7d .=2..U.G..J|'.d} > 0040 - 26 0d 60 8e 29 9c a9 40-6d 6f 59 c1 ab 6a e3 d4 &.`.)[email protected].. > 0050 - cb cb 96 05 51 46 48 f8-6b 67 53 10 47 30 36 24 ....QFH.kgS.G06$ > 0060 - f4 ea 62 f7 ac dc 64 b9-10 4e 62 17 75 3a 55 c9 ..b...d..Nb.u:U. > 0070 - 73 98 41 c6 68 6e ee b9-62 e5 19 71 a1 df 05 62 s.A.hn..b..q...b > 0080 - 7d 1a 30 dc 46 77 b3 c6-5b b6 fa 4f 2f 34 31 fa }.0.Fw..[..O/41. > 0090 - bf 1e 9e 26 b8 ff 95 d3-69 7b de c3 91 34 06 6a ...&....i{...4.j > 00a0 - 9e 2c ee 36 08 9f db 1f-28 44 ef 21 07 74 a8 9b .,.6....(D.!.t.. > 00b0 - bd 55 f6 8b cb 11 bb 5f-7f 71 ba eb 15 1e 1e 70 .U....._.q.....p > 00c0 - 36 3e 9d ce 42 2c 60 6d-d0 7f de 60 4a a9 80 da 6>..B,`m...`J... > > Start Time: 1670399902 > Timeout : 7200 (sec) > Verify return code: 0 (ok) > Extended master secret: no > Max Early Data: 0 > --- > read R BLOCK > > ^-- it stops there. I understand hanging and waiting for further > communication is normal behavior , but I don't think this is where it's > supposed to stop. > > Obviously, CentOS 7 with its older version of SSL has no trouble connecting. > One difference is that on CentOS 7 it says "Secure Renegotiation IS > supported." > > TIA for any help. > > Thanks, > Jarett > > > On Dec 7, 2022, at 12:50 AM, Sumit Bose <[email protected]> wrote: > > > > Am Tue, Dec 06, 2022 at 05:14:34PM -0600 schrieb Jarett DeAngelis: > >> Hi, > >> > >> I am trying to get SSSD to authenticate against an OpenLDAP directory. I > >> have "debug_level" turned up to 10 but have not been able to figure out > >> what the problem is based on the log. > >> > >> On an Ubuntu 22.04 system I have found that something with TLS is broken > >> when it tries to connect to OpenLDAP, which is why it has failed on that > >> system -- I think this is related to the OS moving to OpenSSL 3 but have > >> not been able to figure out how to fix it. > >> > >> On this CentOS 7 system, you can see that it can find the user, can get > >> properties from the user, but still fails the user login without, as far > >> as I can tell, explaining why. > >> > >> I have pasted our sssd.conf below, and here is a link to my Nextcloud > >> instance where I am hosting the relevant portion of the log (it was too > >> big for me to be able to paste it into Pastebin): > >> https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD > >> <https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD><https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD > >> <https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD>> > > > > Hi, > > > > there is no authentication attempt covered in the log file. Are you sure > > pam_sss.so is included in your PAM configuration and called for the > > specific user? > > > > bye, > > Sumit > > > >> > >> Hoping someone can help us get to the bottom of this. > >> > >> Thanks. > >> > >> Here is our sssd.conf: > >> > >> [sssd] > >> services = nss, pam > >> config_file_version = 2 > >> domains = default > >> certificate_verification = no_verification > >> > >> [nss] > >> > >> [pam] > >> offline_credentials_expiration = 60 > >> > >> [domain/default] > >> debug_level = 10 > >> ldap_id_use_start_tls = False > >> cache_credentials = True > >> ldap_search_base = ou=users,dc=clab,dc=lab > >> id_provider = ldap > >> auth_provider = ldap > >> chpass_provider = ldap > >> access_provider = ldap > >> ldap_uri = ldaps://10.8.8.60:636 > >> ldap_default_bind_dn = cn=admin,dc=clab,dc=lab > >> ldap_default_authtok = definitelyverysecurepassword > >> ldap_tls_reqcert = allow > >> ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt > >> ldap_tls_cacertdir = /usr/local/share/ca-certificates > >> ldap_tls_cert = /etc/ldap/ldapserver00_slapd_cert.pem > >> certificate_verification = no_verification > >> ldap_search_timeout = 50 > >> ldap_network_timeout = 60 > >> ldap_access_order = filter > >> ldap_access_filter = (objectClass=posixAccount) > >> override_homedir = /home/%U > >> override_shell = /bin/bash > >> ldap_user_name = uid > >> auto_private_groups = true > >> sudo_provider = none > >> ldap_account_expire_policy = nds > >> ldap_passwd_policy = shadow > > > >> _______________________________________________ > >> sssd-users mailing list -- [email protected] > >> <mailto:[email protected]> > >> To unsubscribe send an email to [email protected] > >> <mailto:[email protected]> > >> Fedora Code of Conduct: > >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >> <https://docs.fedoraproject.org/en-US/project/code-of-conduct/> > >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > >> <https://fedoraproject.org/wiki/Mailing_list_guidelines> > >> List Archives: > >> https://lists.fedorahosted.org/archives/list/[email protected] > >> > >> <https://lists.fedorahosted.org/archives/list/[email protected]> > >> Do not reply to spam, report it: > >> https://pagure.io/fedora-infrastructure/new_issue > >> <https://pagure.io/fedora-infrastructure/new_issue> > > _______________________________________________ > > sssd-users mailing list -- [email protected] > > <mailto:[email protected]> > > To unsubscribe send an email to [email protected] > > <mailto:[email protected]> > > Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > <https://docs.fedoraproject.org/en-US/project/code-of-conduct/> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > <https://fedoraproject.org/wiki/Mailing_list_guidelines> > > List Archives: > > https://lists.fedorahosted.org/archives/list/[email protected] > > > > <https://lists.fedorahosted.org/archives/list/[email protected]> > > Do not reply to spam, report it: > > https://pagure.io/fedora-infrastructure/new_issue > > <https://pagure.io/fedora-infrastructure/new_issue> > _______________________________________________ > sssd-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
