Off the top, the LDAP server cannot resolve in DNS, so it's setting the LDAP server name to the IP, and the IP is not in your cert as a SAN that I can see.
> On 12/07/2022 12:10 AM Jarett DeAngelis <[email protected]> wrote:
>
> Hi Sumit,
>
> Thank you! You made me realize I never updated PAM using authconfig.
> `sudo authconfig --enablesssdauth --enablesssd --updateall --enablemkhomedir`
> took care of it.
>
> Do you have any insights as to what is going on with the newer (Ubuntu
> 22.04) machine's attempts to authenticate? SSSD logs are pretty clear that
> there is an "unknown error" with TLS communication despite the OpenLDAP
> server appearing to communicate normally -- OpenSSL 3.0 freezes, basically,
> while trying to connect, as seen here:
>
> (2022-12-07 7:17:24): [be[default]] [check_if_online_delayed] (0x2000): [RID#1010] Trying to go back online!
> (2022-12-07 7:17:24): [be[default]] [fo_reset_services] (0x1000): [RID#1010] Resetting all servers in all services
> (2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1010] Marking server '10.8.8.60' as 'name not resolved'
> (2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0100): [RID#1010] Marking port 636 of server '10.8.8.60' as 'neutral'
> (2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0400): [RID#1010] Marking port 636 of duplicate server '10.8.8.60' as 'neutral'
> (2022-12-07 7:17:24): [be[default]] [dp_attach_req] (0x0400): [RID#1011] DP Request [Online Check #1011]: REQ_TRACE: New request. Flags [0000].
> (2022-12-07 7:17:24): [be[default]] [dp_attach_req] (0x0400): [RID#1011] Number of active DP request: 1
> (2022-12-07 7:17:24): [be[default]] [fo_resolve_service_send] (0x0100): [RID#1011] Trying to resolve service 'LDAP'
> (2022-12-07 7:17:24): [be[default]] [get_server_status] (0x1000): [RID#1011] Status of server '10.8.8.60' is 'name not resolved'
> (2022-12-07 7:17:24): [be[default]] [get_port_status] (0x1000): [RID#1011] Port status of port 636 for server '10.8.8.60' is 'neutral'
> (2022-12-07 7:17:24): [be[default]] [fo_resolve_service_activate_timeout] (0x2000): [RID#1011] Resolve timeout [dns_resolver_timeout] set to 6 seconds
> (2022-12-07 7:17:24): [be[default]] [get_server_status] (0x1000): [RID#1011] Status of server '10.8.8.60' is 'name not resolved'
> (2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1011] Marking server '10.8.8.60' as 'resolving name'
> (2022-12-07 7:17:24): [be[default]] [check_if_online_delayed] (0x2000): [RID#1010] Check online req created.
> (2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1011] Marking server '10.8.8.60' as 'name resolved'
> (2022-12-07 7:17:24): [be[default]] [be_resolve_server_process] (0x1000): [RID#1011] Saving the first resolved server
> (2022-12-07 7:17:24): [be[default]] [be_resolve_server_process] (0x0200): [RID#1011] Found address for server 10.8.8.60: [10.8.8.60] TTL 7200
> (2022-12-07 7:17:24): [be[default]] [sdap_uri_callback] (0x0400): [RID#1011] Constructed uri 'ldaps://10.8.8.60:636'
> (2022-12-07 7:17:24): [be[default]] [sssd_async_socket_init_send] (0x4000): [RID#1011] Using file descriptor [21] for the connection.
> (2022-12-07 7:17:24): [be[default]] [sssd_async_socket_init_send] (0x0400): [RID#1011] Setting 60 seconds timeout [ldap_network_timeout] for connecting
> (2022-12-07 7:17:24): [be[default]] [sss_ldap_init_sys_connect_done] (0x0020): [RID#1011] ldap_install_tls failed: [Connect error] [unknown error]
> (2022-12-07 7:17:24): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#1011] calling ldap_unbind_ext for ldap:[0x560819ad2470] sd:[21]
> (2022-12-07 7:17:24): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#1011] closing socket [21]
> (2022-12-07 7:17:24): [be[default]] [sdap_sys_connect_done] (0x0020): [RID#1011] sdap_async_connect_call request failed: [5]: Input/output error.
> (2022-12-07 7:17:24): [be[default]] [sdap_handle_release] (0x2000): [RID#1011] Trace: sh[0x560819af04f0], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0]
> (2022-12-07 7:17:24): [be[default]] [_be_fo_set_port_status] (0x8000): [RID#1011] Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_done: 1633
> (2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0100): [RID#1011] Marking port 636 of server '10.8.8.60' as 'not working'
>
> If you look at it with `openssl s_client`, it freezes right here:
>
> root@ldapclient:/home/sysop# openssl s_client -connect 10.8.8.60:636
> CONNECTED(00000003)
> Can't use SSL_get_servername
> depth=1 CN = CompanyInternal
> verify return:1
> depth=0 O = CompanyInternal, CN = ldapserver00.clab.lab
> verify return:1
> ---
> Certificate chain
>  0 s:O = CompanyInternal, CN = ldapserver00.clab.lab
>    i:CN = CompanyInternal
>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
>    v:NotBefore: Nov 1 22:06:32 2022 GMT; NotAfter: Oct 29 22:06:32 2032 GMT
>  1 s:CN = CompanyInternal
>    i:CN = CompanyInternal
>    a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
>    v:NotBefore: Nov 1 22:04:14 2022 GMT; NotAfter: Oct 29 22:04:14 2032 GMT
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIERzCCAi+gAwIBAgIUN7zSoFEoRKwSie9d3DoobHH60x4wDQYJKoZIhvcNAQEM
> BQAwEjEQMA4GA1UEAxMHQmlvVGVhbTAeFw0yMjExMDEyMjA2MzJaFw0zMjEwMjky
> MjA2MzJaMDIxEDAOBgNVBAoTB0Jpb1RlYW0xHjAcBgNVBAMTFWxkYXBzZXJ2ZXIw
> MC5jbGFiLmxhYjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKBtDPgT
> e8wr/sxg+oUiMDvyuROnxEMDvF8LRwhQianBxqQuwuZulvVLXBgWyVRyNjInUDXU
> q1Hbf2JVXVkMufO/VjRIlF4lRPC/sgu1srxUdRvddBEO9t8inAMlJ0dvGOaZBwS7
> fKK3+YeIRSleRbXS6ta2shvwxrDTWhiEPL4dgdeD+7J9ll4cbbuHW0YZJvlRJ9xD
> VHy70qcZn6ZyDXQt83Mbf78RLioK78S0dKW6eOACKHHSexIGcP8bZOX43XTZJHME
> Y7jFSBaMVF+pa0eRj6pTA6U2sFg4puWC1Xkt++1Wpnq9YdB9CqOII3UvdlPVoOHH
> oGQ6CmDmIR908kUCAwEAAaN1MHMwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggr
> BgEFBQcDATAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0OBBYEFHKk9dZu3nxATWKqJlXK
> 0ekuoRfkMB8GA1UdIwQYMBaAFCTD8jhauoaHVQBgCHanPoW83kRxMA0GCSqGSIb3
> DQEBDAUAA4ICAQCUA72TzDR5evZpTbZAoxZ4O3Xr+gKphB7HHQ4BNZ+zW/AV/rEW
> DLTnm3XQ+KPp/1jb1uSsKGqLqQ462rzzYQ5SU98/GxZM8xRxWyTq+wjLFcaUZ93V
> HVSm38Y77aK+uhw2qpiMeiKzW/M4UwUYQM4trKMSzBiQz46UPKkzihL5JR/TCcKj
> LrT+OhYcbIDfdnf0+jvB75eiWiQXrsX1B0VRVnFR4FqJSH8kD71OLWno9UlTpmWB
> xkDrWTW5xJAb+lJT12PRRg8cMRg/GtQSIo8PAPdrm/D6aBQsRtGm8KvIleBgo5FR
> htlMVzNyfq35ck8WhjyMQBwegJEbMBDSpYootdNrs5sOtv+CA6qDH6CsatYKr/ke
> bu3s167q0x/RAAROcdA6+7eMyrrVyZjv4tqPzfYdLvOg6o7m3kBy1BL56flbd+je
> wX4RJvNoQKGrZxKRsfKgS7cJCo3QEoV/RbOzTof3QZ4G+lLE15lI9v9Ad6aaX+Gt
> oLHAqxIE1Wld/fmBTBgLL9K5NFfvfINczNLJw/+X3f6e6IjQgT743oJZ4BaNyGn6
> 3YT5EgDAz5hgM4BhOMovUBVgcFsUdZkH3dHrX9OrdgmP737IXlp7tuo8/J0DMPgr
> e2I0qGBqCu03PBYl8G4iwF/7UKFy6cyB1srefQPoVQ0//iPQIB5p6LOhUQ==
> -----END CERTIFICATE-----
> subject=O = CompanyInternal, CN = ldapserver00.clab.lab
> issuer=CN = CompanyInternal
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2932 bytes and written 373 bytes
> Verification: OK
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
> ---
> Post-Handshake New Session Ticket arrived:
> SSL-Session:
>     Protocol  : TLSv1.3
>     Cipher    : TLS_AES_256_GCM_SHA384
>     Session-ID: 21BBA066E20DCEE0C99DA1EF0EA17A9F474DCB10993529D776A053A32EEDB728
>     Session-ID-ctx:
>     Resumption PSK: 6AC936C1645C80A5DDE93B179632FE59A4AEB15D3E3876B4385C01F769087C6D409E818BE582E550B3261CEED468423B
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>     0000 - 60 81 05 60 76 ea 36 36-e4 97 99 63 43 38 8a 2b   `..`v.66...cC8.+
>     0010 - 24 95 56 e5 af 76 a6 d2-60 82 fa d4 72 91 53 b5   $.V..v..`...r.S.
>     0020 - 4e fc 0d 13 b8 52 97 2a-40 13 83 7d cf 3f 51 aa   N....R.*@..}.?Q.
>     0030 - 96 f5 76 ca 14 c1 e7 e4-1d b7 39 53 d9 ee 19 89   ..v.......9S....
>     0040 - fd eb e0 d9 9f 8d 33 3b-97 cd 1d 0d 8c a4 f4 f4   ......3;........
>     0050 - 6f ab c2 49 59 b4 1c 67-78 b9 4c 93 03 2d 5c ff   o..IY..gx.L..-\.
>     0060 - a9 19 c8 36 a8 23 1b 3c-45 5e 6e 69 f7 8c c4 bb   ...6.#.<E^ni....
>     0070 - d9 d2 a9 86 92 f0 98 94-68 aa eb f2 18 ab ef 59   ........h......Y
>     0080 - 55 96 43 ad 64 06 26 93-c1 41 8c 2b ce db bb fa   U.C.d.&..A.+....
>     0090 - 9d 9f b3 71 fe cc ec d1-f5 e0 02 a8 70 b9 10 3c   ...q........p..<
>     00a0 - 42 32 60 d4 ac 94 ce 76-89 3a 0e 6c 95 43 22 e4   B2`....v.:.l.C".
>     00b0 - 89 a4 11 a9 24 a3 9a b4-3e 85 ee bb 1f 07 2f e0   ....$...>...../.
>     00c0 - bf 45 a2 2e 78 a4 51 9f-34 0e e4 87 a8 b4 c3 2a   .E..x.Q.4......*
>
>     Start Time: 1670399902
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
>     Max Early Data: 0
> ---
> read R BLOCK
> ---
> Post-Handshake New Session Ticket arrived:
> SSL-Session:
>     Protocol  : TLSv1.3
>     Cipher    : TLS_AES_256_GCM_SHA384
>     Session-ID: BBCD67A75D02D4E8A29FC1BC72AF66A58F589AABA8DCF321B809AEDC2F1100EE
>     Session-ID-ctx:
>     Resumption PSK: 2B9BBE1D73BEA62DBB0CDAFE6D25B09FB69F9D53DB02645AA889674CA7D28FF66C8D025F5ECE2015EE228AB9C1A178E9
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>     0000 - 60 81 05 60 76 ea 36 36-e4 97 99 63 43 38 8a 2b   `..`v.66...cC8.+
>     0010 - 82 ee b5 24 8c 46 a1 ce-81 14 07 fa 50 57 67 78   ...$.F......PWgx
>     0020 - da 6a b0 d8 df 43 d8 fd-74 67 13 61 37 36 e5 ab   .j...C..tg.a76..
>     0030 - cd 3d 32 95 95 55 a0 47-f1 d8 4a 7c 27 aa 64 7d   .=2..U.G..J|'.d}
>     0040 - 26 0d 60 8e 29 9c a9 40-6d 6f 59 c1 ab 6a e3 d4   &.`.)..@moY..j..
>     0050 - cb cb 96 05 51 46 48 f8-6b 67 53 10 47 30 36 24   ....QFH.kgS.G06$
>     0060 - f4 ea 62 f7 ac dc 64 b9-10 4e 62 17 75 3a 55 c9   ..b...d..Nb.u:U.
>     0070 - 73 98 41 c6 68 6e ee b9-62 e5 19 71 a1 df 05 62   s.A.hn..b..q...b
>     0080 - 7d 1a 30 dc 46 77 b3 c6-5b b6 fa 4f 2f 34 31 fa   }.0.Fw..[..O/41.
>     0090 - bf 1e 9e 26 b8 ff 95 d3-69 7b de c3 91 34 06 6a   ...&....i{...4.j
>     00a0 - 9e 2c ee 36 08 9f db 1f-28 44 ef 21 07 74 a8 9b   .,.6....(D.!.t..
>     00b0 - bd 55 f6 8b cb 11 bb 5f-7f 71 ba eb 15 1e 1e 70   .U....._.q.....p
>     00c0 - 36 3e 9d ce 42 2c 60 6d-d0 7f de 60 4a a9 80 da   6>..B,`m...`J...
>
>     Start Time: 1670399902
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
>     Max Early Data: 0
> ---
> read R BLOCK
>
> ^-- it stops there. I understand hanging and waiting for further
> communication is normal behavior, but I don't think this is where it's
> supposed to stop.
>
> Obviously, CentOS 7 with its older version of SSL has no trouble
> connecting. One difference is that on CentOS 7 it says "Secure Renegotiation
> IS supported."
>
> TIA for any help.
>
> Thanks,
> Jarett
>
> On Dec 7, 2022, at 12:50 AM, Sumit Bose <[email protected]> wrote:
>
> > On Tue, Dec 06, 2022 at 05:14:34PM -0600, Jarett DeAngelis wrote:
> >
> > > Hi,
> > >
> > > I am trying to get SSSD to authenticate against an OpenLDAP
> > > directory. I have "debug_level" turned up to 10 but have not been able to
> > > figure out what the problem is based on the log.
> > >
> > > On an Ubuntu 22.04 system I have found that something with
> > > TLS is broken when it tries to connect to OpenLDAP, which is why it has
> > > failed on that system -- I think this is related to the OS moving to
> > > OpenSSL 3 but have not been able to figure out how to fix it.
> > >
> > > On this CentOS 7 system, you can see that it can find the
> > > user, can get properties from the user, but still fails the user login
> > > without, as far as I can tell, explaining why.
> > >
> > > I have pasted our sssd.conf below, and here is a link to my
> > > Nextcloud instance where I am hosting the relevant portion of the log (it
> > > was too big for me to be able to paste it into Pastebin):
> > > https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD
> >
> > Hi,
> >
> > there is no authentication attempt covered in the log file. Are you sure
> > pam_sss.so is included in your PAM configuration and called for the
> > specific user?
> >
> > bye,
> > Sumit
> >
> > > Hoping someone can help us get to the bottom of this.
> > >
> > > Thanks.
> > >
> > > Here is our sssd.conf:
> > >
> > > [sssd]
> > > services = nss, pam
> > > config_file_version = 2
> > > domains = default
> > > certificate_verification = no_verification
> > >
> > > [nss]
> > >
> > > [pam]
> > > offline_credentials_expiration = 60
> > >
> > > [domain/default]
> > > debug_level = 10
> > > ldap_id_use_start_tls = False
> > > cache_credentials = True
> > > ldap_search_base = ou=users,dc=clab,dc=lab
> > > id_provider = ldap
> > > auth_provider = ldap
> > > chpass_provider = ldap
> > > access_provider = ldap
> > > ldap_uri = ldaps://10.8.8.60:636
> > > ldap_default_bind_dn = cn=admin,dc=clab,dc=lab
> > > ldap_default_authtok = definitelyverysecurepassword
> > > ldap_tls_reqcert = allow
> > > ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt
> > > ldap_tls_cacertdir = /usr/local/share/ca-certificates
> > > ldap_tls_cert = /etc/ldap/ldapserver00_slapd_cert.pem
> > > certificate_verification = no_verification
> > > ldap_search_timeout = 50
> > > ldap_network_timeout = 60
> > > ldap_access_order = filter
> > > ldap_access_filter = (objectClass=posixAccount)
> > > override_homedir = /home/%U
> > > override_shell = /bin/bash
> > > ldap_user_name = uid
> > > auto_private_groups = true
> > > sudo_provider = none
> > > ldap_account_expire_policy = nds
> > > ldap_passwd_policy = shadow
> > >
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
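The reply above points at the server certificate's SAN not covering the IP address the client dials. As an added example (not code from this thread or from SSSD), the following Python implements the server-identity check a TLS client applies to a peer certificate (DNS SANs match names, IP Address SANs match IP literals, the Common Name is only a deprecated fallback when no SAN exists) and runs it against the host part of an SSSD ldap_uri, alongside a small audit of the sssd.conf settings that decide whether a failed check is fatal. The certificate dictionaries, in the shape ssl.SSLSocket.getpeercert() returns, and the trimmed sssd.conf are constructed to mirror the thread; nothing is parsed from the posted PEM.

```python
"""Server-identity check for an SSSD ldap_uri, plus a TLS-setting audit of sssd.conf.

Added example for this thread; it is not SSSD code and does not parse the PEM
posted above.  The certificate dictionaries are constructed in the shape
ssl.SSLSocket.getpeercert() returns, mirroring the thread (subject CN
ldapserver00.clab.lab, client dialing 10.8.8.60).
"""
import configparser
import ipaddress
from urllib.parse import urlsplit

# OpenLDAP TLS_REQCERT values under which a certificate that fails verification
# does not end the session ("never" skips the check, "allow" ignores a bad cert).
LAX_REQCERT = {"never", "allow"}


def ldap_uri_host(uri: str) -> tuple[str, int]:
    """Return (host, port) from an ldap:// or ldaps:// URI."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps") or parts.hostname is None:
        raise ValueError(f"not a usable LDAP URI: {uri}")
    return parts.hostname, parts.port or (636 if parts.scheme == "ldaps" else 389)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match; a wildcard may only replace the leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # "*.clab.lab" matches "ldapserver00.clab.lab" but not "clab.lab" or "a.b.clab.lab".
    return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")


def cert_matches_target(cert: dict, target: str) -> tuple[bool, str]:
    """Is the peer certificate valid for the host the client actually dialed?"""
    sans = cert.get("subjectAltName", ())
    if _is_ip_literal(target):
        ip = ipaddress.ip_address(target)
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"IP Address SAN {value} matches {target}"
        # The CN is never consulted for an IP literal: it only matches an iPAddress SAN.
        return False, f"no IP Address SAN matches {target}; dial a name listed as a DNS SAN or add the IP as a SAN"
    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, target):
            return True, f"DNS SAN {value} matches {target}"
    if sans:
        return False, f"certificate has SANs but none matches {target}"
    # No SAN extension at all: legacy Common Name fallback, deprecated and refused by some verifiers.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(cn, target) for cn in cns):
        return True, f"CN matches {target} (no SAN present; CN fallback is deprecated)"
    return False, f"no SAN present and CN {cns} does not match {target}"


def audit_sssd_tls(conf_text: str, cert: dict, domain: str = "default") -> list[str]:
    """Return findings for settings under which a bad server certificate would not stop SSSD."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    findings = []
    # An absent key means SSSD's default, which is strict ("hard" per sssd-ldap(5)).
    reqcert = sec.get("ldap_tls_reqcert", "hard").strip().lower()
    if reqcert in LAX_REQCERT:
        findings.append(f"ldap_tls_reqcert = {reqcert}: a failed certificate check does not abort the session")
    host, port = ldap_uri_host(sec["ldap_uri"])
    ok, why = cert_matches_target(cert, host)
    if not ok:
        findings.append(f"ldap_uri host {host}:{port}: {why}")
    return findings


# Constructed inputs mirroring the thread (not the posted PEM or the full sssd.conf).
SERVER_CERT = {
    "subject": ((("organizationName", "CompanyInternal"),), (("commonName", "ldapserver00.clab.lab"),)),
    "subjectAltName": (("DNS", "ldapserver00.clab.lab"),),
}
SSSD_CONF = """
[domain/default]
id_provider = ldap
ldap_uri = ldaps://10.8.8.60:636
ldap_tls_reqcert = allow
ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt
"""
FIXED_CONF = """
[domain/default]
id_provider = ldap
ldap_uri = ldaps://ldapserver00.clab.lab:636
ldap_tls_reqcert = demand
ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt
"""

if __name__ == "__main__":
    for label, conf in (("as posted", SSSD_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_sssd_tls(conf, SERVER_CERT) or ["no findings"])
```

Run directly, the posted combination (ldaps://10.8.8.60:636 with ldap_tls_reqcert = allow) produces two findings and the corrected one none. Two caveats for anyone reusing the audit: with ldap_tls_reqcert set to never or allow, a certificate that fails verification does not abort the LDAP session, so a SAN mismatch can go unnoticed for a long time; and certificate_verification in sssd.conf tunes certificate (smart card) authentication in the PAM responder, not the LDAP TLS session, so no_verification there does not relax ldap_tls_reqcert.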
