Hello,
I am looking for clues on how to debug a problem with my configuration for 
using LDAP and Yubikey PIV authentication.
I have successfully gotten my sssd config to recognize my ldap server, and can 
authenticate and log in to a user from there.
I am also prompted to enter my smartcard. My p11_child.log correctly logs the 
presence of my key and the certs offered up for authentication.

However, if I configure my PAM common-auth so that I only use pam_sss for auth, 
and comment out pam_unix, I get 3 failed login attempts, but it never asks me 
for a PIN.

I have debug_level set to 10 for all the different sections, but in looking 
at the logs I can't see any particular error that stands out.

I feel like the last relevant sssd_pam.log entries are:
(Fri Jan 13 08:33:48 2023) [pam] [cache_req_create_and_add_result] (0x0400): CR #5: Found 1 entries in domain closed.aerosoftinc.com
(Fri Jan 13 08:33:48 2023) [pam] [cache_req_done] (0x0400): CR #5: Finished: Success
(Fri Jan 13 08:33:48 2023) [pam] [pd_set_primary_name] (0x0400): User's primary name is [email protected]
(Fri Jan 13 08:33:48 2023) [pam] [pam_initgr_cache_set] (0x2000): [mcgrory] added to PAM initgroup cache
(Fri Jan 13 08:33:48 2023) [pam] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): domain: closed.aerosoftinc.com
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): user: [email protected]
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): service: sudo
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): tty: /dev/pts/1
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): ruser: mcgrory
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): rhost: not set
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): authtok type: 0
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): priv: 0
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): cli_pid: 109539
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): logon name: mcgrory
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): flags: 513
(Fri Jan 13 08:33:48 2023) [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Fri Jan 13 08:33:48 2023) [pam] [sbus_dispatch] (0x4000): Dispatching.
(Fri Jan 13 08:33:48 2023) [pam] [pam_dp_send_req_done] (0x0200): received: [7 (Authentication failure)][closed.aerosoftinc.com]

This is from sssd_closed.aerosoftinc.com.log:

(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): domain: closed.aerosoftinc.com
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): user: [email protected]
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): service: sudo
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): ruser: mcgrory
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): rhost:
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): authtok type: 0
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): priv: 0
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): cli_pid: 109539
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): logon name: not set
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): flags: 0
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_attach_req] (0x0400): DP Request [PAM Authenticate #10]: New request. Flags [0000].
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [sss_domain_get_state] (0x1000): Domain closed.aerosoftinc.com is Active
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #10]: Request handler finished [0]: Success
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #10]: Receiving request data.
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #10]: Request removed.
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_method_enabled] (0x0400): Target selinux is not configured
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.pamHandler: Success
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [sbus_dispatch] (0x4000): Dispatching.

I see no evidence in that log of failure, but I'm not sure what I'm looking for.

My sssd.conf file is as follows:

[sssd]
domains = closed.aerosoftinc.com
debug_level = 10
[pam]
pam_cert_auth = true
pam_verbosity = 3
pam_cert_db_path = /etc/sssd/pki/aerosoft_ca.pem
debug_level = 10

[domain/closed.aerosoftinc.com]
debug_level = 10
id_provider = ldap
selinux_provider = none
auth_provider = ldap
ldap_uri = ldaps://backup.closed.aerosoftinc.com
cache_credentials = false
ldap_search_base = dc=closed,dc=aerosoftinc,dc=com

[certmap/closed.aerosoftinc.com/main]
matchrule = <ISSUER>^CN=AeroSoft CA 2,O=AeroSoft Inc,L=Blacksburg,ST=Virginia,C=US$
maprule = (gecos={subject_dn})
domains = closed.aerosoftinc.com

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
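A check worth running next, as an added example that is not from the original post or from sssd itself: it applies the certmap matchrule from the sssd.conf above to a certificate's issuer DN and renders the maprule into the LDAP filter sssd would search with, so that filter can be tried directly with ldapsearch to confirm it actually finds the user entry. It assumes sssd compares <ISSUER>/<SUBJECT> against the RFC 4514 string form of the DN and that {subject_dn} expands to the plain subject string (sssd's format suffixes are not modelled); the sample DNs are constructed.

```python
import re

# Certmap rule copied from the sssd.conf in the post; the checker itself is an
# added example, not sssd code.
MATCHRULE = r"<ISSUER>^CN=AeroSoft CA 2,O=AeroSoft Inc,L=Blacksburg,ST=Virginia,C=US$"
MAPRULE = "(gecos={subject_dn})"


def parse_matchrule(rule):
    """Split a certmap matchrule into (component, regex) pairs.

    Assumption: the rule is a sequence of <COMPONENT>regex terms as in
    sss-certmap(5); only <ISSUER> and <SUBJECT> are evaluated here."""
    return re.findall(r"<([A-Z]+)>(.*?)(?=<[A-Z]+>|$)", rule)


def cert_matches(rule, issuer_dn, subject_dn):
    """True if every <ISSUER>/<SUBJECT> regex matches its RFC 4514 DN string.

    Assumption: sssd matches against the DN in RFC 4514 order (CN first)."""
    dns = {"ISSUER": issuer_dn, "SUBJECT": subject_dn}
    for component, regex in parse_matchrule(rule):
        if component in dns and not re.search(regex, dns[component]):
            return False
    return True


def ldap_filter_escape(value):
    """Escape a value for embedding in an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def render_maprule(maprule, subject_dn):
    """Expand {subject_dn} in a maprule into the filter sssd would send.

    Assumption: {subject_dn} expands to the plain RFC 4514 subject string."""
    return maprule.replace("{subject_dn}", ldap_filter_escape(subject_dn))


def diagnose(issuer_dn, subject_dn, matchrule=MATCHRULE, maprule=MAPRULE):
    """Return (matched, ldap_filter_or_None) for one certificate's DNs."""
    if not cert_matches(matchrule, issuer_dn, subject_dn):
        return (False, None)
    return (True, render_maprule(maprule, subject_dn))


if __name__ == "__main__":
    # Constructed sample DNs; substitute the output of
    # `openssl x509 -noout -issuer -subject -nameopt RFC2253` for the real card.
    issuer = "CN=AeroSoft CA 2,O=AeroSoft Inc,L=Blacksburg,ST=Virginia,C=US"
    subject = "CN=mcgrory,OU=Users,O=AeroSoft Inc,C=US"
    matched, ldap_filter = diagnose(issuer, subject)
    print("matchrule matched:", matched)
    print("filter to try with ldapsearch:", ldap_filter)
```

If the rendered filter returns no entry under ldap_search_base, the certificate cannot be mapped to the user and the PAM responder has no certificate to prompt a PIN for.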