On Fri, Jan 13, 2023 at 01:41:28PM -0000, Bill McGrory wrote:
> Hello,
> I am looking for clues on how to debug a problem with my configuration for
> using LDAP and Yubikey PIV authentication.
> I have successfully gotten my sssd config to recognize my ldap server, and
> can authenticate and log in to a user from there.
> I also am prompted to enter my smartcard. My p11_child.log correctly logs
> the presence of my key, and the certs offered up for authentication.
>
> However, if I configure my pam common-auth so that I only use pam_sss for
> auth, and comment out pam_unix, I get 3 failed login attempts, but it never
> asks me for a pin.
Hi,

did you, by chance, keep the 'use_first_pass' in the 'auth pam_sss.so' line?
This should be removed. If not, please share your PAM configuration as well.

bye,
Sumit

>
> I have debug_level set to 10 for all the different sections, but in looking
> at the logs I can't see any particular error that stands out.
>
> I feel like the last relevant sssd_pam.log entries are
> Fri Jan 13 08:33:48 2023) [pam] [cache_req_create_and_add_result] (0x0400): CR #5: Found 1 entries in domain closed.aerosoftinc.com
> (Fri Jan 13 08:33:48 2023) [pam] [cache_req_done] (0x0400): CR #5: Finished: Success
> (Fri Jan 13 08:33:48 2023) [pam] [pd_set_primary_name] (0x0400): User's primary name is [email protected]
> (Fri Jan 13 08:33:48 2023) [pam] [pam_initgr_cache_set] (0x2000): [mcgrory] added to PAM initgroup cache
> (Fri Jan 13 08:33:48 2023) [pam] [pam_dp_send_req] (0x0100): Sending request with the following data:
> (Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
> (Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): domain: closed.aerosoftinc.com
> (Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): user: [email protected]
> (Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): service: sudo
> (Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): tty: /dev/pts/1
> (Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): ruser: mcgrory
> (Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): rhost: not set
> (Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): authtok type: 0
> (Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): newauthtok type: 0
> (Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): priv: 0
> (Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): cli_pid: 109539
> (Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): logon name: mcgrory
> (Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): flags: 513
> (Fri Jan 13 08:33:48 2023) [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
> (Fri Jan 13 08:33:48 2023) [pam] [sbus_dispatch] (0x4000): Dispatching.
> (Fri Jan 13 08:33:48 2023) [pam] [pam_dp_send_req_done] (0x0200): received: [7 (Authentication failure)][closed.aerosoftinc.com]
>
>
>
> this is from sssd_closed.aerosoftinc.com.log
>
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): domain: closed.aerosoftinc.com
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): user: [email protected]
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): service: sudo
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): tty: /dev/pts/1
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): ruser: mcgrory
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): rhost:
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): authtok type: 0
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): newauthtok type: 0
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): priv: 0
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): cli_pid: 109539
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): logon name: not set
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): flags: 0
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_attach_req] (0x0400): DP Request [PAM Authenticate #10]: New request. Flags [0000].
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_attach_req] (0x0400): Number of active DP request: 1
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [sss_domain_get_state] (0x1000): Domain closed.aerosoftinc.com is Active
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #10]: Request handler finished [0]: Success
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #10]: Receiving request data.
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #10]: Request removed.
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_req_destructor] (0x0400): Number of active DP request: 0
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_method_enabled] (0x0400): Target selinux is not configured
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.pamHandler: Success
> (Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [sbus_dispatch] (0x4000): Dispatching.
>
> I see no evidence in that log of failure, but I'm not sure what I'm looking
> for?
>
>
>
>
> my sssd.conf file is as follows
>
> [sssd]
> domains = closed.aerosoftinc.com
> debug_level = 10
> [pam]
> pam_cert_auth = true
> pam_verbosity = 3
> pam_cert_db_path = /etc/sssd/pki/aerosoft_ca.pem
> debug_level = 10
>
> [domain/closed.aerosoftinc.com]
> debug_level = 10
> id_provider = ldap
> selinux_provider = none
> auth_provider = ldap
> ldap_uri = ldaps://backup.closed.aerosoftinc.com
> cache_credentials = false
> ldap_search_base = dc=closed,dc=aerosoftinc,dc=com
>
> [certmap/closed.aerosoftinc.com/main]
> matchrule = <ISSUER>^CN=AeroSoft CA 2,O=AeroSoft Inc,L=Blacksburg,ST=Virginia,C=US$
> maprule = (gecos={subject_dn})
> domains = closed.aerosoftinc.com
>
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
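As an added check, not part of this thread or of the sssd project: a small Python linter for the situation Sumit asks about. It parses a pam.d auth stack (including the bracketed control syntax Debian's common-auth uses) and flags a pam_sss.so entry that still carries use_first_pass, which per the pam_sss man page makes the module reuse a previously stacked module's password and never prompt. The sample common-auth is constructed to mirror the poster's description (pam_unix commented out).

```python
"""Lint a PAM auth stack for a pam_sss.so line that cannot prompt for a PIN."""
import re

# Constructed sample: pam_unix commented out, pam_sss still carrying use_first_pass.
SAMPLE_COMMON_AUTH = """\
# /etc/pam.d/common-auth (constructed sample)
#auth   [success=2 default=ignore]  pam_unix.so nullok
auth    [success=1 default=ignore]  pam_sss.so use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
"""

# type, control (plain word or [key=value ...]), module path, optional arguments
LINE_RE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)


def parse_pam_stack(text):
    """Return the active (uncommented) entries as dicts with a list of args."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out entry
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["args"] = entry["args"].split()
            entries.append(entry)
    return entries


def lint_smartcard_auth(text):
    """Return (code, message) findings explaining why pam_sss may never prompt."""
    findings = []
    auth = [e for e in parse_pam_stack(text) if e["type"].lstrip("-") == "auth"]
    for i, e in enumerate(auth):
        if not e["module"].endswith("pam_sss.so") or "use_first_pass" not in e["args"]:
            continue
        findings.append(("use_first_pass",
                         "pam_sss.so auth entry carries use_first_pass; remove it so "
                         "pam_sss can prompt for the smartcard PIN"))
        # use_first_pass only reuses a password set by an earlier module in the stack
        if not any(p["module"].endswith("pam_unix.so") for p in auth[:i]):
            findings.append(("no_earlier_password",
                             "no active pam_unix.so before pam_sss.so, so there is no "
                             "previously entered password for use_first_pass to reuse"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_smartcard_auth(SAMPLE_COMMON_AUTH):
        print(f"{code}: {msg}")
```

Dropping use_first_pass from the sample clears both findings, because pam_sss then collects the PIN itself.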
