Did you check your PAM config?

On Sat, Sep 14, 2024, 6:42 PM GrahamC <gcfed...@crowie.net> wrote:
>
> Hi,
>
> I have existing systems that authenticate via LDAP using SSSD and
> have recently added a Fedora 40 system, except that it denies login to
> all of the LDAP users. It can see the users (user and groups owning
> files are displayed correctly, and the "finger" command finds the
> users), however for some reason it always fails to authenticate passwords.
>
> The following is from /var/log/secure
>
> Sep 15 11:26:27 ext5 sshd[265914]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.131.55 user=graham
> Sep 15 11:26:29 ext5 sshd[265914]: Failed password for graham from 192.168.131.55 port 60366 ssh2
>
> The LDAP server is a Fedora 34 but there are many older systems (back to
> Fedora 19) still authenticating via LDAP. I remember many years ago (I
> think it was when I was converting from NIS) that I had to change the
> password format, so maybe I have something old in my setup (passwords
> appear to be stored as a 52 character encrypted string).
>
> I am looking for some pointers as to where to look for testing and
> troubleshooting this issue. Are there any tools to test sssd
> authentication? Or any other information that may help me?
>
> Thank you
>
>
> /etc/nsswitch contains (on both the working Fedora 34 and the not
> working Fedora 40 systems)
>
> passwd: sss files systemd
> shadow: files
> group: sss files systemd
> hosts: files myhostname dns
> services: sss files
> netgroup: sss files
> automount: sss files
> aliases: files
> ethers: files
> gshadow: files
> networks: files dns
> protocols: files
> publickey: files
> rpc: files
>
> /etc/sssd/sssd.conf contains (on both the working Fedora 34 and the not
> working Fedora 40 systems) - domain name changed.
>
> [sssd]
> config_file_version = 2
> domains = LDAP
> services = nss, pam
>
> [nss]
> filter_groups = root
> filter_users = root
>
> [pam]
>
> [domain/LDAP]
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldap://ldap.mydomain.net
> ldap_chpass_uri = ldap://ldap.mydomain.net
> ldap_search_base = dc=mydomain,dc=net
> ldap_id_use_start_tls = True
> cache_credentials = True
> ldap_tls_cacertdir = /etc/openldap/certs
> ldap_tls_reqcert = allow
>
>
> --
> This email has been checked for viruses by AVG antivirus software.
> www.avg.com
> --
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
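The PAM check suggested in the reply can be scripted. The following is an added example, not part of the thread: it parses a PAM stack and lists the management groups that never call pam_sss.so, which matters here because the quoted log shows only a pam_unix failure. The sample stack is constructed, and the assumption is that on Fedora the relevant files are /etc/pam.d/password-auth and /etc/pam.d/system-auth.

```python
import re

# PAM management groups SSSD needs to handle for LDAP users.
TYPES = ("auth", "account", "password", "session")

# Constructed sample: a stack where pam_sss.so is missing from "auth"
# (so only pam_unix can check the password) but present elsewhere.
SAMPLE_STACK = """\
# constructed example, not taken from the poster's system
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_unix.so yescrypt shadow use_authtok
password    sufficient    pam_sss.so use_authtok
-session    optional      pam_systemd.so
session     optional      pam_sss.so
"""

# type, control (plain word or [bracketed list]), module path
LINE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def modules_by_type(stack_text):
    """Return {type: [module, ...]} in stack order, ignoring comments."""
    found = {t: [] for t in TYPES}
    for raw in stack_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line)
        if not m or m.group(2) not in found:
            continue
        # Strip any directory so /usr/lib64/security/pam_sss.so also matches.
        found[m.group(2)].append(m.group(4).rsplit("/", 1)[-1])
    return found

def types_missing_sss(stack_text):
    """List the management groups that never call pam_sss.so."""
    mods = modules_by_type(stack_text)
    return [t for t in TYPES if "pam_sss.so" not in mods[t]]

if __name__ == "__main__":
    import sys
    # With a path argument, check that file; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STACK
    print("pam_sss.so missing from:", types_missing_sss(text) or "none")
```

Run it against each PAM file in turn; `include` and `substack` lines are reported as module names rather than followed, so check the included file separately.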