The trace file attached to this mail contains the trace in which it is asking for a password.
Let me know if this is helpful.

Thanks


On Wed, Nov 16, 2011 at 7:49 PM, Nitesh Mehare <nitesh26@gmail.com> wrote:
Thanks Jakub for looking into the issue.
According to your suggestion I have modified my system-auth file. Now my current config looks like this:


bash-3.2# cat /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    /lib64/security/pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] /lib64/security/pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    /lib64/security/pam_sss.so use_authtok
password    required      pam_deny.so

#session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel/
#session     optional      pam_keyinit.so revoke
#session     required      pam_limits.so
#session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
#session     sufficient    /lib64/security/pam_sss.so
#session     required      pam_unix.so


session  optional   pam_keyinit.so revoke
session  required   pam_limits.so
session  optional   pam_mkhomedir.so umask=0022 skel=/etc/skel/
session  [success=1 default=ignore] pam_succeed_if.so service in crond quiet use _uid
session  required   pam_unix.so
session  optional   pam_sss.so
bash-3.2#

After this I have restarted the sssd process using the cmd service sssd restart

Then I tried the authentication with strace su - nitback1, which gave the output that is in the attached file.
But this did not prompt me for any password; it stopped at the line below:
rt_sigprocmask(SIG_UNBLOCK, [ALRM TERM], NULL, 8) = 0
wait4(-1, $



The above trace I have taken with selinux disabled. The setting of selinux is as follows:

bash-3.2# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
bash-3.2#



I'm not sure how to check for AVC denials when selinux is set to enforcing. Could you tell me how to do that?

Thanks...










On Wed, Nov 16, 2011 at 7:25 PM, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Tue, Nov 15, 2011 at 05:24:08PM +0530, Nitesh Mehare wrote:
>    Is that the output which is expected in the trace?
>    Is something missing in the trace which suggests any config problem?
>
>    On Tue, Nov 15, 2011 at 5:22 PM, Nitesh Mehare <nitesh26@gmail.com> wrote:
>
>      This is the output of strace for the user which is in ldap server.
>
>      bash-3.2# strace -e open su - nitback1
>      open("/etc/ld.so.cache", O_RDONLY)      = 3
>      open("/lib64/libpam.so.0", O_RDONLY)    = 3
>      open("/lib64/libpam_misc.so.0", O_RDONLY) = 3
>      open("/lib64/libcrypt.so.1", O_RDONLY)  = 3
>      open("/lib64/libdl.so.2", O_RDONLY)     = 3
>      open("/lib64/libc.so.6", O_RDONLY)      = 3
>      open("/lib64/libaudit.so.0", O_RDONLY)  = 3
>      open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
>      open("/etc/nsswitch.conf", O_RDONLY)    = 3
>      open("/etc/ld.so.cache", O_RDONLY)      = 3
>      open("/lib64/libnss_files.so.2", O_RDONLY) = 3
>      open("/etc/passwd", O_RDONLY)           = 3
>      open("/etc/ld.so.cache", O_RDONLY)      = 3
>      open("/lib64/libnss_sss.so.2", O_RDONLY) = 3
>      open("/etc/pam.d/su-l", O_RDONLY)       = 4
>      open("/etc/pam.d/su", O_RDONLY)         = 5
>      open("/lib64/security/pam_rootok.so", O_RDONLY) = 6
>      open("/etc/ld.so.cache", O_RDONLY)      = 6
>      open("/lib64/libselinux.so.1", O_RDONLY) = 6
>      open("/lib64/libsepol.so.1", O_RDONLY)  = 6
>      open("/etc/selinux/config", O_RDONLY)   = 6
>      open("/proc/mounts", O_RDONLY)          = 6
>      open("/etc/pam.d/system-auth", O_RDONLY) = 6
>      open("/lib64/security/pam_env.so", O_RDONLY) = 7
>      open("/lib64/security/pam_unix.so", O_RDONLY) = 7
>      open("/etc/ld.so.cache", O_RDONLY)      = 7
>      open("/usr/lib64/libcrack.so.2", O_RDONLY) = 7
>      open("/lib64/libnsl.so.1", O_RDONLY)    = 7
>      open("/lib64/security/pam_succeed_if.so", O_RDONLY) = 7
>      open("/lib64/security/pam_sss.so", O_RDONLY) = 7

So it seems pam_sss is found ^^^^

I have one suggestion as per the system-auth PAM config: I think the
session is not correct; authconfig configures the PAM stack like this:
---
session  optional   pam_keyinit.so revoke
session  required   pam_limits.so
session  optional   pam_mkhomedir.so umask=0022 skel=/etc/skel/
session  [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session  required   pam_unix.so
session  optional   pam_sss.so
---

Can you check two more things for me? Can you look if you get any AVC
denials provided SELinux is set to enforcing (or retry with setenforce 0
set for that test).

Also, can you send the whole strace output? IOW, run:
strace su - nitback1
ideally as non-root so you're prompted for a password.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
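Jakub asks above for AVC denials with SELinux enforcing, and Nitesh asks how to check for them. The script below is an added example and is not part of the thread or of the sssd project: it lists the live-host commands (getenforce, ausearch, grep on audit.log) and then parses AVC records offline, reporting the process, denied permission, object class and the source and target contexts for each denial. The config file contents, audit records, file names and SELinux contexts in it are constructed sample data (the sssd_t/unconfined_t contexts are illustrative), not values taken from the thread.

```shell
#!/bin/sh
# Added example, not from the sssd-devel thread: how to look for SELinux AVC
# denials that could block su/pam_sss, plus an offline parser for audit lines.
# All file contents below are constructed sample data.

# On a live host the check Jakub asks for is:
#   getenforce                        -> Enforcing / Permissive / Disabled
#   ausearch -m AVC -ts recent        (auditd running), or
#   grep 'type=AVC' /var/log/audit/audit.log
# With SELINUX=disabled (as in the thread) no denials are ever logged, so the
# test has to be repeated with SELinux enforcing (or permissive, which logs
# the denials without blocking the access).

# Boot-time mode from an /etc/selinux/config-style file (comments ignored).
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Print one summary line per AVC denial in an audit log:
#   <comm> denied <perms> on <tclass> (<scontext> -> <tcontext>)
# $2 restricts the output to one process name (comm); empty means all.
avc_denials() {
    grep 'type=AVC' "$1" | grep 'denied' | awk -v want="${2:-}" '
    {
        c = ""; if (match($0, /comm="[^"]*"/))   c = substr($0, RSTART + 6, RLENGTH - 7)
        if (want != "" && c != want) next
        p = ""; if (match($0, /\{[^}]*\}/))      p = substr($0, RSTART + 1, RLENGTH - 2)
        s = ""; if (match($0, /scontext=[^ ]*/)) s = substr($0, RSTART + 9, RLENGTH - 9)
        t = ""; if (match($0, /tcontext=[^ ]*/)) t = substr($0, RSTART + 9, RLENGTH - 9)
        k = ""; if (match($0, /tclass=[^ ]*/))   k = substr($0, RSTART + 7, RLENGTH - 7)
        gsub(/^ +| +$/, "", p)
        printf "%s denied %s on %s (%s -> %s)\n", c, p, k, s, t
    }'
}

# Number of denials for a process name (or all, if $2 is empty).
count_avc_denials() {
    avc_denials "$1" "${2:-}" | awk 'END { print NR }'
}

# --- constructed sample data -----------------------------------------------
SAMPLE_CONF=$(mktemp); SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# SELINUX= can take one of these three values:
SELINUX=disabled
SELINUXTYPE=targeted
EOF
# Constructed audit records in audit.log format; contexts are illustrative.
cat >"$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1321448812.123:45): avc:  denied  { read } for  pid=2101 comm="sssd_be" name="ldap.conf" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1321448812.123:45): arch=c000003e syscall=2 success=no exit=-13 comm="sssd_be"
type=AVC msg=audit(1321448813.456:46): avc:  denied  { connectto } for  pid=2200 comm="su" path="/var/lib/sss/pipes/pam" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1321448814.000:47): avc:  granted  { setenforce } for  pid=1 comm="load_policy" scontext=system_u:system_r:load_policy_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF

echo "config mode: $(selinux_config_mode "$SAMPLE_CONF")"
echo "denials involving su:"
avc_denials "$SAMPLE_LOG" su
echo "total denials: $(count_avc_denials "$SAMPLE_LOG")"
```

Only "denied" records are reported; a "granted" record (as the audit subsystem logs for setenforce) is skipped, and the SYSCALL record that shares an event id with a denial is ignored because the AVC record already carries the contexts. Filtering on comm lets you look at the su process and at the sssd back end (sssd_be) separately, which is the question the thread is trying to answer.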