Problem was the loginShell attribute in LDAP was "/bin/csh" and that shell did
not exist on my client.
- SSH failed to bind (LDAP error 49)
- Local console would bind but not login.
- 'su - account' would bind, not login, and presented an error indicating /bin/csh
was not present.
Switched my loginShell attribute to /bin/bash and all worked as it should.
Matt
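A check a defender can run on a client to catch the root cause described above before users hit it: every LDAP user's loginShell must exist on the host and be listed in /etc/shells. This is an added example, not code from the thread or from SSSD; the passwd and /etc/shells contents are constructed samples, and the `exists` callback is injected so the check runs offline.

```python
"""Flag LDAP users whose loginShell would block login on this client."""
import os

# Constructed sample in the format `getent passwd` returns for LDAP users
SAMPLE_PASSWD = """\
mmencel:*:1001:1001:Matt Mencel:/home/mmencel:/bin/csh
jdoe:*:1002:1002:Jane Doe:/home/jdoe:/bin/bash
svc:*:1003:1003:Service Account:/home/svc:/sbin/nologin
ops:*:1004:1004:Ops User:/home/ops:/bin/zsh
"""

# Constructed sample of the client's /etc/shells
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/sbin/nologin
"""


def parse_shells(text):
    """Return the set of shells listed in /etc/shells-style text (comments/blanks skipped)."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def check_login_shells(passwd_text, valid_shells, exists=os.path.exists):
    """Return (user, shell, reason) for each entry whose shell would prevent login.

    `exists` is injectable so the check can be run against a constructed
    view of the filesystem instead of the real one.
    """
    problems = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:        # not a passwd entry, skip it
            continue
        user, shell = fields[0], fields[6]
        if not shell:
            problems.append((user, shell, "empty shell field"))
        elif not exists(shell):
            problems.append((user, shell, "shell binary missing on client"))
        elif shell not in valid_shells:
            problems.append((user, shell, "shell not listed in /etc/shells"))
    return problems


if __name__ == "__main__":
    # Constructed view of which shell binaries are installed on the client
    installed = {"/bin/sh", "/bin/bash", "/sbin/nologin", "/bin/zsh"}
    for user, shell, reason in check_login_shells(
            SAMPLE_PASSWD, parse_shells(SAMPLE_SHELLS), installed.__contains__):
        print(f"{user}: {shell}: {reason}")
```

On a real client, pass the output of `getent passwd` and the contents of /etc/shells and keep the default `exists`.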
----- Original Message -----
From: "Matt Mencel" <MR-Mencel(a)wiu.edu>
To: "End-user discussions about the System Security Services Daemon"
<sssd-users(a)lists.fedorahosted.org>
Sent: Wednesday, March 5, 2014 8:25:30 AM
Subject: Re: [SSSD-users] Problem Authenticating with Sun DS 5.2
This is the /etc/pam.d/system-auth file. Is that what you are looking for?
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
----- Original Message -----
From: "Sumit Bose" <sbose(a)redhat.com>
To: sssd-users(a)lists.fedorahosted.org
Sent: Wednesday, March 5, 2014 2:01:13 AM
Subject: Re: [SSSD-users] Problem Authenticating with Sun DS 5.2
On Tue, Mar 04, 2014 at 03:31:36PM -0600, Matt Mencel wrote:
I am running Centos 6.5 and installed the latest SSSD from the IPA
repo, 1.11.90.
I've got it working to the point where I can run the 'id' command and it will
return an LDAP user. When I try to authenticate using SSH however I just get
"Permission denied". The SSSD log shows the bind is invalid, as if I'm using
a bad password or bind DN.
(Tue Mar 4 15:20:29 2014) [sssd[be[LDAP]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set
On my LDAP server I see that it is returning err=49.
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - fd=520 slot=520 LDAPS connection from 10.50.2.35 to 10.50.2.10
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - SSL 128-bit RC4
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=0 msgId=1 - BIND dn="uid=ACCOUNT,ou=People,dc=here,dc=com" method=128 version=3
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=1 msgId=2 - UNBIND
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=1 msgId=-1 - closing - U1
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - closed.
I've tested over and over and I know I'm using the correct password. Tried
multiple accounts all with their correct passwords and get the same result.
I'm not using TLS, just LDAPS on port 636. Could it be that SSSD is using RC4
encryption and our LDAP server doesn't support RC4? Just not sure where else to go
with this.
Can you check or send your PAM configuration. I would assume that the
right password already gets lost in the PAM stack and SSSD never sees
it.
HTH
bye,
Sumit
This is my SSSD config.
[domain/LDAP]
auth_provider = ldap
cache_credentials = True
chpass_provider = ldap
entry_cache_timeout = 600
enumerate = false
id_provider = ldap
ldap_id_use_start_tls = False
ldap_schema = rfc2307bis
ldap_search_base = dc=here,dc=com
ldap_user_search_base = ou=people,dc=here,dc=com
ldap_user_object_class = myObjClass
ldap_user_name = uid
ldap_group_search_base = ou=groups,dc=here,dc=com
ldap_group_object_class = groupofuniquenames
ldap_page_size = 100
ldap_uri = ldaps://ldap.here.com:636
debug_level = 9
ldap_default_bind_dn = cn=BINDUSER,ou=applications,dc=here,dc=com
ldap_default_authtok = XXXXXXXX
ldap_network_timeout = 3
ldap_tls_cacertdir = /etc/openclad/cacert
ldap_tls_reqcert = never
ldap_access_filter = (department=My Department)
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[nss]
filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
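The Sun DS access log excerpt above only tells you the bind failed once you pair the BIND line with the RESULT line that shares its conn and op. The parser below does that pairing and counts err=49 results per bind DN, which is the same correlation a reviewer would want when triaging "Invalid credentials" reports. This is an added example, not code from the thread or from SSSD; the log lines are constructed samples modelled on the format shown in the thread.

```python
"""Pair BIND/RESULT lines in a Sun DS access log and count failed binds per DN."""
import re
from collections import defaultdict

# Constructed sample modelled on the Sun Directory Server access log format
SAMPLE_LOG = """\
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - fd=520 slot=520 LDAPS connection from 10.50.2.35 to 10.50.2.10
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - SSL 128-bit RC4
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=0 msgId=1 - BIND dn="uid=ACCOUNT,ou=People,dc=here,dc=com" method=128 version=3
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=1 msgId=2 - UNBIND
[04/Mar/2014:15:22:53 -0600] conn=2287157 op=0 msgId=1 - BIND dn="cn=BINDUSER,ou=applications,dc=here,dc=com" method=128 version=3
[04/Mar/2014:15:22:53 -0600] conn=2287157 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
"""

# Common prefix of every access-log line, then the operation-specific remainder
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
                     r'msgId=(?P<msg>-?\d+) - (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')


def bind_results(log_text):
    """Return (conn, dn, err, ts) for every BIND that got a RESULT on the same conn/op."""
    pending = {}            # (conn, op) -> (dn, ts) of a BIND still awaiting its RESULT
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue        # connection/TLS lines and anything unparseable are skipped
        key, rest = (m["conn"], m["op"]), m["rest"]
        b = BIND_RE.match(rest)
        if b:
            pending[key] = (b["dn"], m["ts"])
            continue
        r = RESULT_RE.match(rest)
        if r and key in pending:
            dn, ts = pending.pop(key)
            results.append((m["conn"], dn, int(r["err"]), ts))
    return results


def failed_binds_by_dn(log_text):
    """Count binds that ended in err=49 (invalid credentials), keyed by bind DN."""
    counts = defaultdict(int)
    for _conn, dn, err, _ts in bind_results(log_text):
        if err == 49:
            counts[dn] += 1
    return dict(counts)


if __name__ == "__main__":
    for dn, n in failed_binds_by_dn(SAMPLE_LOG).items():
        print(f"{n} failed bind(s) for {dn}")
```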