#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
#
# Stack layout: the local password database (pam_unix) is tried first; any
# account with uid >= 500 that is not local falls through to SSSD (pam_sss),
# which is handed the password already collected for pam_unix
# (use_first_pass / use_authtok) instead of prompting again.

# auth: load environment, then try the local password database.
auth required pam_env.so
# nullok lets a local account with an empty password field authenticate;
# NOTE(review): drop it unless empty local passwords are intended here.
auth sufficient pam_unix.so nullok try_first_pass
# requisite: system accounts (uid < 500) stop here and never reach SSSD.
auth requisite pam_succeed_if.so uid >= 500 quiet
# use_first_pass: reuse the password pam_unix prompted for; never re-prompt.
auth sufficient pam_sss.so use_first_pass
# Nothing above returned success: deny.
auth required pam_deny.so

# account: local shadow checks (broken_shadow tolerates unreadable shadow
# entries); local users and uids < 500 are accepted without asking SSSD.
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
# SSSD decides for everyone else; a user unknown to SSSD is ignored rather than
# rejected, any other failure is bad.
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

# password: strength check first (3 retries), then local update, then SSSD.
password requisite pam_cracklib.so try_first_pass retry=3 type=
# sha512 hashes into the shadow file; use_authtok takes the password
# pam_cracklib already checked instead of prompting again.
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

# session: kernel keyring, resource limits, home directory on first login.
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
# When the service is crond, skip the next line (pam_unix session).
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
From: "Sumit Bose" <sbose@redhat.com>
To: sssd-users@lists.fedorahosted.org
Sent: Wednesday, March 5, 2014 2:01:13 AM
Subject: Re: [SSSD-users] Problem Authenticating with Sun DS 5.2
On Tue, Mar 04, 2014 at 03:31:36PM -0600, Matt Mencel wrote:
> I am running Centos 6.5 and installed the latest SSSD from the IPA repo, 1.11.90.
>
>
> I've got it working to the point where I can run the 'id' command and it will return an LDAP user. When I try to authenticate using SSH however I just get "Permission denied". The SSSD log shows the bind is invalid, as if I'm using a bad password or bind DN.
>
>
>
> (Tue Mar 4 15:20:29 2014) [sssd[be[LDAP]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set
>
>
>
>
> On my LDAP server I see that it is returning err=49.
>
>
>
> [04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - fd=520 slot=520 LDAPS connection from 10.50.2.35 to 10.50.2.10
> [04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - SSL 128-bit RC4
> [04/Mar/2014:15:22:52 -0600] conn=2287156 op=0 msgId=1 - BIND dn="uid=ACCOUNT,ou=People,dc=here,dc=com" method=128 version=3
> [04/Mar/2014:15:22:52 -0600] conn=2287156 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
> [04/Mar/2014:15:22:52 -0600] conn=2287156 op=1 msgId=2 - UNBIND
> [04/Mar/2014:15:22:52 -0600] conn=2287156 op=1 msgId=-1 - closing - U1
> [04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - closed.
>
>
>
>
> I've tested over and over and I know I'm using the correct password. Tried multiple accounts all with their correct passwords and get the same result.
>
>
> I'm not using TLS, just LDAPS on port 636. Could it be that SSSD is using RC4 encryption and our LDAP server doesn't support RC4? Just not sure where else to go with this.
Can you check or send your PAM configuration? I would assume that the
right password is already lost in the PAM stack and SSSD never sees
it.
HTH
bye,
Sumit
>
>
> This is my SSSD config.
>
>
>
> [domain/LDAP]
>
>
> auth_provider = ldap
> cache_credentials = True
> chpass_provider = ldap
> entry_cache_timeout = 600
> enumerate = false
>
>
> id_provider = ldap
>
>
> ldap_id_use_start_tls = False
>
>
> ldap_schema = rfc2307bis
> ldap_search_base = dc=here,dc=com
>
>
> ldap_user_search_base = ou=people,dc=here,dc=com
> ldap_user_object_class = myObjClass
> ldap_user_name = uid
>
>
> ldap_group_seach_base = ou=groups,dc=here,dc=com
> ldap_group_object_class = groupofuniquenames
> ldap_page_size = 100
>
>
> ldap_uri = ldaps://ldap.here.com:636
> debug_level = 9
>
>
> ldap_default_bind_dn = cn=BINDUSER,ou=applications,dc=here,dc=com
> ldap_default_authtok = XXXXXXXX
>
>
> ldap_network_timeout = 3
>
>
> ldap_tls_cacertdir = /etc/openclad/cacert
> ldap_tls_reqcert = never
>
>
> ldap_access_filter = (department=My Department)
>
>
> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = LDAP
>
>
> [nss]
> filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd
>
>
> [pam]
>
>
>
>
>