On Mon, Nov 14, 2016 at 10:00:27PM +0100, Lukas Slebodnik wrote:
On (14/11/16 17:25), Ronny Forberger wrote:
>
>
>> Lukas Slebodnik <lslebodn(a)redhat.com> wrote on 14 November 2016 at 17:18:
>>
>>
>> On (14/11/16 17:09), Ronny Forberger wrote:
>> >> Lukas Slebodnik <lslebodn(a)redhat.com> wrote on 14 November 2016 at 11:36:
>> >>
>> >>
>> >> On (14/11/16 11:34), Ronny Forberger wrote:
>> >> >> Lukas Slebodnik <lslebodn(a)redhat.com> wrote on 14 November 2016 at 10:04:
>> >> >>
>> >> >>
>> >> >> On (13/11/16 16:03), ronnyforberger(a)ronnyforberger.de wrote:
>> >> >> >I found out, that /var/run/sss needed mode 0755.
>> >> >> >
>> >> >> >But I still cannot use passwords.
>> >> >> >My /etc/pam.d/system looks like the following:
>> >> >> >
>> >> >> What do you mean by cannot use password?
>> >> >> How do you authenticate ssh (or login on tty)?
>> >> >> Are you able to resolve the user with "getent passwd" or "id"?
>> >> >I cannot login using password or use sudo using password. Neither by ssh nor by login on tty.
>> >> >
>> >> >I can see the users through getent passwd and id.
>> >> >
>> >> >The debug log of pam_sssd.so says:
>> >> >
>> >> >
>> >> >Nov 13 17:31:59 macy sudo: in openpam_dispatch(): /usr/local/lib/pam_sss.so: pam_sm_authenticate(): authentication error
>> >> >Nov 13 17:32:01 macy su: in openpam_dispatch(): calling pam_sm_setcred() in /usr/local/lib/pam_sss.so
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_SERVICE
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_USER
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_TTY
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RUSER
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RHOST
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_AUTHTOK
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_OLDAUTHTOK
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >> >Nov 13 17:32:01 macy su: in pam_set_data(): entering: 'pam_sss:fd_destructor'
>> >> >Nov 13 17:32:01 macy su: in pam_set_data(): returning PAM_SUCCESS
>> >> >Nov 13 17:32:01 macy su: in openpam_dispatch(): /usr/local/lib/pam_sss.so: pam_sm_setcred(): success
>> >> >
>> >> Those messages are from syslog.
>> >> You need to find a problem in sssd logs.
>> >>
>> >> https://fedorahosted.org/sssd/wiki/Troubleshooting
>> >Ok, here is the PAM log from sssd:
>> >
>> >(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
>> >(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
>> >(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
>> There are just log messages from debug_level 0x0100.
>>
>> I assume you set "debug_level = 0x0100" in the pam section.
>> But 0x0100 is bitmask style and does not include debug
>> messages with a lower debug level.
>>
>> Could you set "debug_level = 0x03f0" or the non-bitmask version
>> "debug_level = 7"?
>>
>> Please attach log sssd_pam.log and sssd_$domain.log files
>> as attachments to the mail.
>Here is the log file.
>
>Best regards,
>Ronny
>>
>> LS
>>
>___________________________________
>Ronny Forberger
>ronnyforberger at ronnyforberger.de
>PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [monitor_common_send_id] (0x0100): Sending ID:
(pam,1)
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_names_init_from_args] (0x0100): Using re
[(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^(a)\\]+)$))].
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_fqnames_init] (0x0100): Using fq format
[%1$s@%2$s].
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_fqnames_init] (0x0100): Found the pattern
for domain name
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [dp_common_send_id] (0x0100): Sending ID to
DP: (1,PAM)
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sysdb_domain_init_internal] (0x0200): DB File
for ronnyforberger.de: /var/db/sss/cache_ronnyforberger.de.ldb
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'root' matched without domain, user is root
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'root' matched without domain, user is root
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [responder_set_fd_limit] (0x0100): Maximum
file descriptors set to [8192]
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [id_callback] (0x0100): Got id ack and version
(1) from Monitor
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [dp_id_callback] (0x0100): Got id ack and
version (1) from DP
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received
client version [3].
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered
version [3].
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering
pam_cmd_acct_mgmt
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'rf' matched without domain, user is rf
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_ACCT_MGMT
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting
info for [rf(a)ronnyforberger.de]
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request
with the following data:
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_ACCT_MGMT
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
ronnyforberger.de
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req
returned 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received:
[0][ronnyforberger.de]
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with
result [0].
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 34
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received
client version [3].
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered
version [3].
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_cmd_setcred] (0x0100): entering
pam_cmd_setcred
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'rf' matched without domain, user is rf
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_SETCRED
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting
info for [rf(a)ronnyforberger.de]
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request
with the following data:
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_SETCRED
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
ronnyforberger.de
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req
returned 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received:
[0][ronnyforberger.de]
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with
result [0].
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 34
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received
client version [3].
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered
version [3].
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering
pam_cmd_authenticate
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'rf' matched without domain, user is rf
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36187
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting
info for [rf(a)ronnyforberger.de]
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request
with the following data:
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
ronnyforberger.de
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
"authtok type: 0" means that no password was sent; you should see a '1'
here for password authentication.
Have you been prompted for a password? Depending on where pam_sss is
used in the PAM configuration you have to use different options. E.g. if
there is a PAM module called before pam_sss which prompts for a password,
you have to use the 'use_first_pass' option to tell pam_sss not to
prompt for a password. If pam_sss is the first module which prompts for
a password, you should add 'forward_pass' to tell pam_sss to keep the
password in the PAM data so that other PAM modules can use it as well
(if needed). Please see man pam_sss for details.
HTH
bye,
Sumit
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36187
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [9][ronnyforberger.de]
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [9].
> authentication for "sudo" failed here. 9 is the return code for PAM_AUTH_ERR.
>
> I could also see the same problem with authentication for the "dovecot" service
> and the same user "rf". But I could not see any attempt at authentication
> with ssh or login(tty). I would recommend starting testing with something
> simpler rather than sudo.
>
> BTW more details should be available in the domain log file
>
https://fedorahosted.org/sssd/wiki/Troubleshooting#TroubleshootingAuthent...
>
> LS
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
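An added triage script for the points raised in this thread, written for this page rather than taken from the thread or from the SSSD project: it groups sssd_pam.log lines by cli_pid so that the "authtok type" of one request sits next to the data-provider reply for that request, checks whether a bitmask-style debug_level would emit a line tagged with a given level (Lukas's 0x0100 point), and lints the auth lines of a pam.d file for the use_first_pass / forward_pass placement rule Sumit describes. Assumptions not in the thread: the log excerpt and both pam.d stacks below are constructed, the reply codes follow OpenPAM numbering as on the FreeBSD host here (Linux-PAM numbers them differently), and pam.d lines are in "type control module args" form.

```python
"""Added example (not SSSD project code) for the thread above: correlate
sssd_pam.log requests with their reply, test a debug_level bitmask, and
lint pam_sss option placement in an auth stack."""
import re
from collections import OrderedDict

# Constructed excerpt modelled on the sssd_pam.log quoted in the thread.
SAMPLE_LOG = """\
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][ronnyforberger.de]
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36187
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [9][ronnyforberger.de]
"""
LINE_RE = re.compile(r"^\([^)]*\) \[sssd\[pam\]\] \[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
FIELD_RE = re.compile(r"^(?P<key>[a-z_ ]+): (?P<val>.*)$")
REPLY_RE = re.compile(r"^received: \[(?P<code>\d+)\]\[[^\]]*\]$")

# authtok type as printed by the responder: 0 = nothing sent, 1 = password.
AUTHTOK_TYPES = {0: "empty (no password sent)", 1: "password"}
# Reply codes as numbered by OpenPAM, the libpam on the FreeBSD host in the
# thread (9 = PAM_AUTH_ERR); Linux-PAM numbers these differently.
OPENPAM_STATUS = {0: "PAM_SUCCESS", 6: "PAM_CONV_ERR", 7: "PAM_PERM_DENIED",
                  8: "PAM_MAXTRIES", 9: "PAM_AUTH_ERR"}

def parse_pam_requests(text):
    """Group pam_print_data fields by cli_pid and attach the DP reply code.
    Fields are printed twice per request (before/after domain lookup); later values win."""
    requests, pending, current = OrderedDict(), {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "pam_print_data" and FIELD_RE.match(msg):
            key, val = FIELD_RE.match(msg).groups()
            if key == "cli_pid":
                current = int(val)
                requests.setdefault(current, {}).update(pending)
                pending = {}
            else:
                pending[key] = val
        elif func == "pam_dp_process_reply" and current is not None:
            r = REPLY_RE.match(msg)
            if r:
                requests[current]["result"] = int(r.group("code"))
    return requests

def triage(requests):
    """Flag authentications that reached SSSD with no password, plus non-zero replies."""
    findings = []
    for pid, req in requests.items():
        cmd, svc, res = req.get("command", "?"), req.get("service", "?"), req.get("result")
        status = OPENPAM_STATUS.get(res, "code %s" % res)
        if cmd == "PAM_AUTHENTICATE" and int(req.get("authtok type", "0")) == 0:
            findings.append("pid %d %s: PAM_AUTHENTICATE with authtok type 0 (%s) -> %s; "
                            "check use_first_pass/forward_pass on pam_sss"
                            % (pid, svc, AUTHTOK_TYPES[0], status))
        elif res not in (None, 0):
            findings.append("pid %d %s: %s -> %s" % (pid, svc, cmd, status))
    return findings

def would_log(debug_level, line_level):
    """Bitmask-style debug_level (0x0010 and up): a message tagged (0xNNNN) is written
    only if that bit is set, so 0x0100 alone hides 0x0200 and 0x0040 messages.
    SSSD maps the old 0-9 levels to a mask first; that mapping is not shown here."""
    return bool(debug_level & line_level)

def lint_pam_sss(pam_text):
    """Apply the thread's placement rule to the auth lines of a pam.d file
    (type control module args): pam_sss after another auth module needs
    use_first_pass; pam_sss first with modules after it needs forward_pass."""
    auth = [ln.split() for ln in pam_text.splitlines()
            if ln.split()[:1] == ["auth"] and len(ln.split()) >= 3]
    warnings = []
    for i, fields in enumerate(auth):
        module, opts = fields[2], set(fields[3:])
        if not module.endswith("pam_sss.so"):
            continue
        if i > 0 and "use_first_pass" not in opts:
            warnings.append("auth entry %d: pam_sss follows another auth module without "
                            "use_first_pass, so it will prompt again" % (i + 1))
        if i == 0 and len(auth) > 1 and "forward_pass" not in opts:
            warnings.append("auth entry 1: pam_sss prompts first without forward_pass, "
                            "so later auth modules cannot reuse the password")
    return warnings

# Constructed FreeBSD-style auth stacks: pam_sss misplaced per the rule above,
# then the same stack with the options Sumit describes.
BROKEN_PAM_AUTH = """\
auth    sufficient  pam_opie.so  no_warn no_fake_prompts
auth    sufficient  /usr/local/lib/pam_sss.so
auth    required    pam_unix.so  no_warn try_first_pass
"""
FIXED_PAM_AUTH = """\
auth    sufficient  /usr/local/lib/pam_sss.so  forward_pass
auth    required    pam_unix.so  no_warn use_first_pass
"""
```

Run it against a real sssd_pam.log by passing the file contents to parse_pam_requests() and triage(); the single finding on the constructed excerpt is the sudo request (pid 36187) reaching SSSD with authtok type 0 and coming back PAM_AUTH_ERR, which is the pattern Sumit points at. The lint only encodes the ordering rule from the thread; whether an earlier module actually prompts still depends on that module's own options.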