Sumit Bose <sbose(a)redhat.com> wrote on 15 November 2016 at 10:05:
On Mon, Nov 14, 2016 at 10:00:27PM +0100, Lukas Slebodnik wrote:
> On (14/11/16 17:25), Ronny Forberger wrote:
> >
> >
> >> Lukas Slebodnik <lslebodn(a)redhat.com> wrote on 14 November 2016 at 17:18:
> >>
> >>
> >> On (14/11/16 17:09), Ronny Forberger wrote:
> >> >> Lukas Slebodnik <lslebodn(a)redhat.com> wrote on 14 November 2016 at 11:36:
> >> >>
> >> >>
> >> >> On (14/11/16 11:34), Ronny Forberger wrote:
> >> >> >> Lukas Slebodnik <lslebodn(a)redhat.com> wrote on 14 November 2016 at 10:04:
> >> >> >>
> >> >> >>
> >> >> >> On (13/11/16 16:03), ronnyforberger(a)ronnyforberger.de wrote:
> >> >> >> >I found out, that /var/run/sss needed mode 0755.
> >> >> >> >
> >> >> >> >But I still cannot use passwords.
> >> >> >> >My /etc/pam.d/system looks like the following:
> >> >> >> >
> >> >> >> What do you mean by "cannot use password"?
> >> >> >> How do you authenticate ssh (or login on tty)?
> >> >> >> Are you able to resolve the user with "getent passwd" or "id"?
> >> >> >I cannot login using password or use sudo using password. Neither by
> >> >> >ssh nor by login on tty.
> >> >> >
> >> >> >I can see the users through getent passwd and id.
> >> >> >
> >> >> >The debug log of pam_sssd.so says:
> >> >> >
> >> >> >
> >> >> >Nov 13 17:31:59 macy sudo: in openpam_dispatch():
> >> >> >/usr/local/lib/pam_sss.so:
> >> >> >pam_sm_authenticate(): authentication error
> >> >> >Nov 13 17:32:01 macy su: in openpam_dispatch(): calling
> >> >> >pam_sm_setcred()
> >> >> >in
> >> >> >/usr/local/lib/pam_sss.so
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering:
PAM_SERVICE
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning
PAM_SUCCESS
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering:
PAM_USER
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning
PAM_SUCCESS
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_TTY
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning
PAM_SUCCESS
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering:
PAM_RUSER
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning
PAM_SUCCESS
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering:
PAM_RHOST
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning
PAM_SUCCESS
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering:
PAM_AUTHTOK
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning
PAM_SUCCESS
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering:
PAM_OLDAUTHTOK
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning
PAM_SUCCESS
> >> >> >Nov 13 17:32:01 macy su: in pam_set_data(): entering:
> >> >> >'pam_sss:fd_destructor'
> >> >> >Nov 13 17:32:01 macy su: in pam_set_data(): returning
PAM_SUCCESS
> >> >> >Nov 13 17:32:01 macy su: in openpam_dispatch():
> >> >> >/usr/local/lib/pam_sss.so:
> >> >> >pam_sm_setcred(): success
> >> >> >
> >> >> Those messages are from syslog.
> >> >> You need to find a problem in sssd logs.
> >> >> https://fedorahosted.org/sssd/wiki/Troubleshooting
> >> >Ok, here is the PAM log from sssd:
> >> >
> >> >(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100):
> >> >entering
> >> >pam_cmd_acct_mgmt
> >> >(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100):
> >> >command:
> >> >PAM_ACCT_MGMT
> >> >(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100):
> >> >domain: not
> >> >set
> >> There are just log messages from debug_level 0x0100.
> >>
> >> I assume you set "debug_level = 0x0100" into pam section.
> >> But 0x0100 is a bitmask style and does not contain debug
> >> messages with lower debug level.
> >>
> >> Could you set "debug_level = 0x03f0" or the non-bitmask version
> >> "debug_level = 7"?
> >>
> >> Please attach log sssd_pam.log and sssd_$domain.log files
> >> as attachments to the mail.
> >Here is the log file.
> >
> >Best regards,
> >Ronny
> >>
> >> LS
> >>
> >___________________________________
> >Ronny Forberger
> >ronnyforberger at ronnyforberger.de
> >PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
>
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [monitor_common_send_id] (0x0100):
> >Sending ID: (pam,1)
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_names_init_from_args] (0x0100):
> >Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_fqnames_init] (0x0100): Using
> >fq format [%1$s@%2$s].
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_fqnames_init] (0x0100): Found
> >the pattern for domain name
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [dp_common_send_id] (0x0100):
> >Sending ID to DP: (1,PAM)
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sysdb_domain_init_internal]
> >(0x0200): DB File for ronnyforberger.de:
> >/var/db/sss/cache_ronnyforberger.de.ldb
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): name 'root' matched without domain, user is root
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): using default domain [(null)]
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): name 'root' matched without domain, user is root
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): using default domain [(null)]
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [responder_set_fd_limit] (0x0100):
> >Maximum file descriptors set to [8192]
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [id_callback] (0x0100): Got id ack
> >and version (1) from Monitor
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [dp_id_callback] (0x0100): Got id
> >ack and version (1) from DP
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> >Received client version [3].
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> >Offered version [3].
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100):
> >entering pam_cmd_acct_mgmt
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): name 'rf' matched without domain, user is rf
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): using default domain [(null)]
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
> >PAM_ACCT_MGMT
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
> >not set
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service:
> >su
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
> >/dev/pts/0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> >root
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> >not set
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok
> >type: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100):
> >newauthtok type: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> >36168
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_check_user_search] (0x0100):
> >Requesting info for [rf(a)ronnyforberger.de]
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
> >request with the following data:
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
> >PAM_ACCT_MGMT
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
> >ronnyforberger.de
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service:
> >su
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
> >/dev/pts/0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> >root
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> >not set
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok
> >type: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100):
> >newauthtok type: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> >36168
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> >pam_dp_send_req returned 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100):
> >received: [0][ronnyforberger.de]
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> >called with result [0].
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 34
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> >Received client version [3].
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> >Offered version [3].
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_cmd_setcred] (0x0100): entering
> >pam_cmd_setcred
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): name 'rf' matched without domain, user is rf
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): using default domain [(null)]
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
> >PAM_SETCRED
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
> >not set
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service:
> >su
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
> >/dev/pts/0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> >root
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> >not set
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok
> >type: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100):
> >newauthtok type: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> >36168
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_check_user_search] (0x0100):
> >Requesting info for [rf(a)ronnyforberger.de]
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
> >request with the following data:
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
> >PAM_SETCRED
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
> >ronnyforberger.de
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service:
> >su
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
> >/dev/pts/0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> >root
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> >not set
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok
> >type: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100):
> >newauthtok type: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> >36168
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> >pam_dp_send_req returned 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100):
> >received: [0][ronnyforberger.de]
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> >called with result [0].
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 34
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [client_recv] (0x0200): Client
> >disconnected!
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> >Received client version [3].
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> >Offered version [3].
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
> >entering pam_cmd_authenticate
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): name 'rf' matched without domain, user is rf
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): using default domain [(null)]
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
> >PAM_AUTHENTICATE
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
> >not set
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service:
> >sudo
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
> >/dev/pts/0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> >not set
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok
> >type: 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100):
> >newauthtok type: 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> >36187
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_check_user_search] (0x0100):
> >Requesting info for [rf(a)ronnyforberger.de]
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
> >request with the following data:
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
> >PAM_AUTHENTICATE
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
> >ronnyforberger.de
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service:
> >sudo
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
> >/dev/pts/0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> >not set
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok
> >type: 0
"authtok type: 0" means that no password was sent; you should see a '1'
here for password authentication.
Have you been prompted for a password? Depending on where pam_sss is
used in the PAM configuration you have to use different options. E.g. if
there is a PAM module called before pam_sss which prompts for a password,
you have to use the 'use_first_pass' option to tell pam_sss not to
prompt for a password. If pam_sss is the first module which prompts for
a password, you should add 'forward_pass' to tell pam_sss to keep the
password in the PAM data so that other PAM modules can use it as well
(if needed). Please see man pam_sss for details.
It was the permissions on /etc/krb5.conf and /usr/local/etc/krb5.conf.
Thanks.
Best regards,
Ronny
HTH
bye,
Sumit
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100):
> >newauthtok type: 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> >36187
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> >pam_dp_send_req returned 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100):
> >received: [9][ronnyforberger.de]
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> >called with result [9].
> authentication for "sudo" failed here. 9 is a return code from PAM_AUTH_ERR.
>
> I could also see the same problem with authentication for the "dovecot" service
> and the same user "rf". But I could not see any attempt for authentication
> with ssh or login(tty). I would recommend to start testing with something
> simpler rather than sudo.
>
> BTW more details should be available in the domain log file
>
https://fedorahosted.org/sssd/wiki/Troubleshooting#TroubleshootingAuthent...
>
> LS
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
___________________________________
Ronny Forberger
ronnyforberger at ronnyforberger.de
PGP:
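The thread's diagnosis rests on two things in sssd_pam.log: Sumit's observation that "authtok type: 0" on a PAM_AUTHENTICATE request means no password reached pam_sss (a module-ordering / use_first_pass / forward_pass problem), and Lukas's reading of "pam_reply called with result [9]" as PAM_AUTH_ERR. The script below is an added example (not from the thread and not part of the sssd project) that automates that triage: it splits an sssd_pam.log excerpt into per-request records and flags both conditions. The line shapes it parses are modelled on the lines quoted above; the sample logs are constructed, and the mapping of result 9 to PAM_AUTH_ERR is taken from Lukas's statement, not from an exhaustive table.

```python
import re

# Generic sssd log line: "(timestamp) [sssd[pam]] [function] (0xlevel): message".
LINE_RE = re.compile(
    r"^\(.*?\) \[sssd\[pam\]\] \[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$"
)
ENTER_RE = re.compile(r"^entering (?P<cmd>pam_cmd_\w+)$")
FIELD_RE = re.compile(r"^(?P<key>[\w ]+?): (?P<value>.*)$")
REPLY_RE = re.compile(r"^pam_reply called with result \[(?P<code>\d+)\]\.$")

# Only the two codes the thread itself names; anything else is reported as unknown.
RESULT_NAMES = {0: "PAM_SUCCESS", 9: "PAM_AUTH_ERR"}

# Constructed excerpt modelled on the sssd_pam.log quoted in the thread:
# an acct_mgmt for "su" that succeeds, then an authenticate for "sudo" that
# arrives without a password and fails with code 9.
SAMPLE_LOG = """\
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: ronnyforberger.de
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [9][ronnyforberger.de]
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [9].
"""

# Constructed healthy counterpart: the password did reach pam_sss (type 1) and auth succeeded.
HEALTHY_LOG = """\
(Mon Nov 14 18:00:00 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Mon Nov 14 18:00:00 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 14 18:00:00 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 18:00:00 2016) [sssd[pam]] [pam_print_data] (0x0100): service: login
(Mon Nov 14 18:00:00 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Mon Nov 14 18:00:00 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
"""


def parse_requests(log_text):
    """Split an sssd_pam.log excerpt into one dict per PAM request.

    A request opens at "entering pam_cmd_*" and closes at its pam_reply line.
    sssd prints the pam_print_data block twice (before and after domain
    resolution); later values overwrite earlier ones, so the resolved
    domain wins.
    """
    requests, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func.startswith("pam_cmd_") and ENTER_RE.match(msg):
            current = {"fields": {}, "result": None}
            requests.append(current)
        elif current is None:
            continue
        elif func == "pam_print_data":
            f = FIELD_RE.match(msg)
            if f:
                current["fields"][f.group("key")] = f.group("value")
        elif func == "pam_reply":
            r = REPLY_RE.match(msg)
            if r:
                current["result"] = int(r.group("code"))
                current = None
    return requests


def triage(requests):
    """Return (user, service, command, finding) tuples for suspicious requests."""
    findings = []
    for req in requests:
        f = req["fields"]
        cmd = f.get("command", "?")
        who = (f.get("user", "?"), f.get("service", "?"), cmd)
        # Sumit's point: an authenticate call with no authtok means the PAM stack
        # never handed pam_sss a password (use_first_pass / forward_pass ordering).
        if cmd == "PAM_AUTHENTICATE" and f.get("authtok type") == "0":
            findings.append(who + ("authtok type 0: no password reached pam_sss; "
                                   "check module order and use_first_pass/forward_pass",))
        # Lukas's point: a non-zero pam_reply result is the failure itself.
        if req["result"] not in (None, 0):
            name = RESULT_NAMES.get(req["result"], "unknown code")
            findings.append(who + (f"request failed with result {req['result']} ({name})",))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_requests(SAMPLE_LOG)):
        print(" | ".join(finding))
```

Run it against a real sssd_pam.log captured at debug_level 0x03f0 (or 7) as Lukas suggested; at 0x0100 alone the pam_reply lines, which are level 0x0200, are missing and the result column stays empty.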