Hi,
I have existing systems that authenticate via LDAP using SSSD and have recently added a Fedora 40 system, except that it denies login to all of the LDAP users. It can see the users (user and groups owning files are displayed correctly, and the "finger" command finds the users), however for some reason it always fails to authenticate passwords.
The following is from /var/log/secure
Sep 15 11:26:27 ext5 sshd[265914]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.131.55 user=graham
Sep 15 11:26:29 ext5 sshd[265914]: Failed password for graham from 192.168.131.55 port 60366 ssh2
The LDAP server is a Fedora 34 but there are many older systems (back to Fedora 19) still authenticating via LDAP. I remember many years ago (I think it was when I was converting from NIS) that I had to change the password format, so maybe I have something old in my setup (passwords appear to be stored as a 52 character encrypted string).
I am looking for some pointers as to where to look for testing and troubleshooting this issue. Are there any tools to test sssd authentication? Or any other information that may help me?
Thank you
/etc/nsswitch contains (on both the working Fedora 34 and the not working Fedora 40 systems)
passwd:     sss files systemd
shadow:     files
group:      sss files systemd
hosts:      files myhostname dns
services:   sss files
netgroup:   sss files
automount:  sss files
aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files
/etc/sssd/sssd.conf contains (on both the working Fedora 34 and the not working Fedora 40 systems) - domain name changed.
[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.mydomain.net
ldap_chpass_uri = ldap://ldap.mydomain.net
ldap_search_base = dc=mydomain,dc=net
ldap_id_use_start_tls = True
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow
Did you check your Pam config?
On Sat, Sep 14, 2024, 6:42 PM GrahamC gcfedora@crowie.net wrote:
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Ah, yes, that was it. Thank you.
On 15/09/2024 12:11, Gregory Carter wrote:
Did you check your Pam config?
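As an added example (not code from the thread), a small POSIX shell check for the condition the reply points at: whether the PAM auth stack that sshd uses on Fedora actually loads pam_sss.so, so that SSSD is consulted for the password at all rather than only pam_unix, which is what the quoted pam_unix failure in /var/log/secure indicates. The two PAM files are constructed, simplified samples; the authselect and sssctl commands in the comments are the real Fedora tools to run on the affected host.

```shell
#!/bin/sh
# Added example: verify that a PAM service file routes "auth" through pam_sss.so.
# On the real Fedora 40 host the file to check is /etc/pam.d/password-auth
# (sshd includes it); "authselect current" shows the active profile and
# "authselect select sssd" writes a stack that contains pam_sss.so.
# With sssd-tools installed, "sssctl user-checks graham -s sshd -a auth"
# runs the PAM conversation for that user and service end to end.

# pam_has_sss_auth FILE -> 0 if FILE has an active (uncommented) "auth" line
# that loads pam_sss.so, 1 otherwise.
pam_has_sss_auth() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_sss\.so' "$1"
}

# pam_sss_before_deny FILE -> 0 if the pam_sss "auth" line comes before the
# "auth required pam_deny.so" line; a deny entry earlier in the stack ends
# evaluation before pam_sss is ever reached.
pam_sss_before_deny() {
    sss=$(grep -En '^[[:space:]]*auth[[:space:]].*pam_sss\.so' "$1" | head -n1 | cut -d: -f1)
    deny=$(grep -En '^[[:space:]]*auth[[:space:]].*pam_deny\.so' "$1" | head -n1 | cut -d: -f1)
    [ -n "$sss" ] && { [ -z "$deny" ] || [ "$sss" -lt "$deny" ]; }
}

# Constructed sample: a stack that was never switched to the sssd authselect
# profile, so only pam_unix (local /etc/shadow) is consulted.
BROKEN=$(mktemp)
cat >"$BROKEN" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok
auth        required      pam_deny.so
EOF

# Constructed sample: the same stack after "authselect select sssd".
FIXED=$(mktemp)
cat >"$FIXED" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
EOF

for f in "$BROKEN" "$FIXED"; do
    if pam_has_sss_auth "$f" && pam_sss_before_deny "$f"; then
        echo "$f: pam_sss.so is in the auth stack; SSSD will see LDAP passwords"
    else
        echo "$f: pam_sss.so missing from auth stack; LDAP users fall through to pam_deny"
    fi
done
```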