After trying for several days, I want to ask if this is even possible:
I am running CentOS 6.4 and I have sssd-1.9.2-82 installed. I would like to
log into my machine by querying an OpenLDAP server running elsewhere. The
big difference that I have from the normal sssd setup, is I only want to
use the local Unix accounts (/etc/passwd and /etc/shadow) if my LDAP server
is offline.
So how do I do this? Should I be able to do all of this through pam? Either
way, the issue I am seeing with sssd is the return value of pam when sssd
can't connect to my ldap server. It always returns 'user_unknown' instead
of 'authinfo_unavail' as I would expect. Am I configuring something
incorrectly?
/etc/pam.d/password-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [success=done new_authtok_reqd=done authinfo_unavail=ignore default=die] pam_sss.so forward_pass
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
/etc/sssd/sssd.conf:
[domain/default]
debug_level = 9
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=cn=group,ou=Roles,dc=example,dc=com
ldap_group_member = memberUid
ldap_group_search_base = ou=Roles,dc=example,dc=com
chpass_provider = ldap
ldap_uri = ldap://test-server/
[sssd]
debug_level = 9
services = pam
config_file_version = 2
domains = default
[nss]
debug_level = 9
[pam]
debug_level = 9
[sudo]
debug_level = 9
[autofs]
debug_level = 9
[ssh]
debug_level = 9
[pac]
debug_level = 9
/var/log/sssd/sssd_default.log:
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [sbus_message_handler]
(0x4000): Received SBUS method [getAccountInfo]
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [be_get_account_info]
(0x0100): Got request for [3][1][name=user]
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [ldb] (0x4000): Added timed
event "ltdb_callback": 0x196b8f0
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [ldb] (0x4000): Added timed
event "ltdb_timeout": 0x196c2b0
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [ldb] (0x4000): Destroying
timer event 0x196c2b0 "ltdb_timeout"
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [ldb] (0x4000): Ending timer
event 0x196b8f0 "ltdb_callback"
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [acctinfo_callback]
(0x0100): Request processed. Returned 1,11,Offline
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [sbus_dispatch] (0x4000):
dbus conn: 1964B00
(Tue Mar 18 19:09:52 2014) [sssd[be[default]]] [sbus_dispatch] (0x4000):
Dispatching.
/var/log/sssd/sssd_pam.log:
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [accept_fd_handler] (0x0400): Client
connected to privileged pipe!
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x6cc030][19]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_cmd_get_version] (0x0200):
Received client version [3].
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_cmd_get_version] (0x0200):
Offered version [3].
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x6cc030][19]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x6cc030][19]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
entering pam_cmd_authenticate
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'user' matched without domain, user is user
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): domain:
not set
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): user: user
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): service:
sshd
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): rhost:
test-server
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 1
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): authtok
size: 8
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok size: 0
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
10665
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/USER/default/user]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x41b300:3:user@default]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_dp_get_account_msg] (0x0400):
Creating request for [default][3][1][name=user]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x6cdf20
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x41b300:3:user@default]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sbus_remove_timeout] (0x2000):
0x6cdf20
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn:
6C8DE0
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sbus_dispatch] (0x4000):
Dispatching.
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got
reply from Data Provider - DP error code: 1 errno: 11 error message: Offline
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_check_user_dp_callback]
(0x0040): Unable to get information from Data Provider
Error: 1, 11, Offline
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_check_user_search] (0x0100):
Requesting info for [user@default]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x6d7360
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x6d7480
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [ldb] (0x4000): Destroying timer
event 0x6d7480 "ltdb_timeout"
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [ldb] (0x4000): Ending timer event
0x6d7360 "ltdb_callback"
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_check_user_search] (0x0080): No
matching domain found for [user], fail!
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_reply] (0x0200): pam_reply
called with result [10].
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [pam_reply] (0x0100): blen: 8
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x41b300:3:user@default]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x6cc030][19]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x6cc030][19]
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [client_recv] (0x0200): Client
disconnected!
(Tue Mar 18 19:09:52 2014) [sssd[pam]] [client_destructor] (0x2000):
Terminated client [0x6cc030][19]
I tried to provide only the portions of files that I found relevant. I can
provide more upon request.
Thanks,
Kevin
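The behaviour in the post follows directly from the PAM control flags on the pam_sss line. The sssd_pam.log shows sssd failing to find the name in any domain while offline ("No matching domain found for [user], fail!") and replying with result [10], which is PAM_USER_UNKNOWN in Linux-PAM's numbering; on the posted stack that return value is not listed, so it falls under `default=die` and the stack terminates before pam_unix is consulted. The script below is an added illustration (not code from the post, from sssd or from Linux-PAM): it implements the bracketed `[value=action ...]` semantics documented in pam.conf(5) for ignore/ok/done/bad/die, expands the classic keywords the way that manual defines them, and runs the posted stack and a variant with `user_unknown=ignore` added against constructed per-module return values. Module names, scenario names and the return values in each scenario are assumptions made up for the simulation; `reset` and numeric jump actions are not modelled because the posted stack uses neither.

```python
"""Simulate Linux-PAM control-flag evaluation for the 'auth' stack in the post.

Added illustration, not code from the post, sssd or Linux-PAM. Module return
values are constructed per scenario; nothing here talks to a real PAM stack.
"""

# Classic keywords expanded to the bracketed form, as in pam.conf(5).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """Turn a control field into a {return_value: action} map."""
    control = KEYWORDS.get(control.strip(), control.strip())
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unsupported control field: %r" % control)
    return dict(pair.split("=", 1) for pair in control[1:-1].split())


def run_stack(stack, returns):
    """Return the status PAM hands back to the application for this stack.

    stack:   list of (control, module) lines in order.
    returns: {module: return_value} for this scenario; unlisted modules succeed.
    """
    status = None       # value the stack will return; None until a module contributes
    negative = False    # a failure has been recorded and can no longer be overridden
    for control, module in stack:
        ret = returns.get(module, "success")
        actions = parse_control(control)
        # values not mentioned in the brackets fall under 'default' (libpam: bad)
        action = actions.get(ret, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if not negative:            # an earlier failure already decided the outcome
                status = ret
                negative = ret != "success"
            if action == "done" and not negative:
                return status           # terminate the stack with this module's value
        elif action in ("bad", "die"):
            if not negative:
                status, negative = ret, True
            if action == "die":
                return status           # terminate immediately with the failure
        else:
            raise ValueError("unsupported action %r" % action)
    # libpam's sanity check: if nothing contributed, the answer is PAM_PERM_DENIED
    return status if status is not None else "perm_denied"


# The auth stack from the post, one tuple per line (module arguments omitted).
POSTED_STACK = [
    ("required", "pam_env.so"),
    ("[success=done new_authtok_reqd=done authinfo_unavail=ignore default=die]", "pam_sss.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite", "pam_succeed_if.so"),
    ("required", "pam_deny.so"),
]

# Same stack with one change on the pam_sss line: sssd's PAM_USER_UNKNOWN is
# ignored instead of hitting default=die, so evaluation reaches pam_unix.
FALLBACK_STACK = [
    ("required", "pam_env.so"),
    ("[success=done new_authtok_reqd=done authinfo_unavail=ignore user_unknown=ignore default=die]", "pam_sss.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite", "pam_succeed_if.so"),
    ("required", "pam_deny.so"),
]

# Constructed scenarios (assumed, not taken from real modules): pam_env and
# pam_succeed_if succeed, pam_deny always returns perm_denied (added in outcomes()).
SCENARIOS = {
    # LDAP unreachable and the account exists only in /etc/passwd: sssd has never
    # cached it, so it answers user_unknown, as the post's sssd_pam.log shows.
    "offline, local user, right password": {"pam_sss.so": "user_unknown", "pam_unix.so": "success"},
    "offline, local user, wrong password": {"pam_sss.so": "user_unknown", "pam_unix.so": "auth_err"},
    "online, LDAP user, right password":   {"pam_sss.so": "success", "pam_unix.so": "user_unknown"},
    "online, LDAP user, wrong password":   {"pam_sss.so": "auth_err", "pam_unix.so": "user_unknown"},
}


def outcomes(stack):
    """Map each scenario name to the status the given stack returns for it."""
    return {name: run_stack(stack, {**rets, "pam_deny.so": "perm_denied"})
            for name, rets in SCENARIOS.items()}


if __name__ == "__main__":
    for label, stack in (("posted stack", POSTED_STACK), ("with user_unknown=ignore", FALLBACK_STACK)):
        print(label)
        for name, status in outcomes(stack).items():
            print("  %-38s -> %s" % (name, status))
```

Two things the simulation makes visible. First, `authinfo_unavail=ignore` on the posted line never fires in the logged case, because sssd is reporting an unknown user, not an unavailable backend, so the fallback to pam_unix has to be opened for `user_unknown` as well. Second, that opening is not limited to the offline case: with `user_unknown=ignore`, any name sssd does not know falls through to pam_unix even while LDAP is reachable, so the `ldap_access_filter` in the posted sssd.conf only governs accounts that exist in LDAP, and local accounts in /etc/passwd are accepted on their own strength. A wrong password for an LDAP user still returns auth_err without reaching pam_unix on both stacks, because auth_err stays under `default=die`.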