I'm using sssd 1.11.7 in a jail on FreeBSD 10.2 and seeing an odd failure.
sssd is configured for nss and pam, both against an OpenLDAP server. NSS seems to work, as
evidenced by various getent calls.
When I ssh to the jail as an LDAP user, the authentication fails with return code 9:
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: default
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): user: myuser
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: not set
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: host.edu
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 65873
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [9][default]
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [9].
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 24
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
When I log in to the jail as an unprivileged user and su to the LDAP user, authentication
succeeds:
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): user: myser
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: anotheruser
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 67944
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [myuser@default]
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: default
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): user: myuser
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: anotheruser
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 67944
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][default]
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 24
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_cmd_setcred] (0x0100): entering pam_cmd_setcred
Even weirder is the fact that, having once used su to authenticate the LDAP user,
subsequent attempts to ssh as the LDAP user succeed!
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'myuser' matched without domain, user is myuser
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): user: myuser
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: not set
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: host.edu
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 78882
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [myuser@default]
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: default
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): user: myuser
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: not set
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: host.edu
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 78882
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][default]
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 24
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_cmd_setcred] (0x0100): entering pam_cmd_setcred
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'myuser' matched without domain, user is myuser
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
Suggestions for next steps are welcome.
Thanks
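When comparing sssd_pam traces like the ones in this post, the useful step is to reduce each PAM request to the handful of fields that differ between the failing and the succeeding attempt (service, priv, whether the responder ran a user lookup, the domain as received versus as forwarded, and the numeric result). The following script is an added example, not part of the original post or of sssd itself; it parses the responder's log format, merges the two pam_print_data dumps the responder emits for one request on cli_pid, and attaches the pam_dp_process_reply result. The embedded sample log is constructed from the lines quoted above (the failing sshd attempt and the succeeding su attempt), with the mail-client line wrapping undone; the field names in the output rows are this script's own.

```python
import re

# Constructed sample log, modelled on the lines quoted in the post above:
# the failing sshd attempt (cli_pid 65873) and the succeeding su attempt
# (cli_pid 67944), one log entry per line.
SAMPLE_LOG = """\
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: default
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): user: myuser
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 65873
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [9][default]
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): user: myuser
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 67944
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [myuser@default]
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: default
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): user: myuser
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 67944
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][default]
"""

# "(timestamp) [sssd[pam]] [function] (debug level): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[pam\]\] \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
REPLY_RE = re.compile(r"received: \[(?P<code>\d+)\]\[(?P<domain>[^\]]*)\]")


def parse_pam_log(text):
    """Group sssd_pam log entries into one record per PAM request.

    The responder dumps the request with pam_print_data a second time when
    it forwards it to the data provider, so dumps are merged on cli_pid.
    Each record keeps every dump, whether pam_check_user_search ran for it,
    and the numeric result reported by pam_dp_process_reply.
    """
    requests = []   # records in order of first appearance
    open_reqs = {}  # unanswered records keyed by cli_pid
    dump = None     # pam_print_data block currently being read
    current = None  # record the most recent dump belonged to
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unrelated or truncated line
        func, msg = m.group("func"), m.group("msg")
        if func == "pam_print_data":
            key, _, value = msg.partition(": ")
            if key == "command":
                dump = {"command": value}      # a new dump starts here
            elif dump is not None:
                dump[key] = value
                if key == "cli_pid":           # last field of a dump
                    current = open_reqs.get(value)
                    if current is None:
                        current = {"cli_pid": value, "ts": m.group("ts"),
                                   "dumps": [], "lookup": False,
                                   "result": None, "result_domain": None}
                        open_reqs[value] = current
                        requests.append(current)
                    current["dumps"].append(dump)
                    dump = None
        elif func == "pam_check_user_search" and current is not None:
            current["lookup"] = True
        elif func == "pam_dp_process_reply" and current is not None:
            r = REPLY_RE.search(msg)
            if r:
                current["result"] = int(r.group("code"))
                current["result_domain"] = r.group("domain")
                open_reqs.pop(current["cli_pid"], None)
    return requests


def summarize(requests):
    """Reduce each request to the fields worth comparing across attempts."""
    rows = []
    for req in requests:
        first, last = req["dumps"][0], req["dumps"][-1]
        rows.append({
            "cli_pid": req["cli_pid"],
            "service": last.get("service"),
            "user": last.get("user"),
            "priv": last.get("priv"),
            "domain_in": first.get("domain"),    # as received from the client
            "domain_sent": last.get("domain"),   # as sent to the data provider
            "user_lookup": req["lookup"],
            "result": req["result"],
        })
    return rows


if __name__ == "__main__":
    for row in summarize(parse_pam_log(SAMPLE_LOG)):
        # The result is a PAM constant as numbered by the PAM headers sssd was
        # built against; Linux-PAM and OpenPAM number the PAM_* constants
        # differently, so resolve it against those headers, not a fixed table.
        print("{service:>5} pid={cli_pid} priv={priv} domain={domain_in}->{domain_sent} "
              "lookup={user_lookup} result={result}".format(**row))
```

Run against a full sssd_pam.log (replace SAMPLE_LOG with the file contents) the summary puts the attempts side by side, which is what a reply on the list will want: for the sample above it shows the sshd request with priv=1, no pam_check_user_search and result 9, next to the su request with priv=0, a lookup, the domain going from "not set" to "default", and result 0. The numeric code is deliberately left unmapped, since the symbolic name it stands for depends on whether the build used Linux-PAM or OpenPAM headers.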