sssd login fails for some users when pointing to ldaps://127.0.0.1
I checked the accounts with ldapsearch -D and there is no issue:

```
$ ldapsearch -LLL -x -W -D ou=People,dc=example,dc=net -H ldaps://127.0.0.1 uid=johnny
Enter LDAP Password: (pass)
```

This gets the ldap entry fine.
When I point sssd to ldaps://corporate.ip, all account logins work fine.
Log shows:

```
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=johnny@ldap]
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [Initgroups #27]: New request. Flags [0x0001].
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Initgroups #27]: Receiving request data.
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_req_reply_gen_error] (0x0080): DP Request [Initgroups #27]: Finished. Backend is currently offline.
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::LDAP:name=johnny@ldap] from reply table
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): DP Request [Initgroups #27]: Request removed.
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_pam_handler] (0x0100): Got request with the following data
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [pam_print_data] (0x0100): domain: LDAP
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [pam_print_data] (0x0100): user: johnny@ldap
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [pam_print_data] (0x0100): service: sshd
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [pam_print_data] (0x0100): tty: ssh
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [pam_print_data] (0x0100): ruser:
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [pam_print_data] (0x0100): rhost: localhost
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [pam_print_data] (0x0100): authtok type: 0
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [pam_print_data] (0x0100): priv: 1
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [pam_print_data] (0x0100): cli_pid: 16946
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [pam_print_data] (0x0100): logon name: not set
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [PAM Account #28]: New request. Flags [0000].
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [sdap_access_send] (0x0400): Performing access check for user [johnny@ldap]
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [johnny@ldap]
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [sdap_access_decide_offline] (0x0400): *Access denied by cached credentials*
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [sdap_access_done] (0x0400): *Access was denied*.
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_req_done] (0x0400): DP Request [PAM Account #28]: Request handler finished [0]: Success
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #28]: Receiving request data.
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #28]: Request removed.
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_method_enabled] (0x0400): Target selinux is not configured
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #28]: Sending result [6][LDAP]

Jun 26 18:48:10 host sshd[16946]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=blodgen
Jun 26 18:48:10 host sshd[16946]: pam_sss(sshd:account): Access denied for user blodgen: 6 (Permission denied)
Jun 26 18:48:10 host sshd[16938]: error: PAM: User account has expired for blodgen from localhost
```
Here is the sssd config; I am using sssd version 1.16.
```ini
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam,sudo
domains = LDAP
homedir_substring = undef

[nss]
reconnection_retries = 3
filter_groups = root,wheel
filter_users = root

[pam]
reconnection_retries = 3
offline_credentials_expiration = 0

[sudo]

[domain/LDAP]
debug_level = 7
chpass_provider = ldap
access_provider = ldap
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_id_use_start_tls = true
ldap_search_base = ou=People,dc=example,dc=net
#ldap_uri = ldaps://192.168.1.100:1636
ldap_uri = ldaps://127.0.0.1
ldap_access_order = filter
ldap_access_filter = objectClass=mnetperson
ldap_user_uid_number = mnetid
ldap_user_gid_number = mnetid
ldap_group_gid_number = mnetid
ldap_group_object_class = inetOrgPerson
ldap_user_object_class = mnetPerson
ldap_user_fullname = uid
ldap_group_name = uid
ldap_network_timeout = 3
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/ssl/certs/host.cer
ldap_chpass_update_last_change = true
ldap_pwd_policy = none
ldap_account_expire_policy = none
ldap_default_authtok_type = password
ldap_default_bind_dn = uid=binduid,ou=People,dc=example,dc=net
ldap_default_authtok = secret
enumerate = false

sudo_provider = ldap
ldap_sudo_search_base = ou=People,dc=example,dc=net
ldap_sudorule_object_class = mnetperson

cache_credentials = true
default_shell = /bin/bash
fallback_homedir = /home/%u
```
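An added example, not part of the question: a small Python parser for the sssd domain-log format quoted above. It groups entries by DP request and records the pattern visible in that log, an Initgroups request finishing with "Backend is currently offline" followed by an access decision taken from cached data (sdap_access_decide_offline) rather than from a live LDAP query. The sample lines are constructed to mirror the question's entries; the regexes are assumptions based on that format.

```python
import re
from collections import defaultdict

# sssd domain-log line format as it appears in the question:
# (timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
LOG_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# Lines that belong to a data-provider request carry its name in brackets.
REQ_RE = re.compile(r"DP Request \[(?P<req>[^\]]+)\]: (?P<detail>.*)")

# Constructed sample mirroring the entries quoted in the question (asterisks removed).
SAMPLE_LOG = """\
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [Initgroups #27]: New request. Flags [0x0001].
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_req_reply_gen_error] (0x0080): DP Request [Initgroups #27]: Finished. Backend is currently offline.
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [PAM Account #28]: New request. Flags [0000].
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [sdap_access_decide_offline] (0x0400): Access denied by cached credentials
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [sdap_access_done] (0x0400): Access was denied.
(Tue Jun 26 18:48:10 2018) [sssd[be[LDAP]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #28]: Sending result [6][LDAP]
""".splitlines()

def parse_line(line):
    """Split one log line into its fields, or return None if it is not sssd format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines):
    """Group entries by DP request; record offline, cache-denied, denied and result."""
    reqs = defaultdict(lambda: {"offline": False, "denied_cached": False,
                                "denied": False, "result": None})
    current = None  # request that un-prefixed access-check lines belong to
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        r = REQ_RE.search(e["msg"])
        if r:
            current, detail = r.group("req"), r.group("detail")
            if "Backend is currently offline" in detail:
                reqs[current]["offline"] = True
            m = re.search(r"Sending result \[(\d+)\]", detail)
            if m:
                reqs[current]["result"] = int(m.group(1))
        elif current and "denied" in e["msg"].lower():
            if e["func"] == "sdap_access_decide_offline":
                reqs[current]["denied_cached"] = True  # decided from cache, not LDAP
            elif e["func"] == "sdap_access_done":
                reqs[current]["denied"] = True
    return dict(reqs)
```

Run it over /var/log/sssd/sssd_LDAP.log (the domain log at debug_level 7) to see which PAM account requests were decided while the backend was offline, which separates a cached-access denial from a real LDAP access-filter rejection.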