On Wed, Mar 16, 2016 at 10:52:22PM -0400, Cyril Scetbon wrote:
Any other idea? Here is the information I can provide you:
# /etc/nsswitch.conf
passwd: compat sss ldap
group: compat sss ldap
shadow: compat ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
my pam file
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_sss.so
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
/etc/sssd/sssd.conf
[domain/default]
debug_level=0xFFF0
autofs_provider = ldap
ldap_default_bind_dn = uid=myuid,ou=Auth,dc=mydc1,dc=mydc2
ldap_default_authtok_type = password
ldap_default_authtok = mysecret
ldap_schema = rfc2307bis
krb5_realm =
# ldap_search_base = dc=mydc1,dc=mydc2
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://myldap
ldap_id_use_start_tls = True
cache_credentials = True
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert=demand

[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[pam]
[nss]
[sudo]
[autofs]
[ssh]
[pac]
As said earlier, I tried with those 2 commands to simulate the loss of the LDAP server:
iptables -A OUTPUT -p tcp --dport 636 -j REJECT
iptables -A OUTPUT -p tcp --dport 636 -j DROP
Is it possible to see full logs from all responders?
By the way I suspect the reason Lukas asked about TLS vs LDAPs is https://fedorahosted.org/sssd/ticket/2878
(I know this doesn't help your problem, but I use cached credentials on my laptop as the only authentication source, so I know they work OK..)
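A small lint for the offline-login prerequisites discussed in this thread, added here as an example; it is not code from the thread or from the SSSD project. It parses an sssd.conf-style file (the constructed sample below mirrors the posted configuration with placeholder values) and reports anything that would stop cached logins from working once the LDAP server is unreachable, plus the cleartext bind password that this style of configuration keeps in the file.

```python
import configparser

# Constructed sample, modelled on the sssd.conf posted in the thread
# (placeholder host/DN/secret values, real sssd.conf key names).
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://myldap
ldap_id_use_start_tls = True
cache_credentials = True
ldap_default_bind_dn = uid=myuid,ou=Auth,dc=mydc1,dc=mydc2
ldap_default_authtok_type = password
ldap_default_authtok = mysecret
ldap_tls_reqcert = demand

[pam]
[nss]
"""


def _csv(value):
    """Split a comma-separated sssd.conf value into a clean list."""
    return [x.strip() for x in value.split(",") if x.strip()]


def lint_sssd_conf(text):
    """Return findings (strings); an empty list means offline login can work."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if "pam" not in _csv(cp.get("sssd", "services", fallback="")):
        findings.append("[sssd] services: 'pam' missing, pam_sss cannot authenticate")
    domains = _csv(cp.get("sssd", "domains", fallback=""))
    if not domains:
        findings.append("[sssd] domains: empty, no domain is served")
    for dom in domains:
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            findings.append(f"[{sect}]: listed in domains but section missing")
            continue
        # Without cache_credentials nothing is stored locally, so a lost
        # LDAP server means no login at all, not a degraded one.
        if not cp.getboolean(sect, "cache_credentials", fallback=False):
            findings.append(f"[{sect}] cache_credentials: not True, offline login impossible")
        # sssd's default for ldap_tls_reqcert is 'hard'; anything weaker skips cert checks.
        if cp.get(sect, "ldap_tls_reqcert", fallback="hard") not in ("demand", "hard"):
            findings.append(f"[{sect}] ldap_tls_reqcert: weaker than demand/hard, server cert not verified")
        if cp.has_option(sect, "ldap_default_authtok"):
            findings.append(f"[{sect}] ldap_default_authtok: bind password in cleartext, "
                            "keep the file root-owned with mode 0600")
    return findings
```

Run it against a copy of the real file before pulling the plug with iptables: if the only finding is the cleartext bind password, the configuration itself is not what blocks the cached login.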