Hey Jakub,
So I think I've provided you all the log files I could. The last version (first a connection with the reachable LDAP, and then without) can be found at: http://pastebin.com/B3JnMr65
The other logs are empty:
# ls -lrt /var/log/sssd/
total 304
-rw------- 1 root root      0 Mar 17 19:16 sssd_pam.log
-rw------- 1 root root      0 Mar 17 19:16 sssd_nss.log
-rw------- 1 root root      0 Mar 17 19:16 sssd_autofs.log
-rw------- 1 root root      0 Mar 17 19:16 sssd.log
-rw------- 1 root root      0 Mar 17 19:16 ldap_child.log
-rw------- 1 root root 306912 Mar 17 19:17 sssd_default.log
However, I found other logs:
Mar 17 19:22:26 cscetbon-vdi mysqld: pam_sss(serverdb:auth): authentication success; logname= uid=64259 euid=64259 tty= ruser= rhost= user=myuser    <==== ldap accessible

Mar 17 19:22:49 cscetbon-vdi mysqld: pam_sss(serverdb:auth): authentication success; logname= uid=64259 euid=64259 tty= ruser= rhost= user=myuser    <== no ldap
Mar 17 19:22:54 cscetbon-vdi mysqld: nss_ldap: could not search LDAP server - Server is unavailable
Mar 17 19:22:55 cscetbon-vdi unix_chkpwd: nss_ldap: could not connect to any LDAP server as uid=pamldap,ou=Auth,dc=fti,dc=net - Can't contact LDAP server
Mar 17 19:22:55 cscetbon-vdi unix_chkpwd: nss_ldap: failed to bind to LDAP server ldaps://ldap.multis/: Can't contact LDAP server
Mar 17 19:22:55 cscetbon-vdi unix_chkpwd: nss_ldap: could not search LDAP server - Server is unavailable
Mar 17 19:22:55 cscetbon-vdi unix_chkpwd[3173]: could not obtain user info (myuser)
Mar 17 19:25:01 cscetbon-vdi CRON[3652]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 17 19:25:01 cscetbon-vdi CRON[3652]: pam_unix(cron:session): session closed for user root
I'm wondering whether another PAM file isn't being included, even though I thought it wasn't, because of this unix_chkpwd issue.
On Mar 17, 2016, at 13:13, Jakub Hrozek jhrozek@redhat.com wrote:
On Wed, Mar 16, 2016 at 10:52:22PM -0400, Cyril Scetbon wrote:
Any other idea? Here is the information I can provide you:
# /etc/nsswitch.conf
passwd:         compat sss ldap
group:          compat sss ldap
shadow:         compat ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss
my pam file:

# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]      pam_sss.so
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
/etc/sssd/sssd.conf:

[domain/default]
debug_level = 0xFFF0
autofs_provider = ldap
ldap_default_bind_dn = uid=myuid,ou=Auth,dc=mydc1,dc=mydc2
ldap_default_authtok_type = password
ldap_default_authtok = mysecret
ldap_schema = rfc2307bis
krb5_realm =
# ldap_search_base = dc=mydc1,dc=mydc2
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://myldap
ldap_id_use_start_tls = True
cache_credentials = True
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = demand

[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[pam]

[nss]

[sudo]

[autofs]

[ssh]

[pac]
As said earlier, I tried these two commands to simulate the loss of the LDAP server:

iptables -A OUTPUT -p tcp --dport 636 -j REJECT
iptables -A OUTPUT -p tcp --dport 636 -j DROP
Is it possible to see full logs from all responders?
By the way, I suspect the reason Lukas asked about TLS vs LDAPS is https://fedorahosted.org/sssd/ticket/2878
(I know this doesn't help your problem, but I use cached credentials on my laptop as the only authentication source, so I know they work OK..)

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
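The thread leaves open which PAM file is bringing pam_unix.so (and therefore its unix_chkpwd helper, the process that logs "could not obtain user info") into the mysqld stack. The script below is an added example, not code from the thread or from the SSSD project: it resolves a PAM service file by following "@include <file>" and "<type> include|substack <file>" lines and reports which file contributes each module line. The function names (pam_stack_expand, pam_stack_uses, pam_stack_where, pam_demo_tree) are invented here; "serverdb" is the service name visible in the log lines, /etc/pam.d is the standard directory, and the three files the demo writes into a temporary directory are constructed for illustration, not the poster's real configuration.

```shell
#!/bin/sh
# Added example (not from the thread): expand a PAM service stack across
# @include / include / substack directives so you can see which file pulls
# in a given module. Run against the real host with:
#   pam_stack_where /etc/pam.d serverdb pam_unix.so
#   pam_stack_uses  /etc/pam.d serverdb auth pam_unix.so && echo "auth reaches pam_unix"

# pam_stack_expand <pam.d dir> <service> [depth]
# Prints "<file>\t<line>" for every effective (non-comment, non-include) line.
pam_stack_expand() {
    local dir svc depth line
    dir=$1; svc=$2; depth=${3:-0}
    if [ "$depth" -gt 10 ]; then
        echo "pam_stack_expand: include nesting too deep at $svc" >&2
        return 1
    fi
    if [ ! -r "$dir/$svc" ]; then
        echo "pam_stack_expand: cannot read $dir/$svc" >&2
        return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f          # word-split the line, no globbing
        case "${1:-}" in
            ''|'#'*) continue ;;              # blank line or comment
        esac
        if [ "$1" = "@include" ]; then
            pam_stack_expand "$dir" "${2:-}" $((depth + 1)) || return 1
        elif [ "${2:-}" = "include" ] || [ "${2:-}" = "substack" ]; then
            pam_stack_expand "$dir" "${3:-}" $((depth + 1)) || return 1
        else
            printf '%s\t%s\n' "$svc" "$line"
        fi
    done < "$dir/$svc"
}

# pam_stack_uses <pam.d dir> <service> <type> <module>
# Exit 0 if a line of the given type (auth/account/password/session) in the
# resolved stack names the module, 1 otherwise. Literal match, not a regex.
pam_stack_uses() {
    pam_stack_expand "$1" "$2" | awk -v t="$3" -v m="$4" '
        $2 == t && index($0, m) > 0 { found = 1 }
        END { exit !found }'
}

# pam_stack_where <pam.d dir> <service> <module>
# Lists "<file>\t<line>" for every resolved line that names the module.
pam_stack_where() {
    pam_stack_expand "$1" "$2" | grep -F -- "$3"
}

# Constructed pam.d tree for the demo (invented contents, not the poster's
# real files): the service file never mentions pam_unix.so itself, the auth
# stack it @includes is sss-only like the one in the thread, but the account
# stack it also @includes still calls pam_unix.so, which spawns unix_chkpwd.
pam_demo_tree() {
    local d
    d=$(mktemp -d) || return 1
    cat > "$d/serverdb" <<'EOF'
# PAM service used by the mysqld PAM plugin (constructed example)
auth    required    pam_env.so
@include common-auth
@include common-account
EOF
    cat > "$d/common-auth" <<'EOF'
# auth stack modelled on the one in the thread: sss only, no pam_unix.so
auth    [success=1 default=ignore]  pam_sss.so
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF
    cat > "$d/common-account" <<'EOF'
# account stack still consults the local password database first
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite                   pam_deny.so
account required                    pam_permit.so
account sufficient                  pam_sss.so
EOF
    printf '%s\n' "$d"
}
```

pam_stack_where answers the question the thread is circling: on the constructed tree it prints a single line attributed to common-account, i.e. pam_unix.so enters the serverdb stack through an included file, not through the service file or the auth block that was posted. Run it against /etc/pam.d on the real host to get the equivalent answer for that system; note that the type comparison in pam_stack_uses is exact, so lines written as "-auth" (optional module) are not counted as "auth".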