On (28/08/14 16:13), Lukas Slebodnik wrote:
On (28/08/14 16:00), Stefan Schäfer wrote:
Hello list,
this is my first try here.
I've a problem with an sssd_ad setup with a samba 4 ad domain.
The Samba domain is created with the rfc2307 schema. sssd works, getent passwd shows users and groups with UNIX attributes from the ad, but login is impossible.
The setup is based on openSUSE 13.1 with sssd updated to version 1.12 and the sernet samba packages version 4.1.11.
My sssd configuration:
[sssd]
services = nss,pam
config_file_version = 2
domains = invis-ad.loc
debug_level = 5
[nss]
[pam]
[domain/invis-ad.loc]
# Using id_provider=ad sets the best defaults on its own
id_provider = ad
# In sssd, the default access provider is always 'permit'. The AD access
# provider by default checks for account expiration
access_provider = ad
# Authentication
auth_provider = ad
# Uncomment to use POSIX attributes on the server
ldap_id_mapping = false
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
ad_hostname = invisad.invis-ad.loc
# Uncomment if DNS SRV resolution is not working
ad_server = invisad.invis-ad.loc
# Uncomment if the domain section is named differently than your Samba domain
ad_domain = invis-ad.loc
# Enumeration is discouraged for performance reasons.
enumerate = true
nsswitch.conf:
....
passwd compat sss
group compat sss
.....
getent passwd:
.... hbecker:*:10000:10000:Heinz Becker:/home/hbecker:/bin/bash
This is exactly what is stored in the ad.
The pam configuration:
common-auth
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_sss.so use_first_pass
common-account
#%PAM-1.0
account requisite pam_unix.so try_first_pass
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
common-password
password requisite pam_cracklib.so
password sufficient pam_unix.so use_authtok nullok try_first_pass
password sufficient pam_sss.so use_authtok
common-session
#%PAM-1.0
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_sss.so
session optional pam_umask.so
session optional pam_systemd.so
session optional pam_env.so
Here the logs from different login tries:
- non-existing user
2014-08-28T15:52:29.560167+02:00 invisad login: pam_unix(login:auth): check pass; user unknown
2014-08-28T15:52:29.560490+02:00 invisad login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
2014-08-28T15:52:29.567475+02:00 invisad login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=oierwe
2014-08-28T15:52:29.569417+02:00 invisad login: pam_sss(login:auth): received for user oierwe: 10 (User not known to the underlying authentication module)
2014-08-28T15:52:29.572497+02:00 invisad login: pam_unix(login:account): could not identify user (from getpwnam(oierwe))
2014-08-28T15:52:29.573783+02:00 invisad login: User not known to the underlying authentication module
seems to be ok.
- existing user, wrong password
2014-08-28T15:53:33.988971+02:00 invisad login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=hbecker
2014-08-28T15:53:34.090927+02:00 invisad [sssd[krb5_child[16213]]]: #020
2014-08-28T15:53:34.101970+02:00 invisad login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=hbecker
2014-08-28T15:53:34.103406+02:00 invisad login: pam_sss(login:auth): received for user hbecker: 17 (Failure setting user credentials)
2014-08-28T15:53:34.104581+02:00 invisad login: pam_sss(login:account): Access denied for user hbecker: 4 (System error)
sssd should not return 4 (System error).
Could you put debug_level = 7 into the domain section (in /etc/sssd/sssd.conf), then restart sssd and log in as a samba user?
You should find the reason why sssd returned 4 (System error) in the sssd_invis-ad.loc.log file (/var/log/sssd).
For a wrong password you should see something similar:
[sssd[be[example.test]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set
[sssd[be[example.test]]] [ipa_auth_ldap_done] (0x0080): LDAP authentication failed, Password migration not possible.
[sssd[be[example.test]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 8, <NULL>) [Success]
[sssd[be[example.test]]] [be_pam_handler_callback] (0x0100): Sending result [8][example.test]
[sssd[be[example.test]]] [be_pam_handler_callback] (0x0100): Sent result [8][example.test]
                                                                         ^^^ value of pam error code
LS
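An added example, not part of the thread: a small Python script that pulls the numeric PAM result out of sssd backend log lines ("Sending result [N][domain]") and out of pam_sss syslog lines like those quoted above, and names it with the Linux-PAM constant, so that "4" reads as PAM_SYSTEM_ERR and "8" as PAM_CRED_INSUFFICIENT. The code-to-name table is taken from Linux-PAM's _pam_types.h; the sample lines are the ones quoted in this thread.

```python
import re
# Linux-PAM return codes (values from _pam_types.h); sssd logs only the number.
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             7: "PAM_AUTH_ERR", 8: "PAM_CRED_INSUFFICIENT", 9: "PAM_AUTHINFO_UNAVAIL",
             10: "PAM_USER_UNKNOWN", 12: "PAM_NEW_AUTHTOK_REQD",
             13: "PAM_ACCT_EXPIRED", 17: "PAM_CRED_ERR"}
# Backend (sssd_<domain>.log) line: "[sssd[be[domain]]] [function] (0x0100): message"
BE_LINE = re.compile(r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[(?P<func>\w+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
BE_RESULT = re.compile(r"^Sending result \[(?P<code>\d+)\]\[(?P<domain>[^\]]+)\]")
# pam_sss line as written to syslog on the client side
PAM_SSS = re.compile(r"pam_sss\((?P<service>[^)]+)\): (?:received for|Access denied for) "
                     r"user (?P<user>\S+): (?P<code>\d+) \(")

def pam_name(code):
    return PAM_CODES.get(code, "unknown(%d)" % code)

def parse_backend(lines):
    """Per 'Sending result' line: code, PAM name, and the backend messages before it."""
    results, context = [], []
    for line in lines:
        m = BE_LINE.search(line)
        if not m:
            continue
        r = BE_RESULT.match(m["msg"])
        if r:
            code = int(r["code"])
            results.append({"domain": r["domain"], "code": code,
                            "name": pam_name(code), "context": context})
            context = []
        elif not m["msg"].startswith("Sent result"):
            context.append("%s: %s" % (m["func"], m["msg"]))
    return results

def parse_pam_sss(lines):
    """Return (service, user, code, PAM name) for each pam_sss result line."""
    return [(m["service"], m["user"], int(m["code"]), pam_name(int(m["code"])))
            for m in map(PAM_SSS.search, lines) if m]

# Sample input: the log lines quoted in this thread.
BACKEND_SAMPLE = [
    "[sssd[be[example.test]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set",
    "[sssd[be[example.test]]] [ipa_auth_ldap_done] (0x0080): LDAP authentication failed, Password migration not possible.",
    "[sssd[be[example.test]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 8, <NULL>) [Success]",
    "[sssd[be[example.test]]] [be_pam_handler_callback] (0x0100): Sending result [8][example.test]",
]
SYSLOG_SAMPLE = [
    "2014-08-28T15:53:34.103406+02:00 invisad login: pam_sss(login:auth): received for user hbecker: 17 (Failure setting user credentials)",
    "2014-08-28T15:53:34.104581+02:00 invisad login: pam_sss(login:account): Access denied for user hbecker: 4 (System error)",
]
```

Run it over a whole sssd_<domain>.log captured at debug_level = 7 to get each PAM result together with the backend messages that led to it.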