I'm using sssd 1.13.3 and am trying to configure sssd for both NSS and PAM against our OpenLDAP server. NSS seems to work, but PAM doesn't.
# getent passwd timap
timap:*:41848:400:Test Imap:/users/org1/timap:/usr/local/bin/bash
but login of the timap user fails:
syslog output:

login[2315]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=timap
login[2315]: pam_sss(login:auth): received for user timap: 7 (Authentication failure)
login[2315]: FAILED LOGIN 1 FROM tty1 FOR timap, Authentication failure
Maybe we have an unusual LDAP server setup. There is a privileged DN cn=roadmin,ou=people,ou=admin,dc=myorg,dc=de to access all posixAccount objects.
A user account has these attributes:
# ldapsearch -x -w secret -D "cn=roadmin,ou=people,ou=admin,dc=myorg,dc=de" '(&(uid=timap)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))'
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=myorg,dc=de> (default) with scope subtree
# filter: (&(uid=timap)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))
# requesting: ALL
#

# timap, people, myorg.de
dn: uid=timap,ou=people,dc=myorg,dc=de
userPassword:: e0NSWVBUfSQ2JDV5N1B5RC84N3pRY2VmZlgkMk1LQjAxc1pFNzBzYXFsOUhZNWo
 3WFhJSVZXOWMuTHdOZEZpMzV5UVpzYlN0ZGpLVDVhdVdKeWRlcVdBSDMySmhwanZMNGJkZnVhYXMy
 SVFxVG41Yi8=
cn: timap
gecos: Test Imap
gidNumber: 400
homeDirectory: /users/org1/timap
loginShell: /usr/local/bin/bash
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: timap
uidNumber: 41848
My configuration is
--------/etc/sssd/sssd.conf-------------------
[sssd]
config_file_version = 2
services = nss,pam
domains = LDAP

[nss]
filter_groups = root
filter_users = root

[pam]
pam_verbosity = 3

[domain/LDAP]
debug_level = 0xFFF0
ldap_uri = ldaps://ldapserver.myorg.de
ldap_search_base = dc=myorg,dc=de
ldap_schema = rfc2307
id_provider = ldap
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = True
chpass_provider = ldap
auth_provider = ldap
ldap_tls_cacertdir = /var/ldap
ldap_tls_cacert = /var/ldap/certdb.pem
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=roadmin,ou=people,ou=admin,dc=myorg,dc=de
ldap_default_authtok_type = password
ldap_default_authtok = secret
---------------------------------------

--------/etc/nsswitch.conf-------------
passwd: files sss
group: files sss
shadow: files sss

hosts: files dns
---------------------------------------
Excerpt of sssd_LDAP.log:

[sssd[be[LDAP]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
[sssd[be[LDAP]]] [simple_bind_send] (0x0100): Executing simple bind as: cn=roadmin,ou=people,ou=admin,dc=myorg,dc=de
[sssd[be[LDAP]]] [set_server_common_status] (0x0100): Marking server 'ldapserver.myorg.de' as 'working'
[sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=timap]
[sssd[be[LDAP]]] [be_req_set_domain] (0x0400): Changing request domain from [LDAP] to [LDAP]
[sssd[be[LDAP]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
[sssd[be[LDAP]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=myorg,dc=de]
[sssd[be[LDAP]]] [sdap_print_server] (0x2000): Searching xxx.xxx.xxx.xxx
[sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=timap)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=myorg,dc=de].
[sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
[sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
[sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
[sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
[sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
[sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
[sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
[sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
[sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
[sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
[sssd[be[LDAP]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=timap,ou=people,dc=myorg,dc=de].
[sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPassword]
[sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
[sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [gecos]
[sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
[sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [homeDirectory]
[sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [loginShell]
[sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
[sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [uid]
[sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber]
[sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
[sssd[be[LDAP]]] [sdap_save_user] (0x2000): Adding originalDN [uid=timap,ou=people,dc=myorg,dc=de] to attributes of [timap].
[sssd[be[LDAP]]] [sdap_save_user] (0x0400): Storing info for user timap
So far this looks good. NSS is working, but the PAM request is not! PAM is using an additional simple_bind as uid=timap,ou=people,dc=myorg,dc=de instead of directly authenticating against the hash in the timap userPassword attribute we already got from the LDAP request above:
[sssd[be[LDAP]]] [be_req_set_domain] (0x0400): Changing request domain from [LDAP] to [LDAP]
[sssd[be[LDAP]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[LDAP]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
[sssd[be[LDAP]]] [pam_print_data] (0x0100): domain: LDAP
[sssd[be[LDAP]]] [pam_print_data] (0x0100): user: timap
[sssd[be[LDAP]]] [pam_print_data] (0x0100): service: login
[sssd[be[LDAP]]] [pam_print_data] (0x0100): tty: tty1
[sssd[be[LDAP]]] [pam_print_data] (0x0100): ruser:
[sssd[be[LDAP]]] [pam_print_data] (0x0100): rhost:
[sssd[be[LDAP]]] [pam_print_data] (0x0100): authtok type: 1
[sssd[be[LDAP]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[LDAP]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[LDAP]]] [pam_print_data] (0x0100): cli_pid: 1863
[sssd[be[LDAP]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[LDAP]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=timap,ou=people,dc=myorg,dc=de
[sssd[be[LDAP]]] [simple_bind_send] (0x2000): ldap simple bind sent, msgid = 1
[sssd[be[LDAP]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set
Does anyone have an idea how to configure sssd to authenticate against the hash in the userPassword attribute of the timap account?
The complete log is attached
Bing
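The log excerpt above shows the two simple binds SSSD performs: one as the service account (ldap_default_bind_dn) for the user lookup, then one as the user's own DN to verify the password. The following is an added triage helper, not part of the original post or of SSSD, that pairs each `simple_bind_send` with the next `simple_bind_done` in an sssd_LDAP.log excerpt and reports which bind failed; the sample log lines are constructed after the ones quoted above, and the service DN is the one from the posted sssd.conf.

```python
import re

# Constructed excerpt modelled on the sssd_LDAP.log lines quoted in the post (not the attached log).
SAMPLE_LOG = """\
[sssd[be[LDAP]]] [simple_bind_send] (0x0100): Executing simple bind as: cn=roadmin,ou=people,ou=admin,dc=myorg,dc=de
[sssd[be[LDAP]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
[sssd[be[LDAP]]] [sdap_save_user] (0x0400): Storing info for user timap
[sssd[be[LDAP]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
[sssd[be[LDAP]]] [pam_print_data] (0x0100): user: timap
[sssd[be[LDAP]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=timap,ou=people,dc=myorg,dc=de
[sssd[be[LDAP]]] [simple_bind_send] (0x2000): ldap simple bind sent, msgid = 1
[sssd[be[LDAP]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set
"""

BIND_SEND = re.compile(r"\[simple_bind_send\] \(0x[0-9A-Fa-f]+\): Executing simple bind as: (?P<dn>.+)$")
BIND_DONE = re.compile(r"\[simple_bind_done\] \(0x[0-9A-Fa-f]+\): Bind result: (?P<msg>[^(]+)\((?P<code>\d+)\)")
PAM_USER = re.compile(r"\[pam_print_data\] \(0x[0-9A-Fa-f]+\): user: (?P<user>\S+)")


def bind_sequence(log_text, default_bind_dn):
    """Pair every 'Executing simple bind as' with the next 'Bind result' and label
    whose credentials were used: the service account from ldap_default_bind_dn, or
    the PAM user's own DN (SSSD verifies a password by binding as that DN)."""
    events, pending_dn, pam_user = [], None, None
    for line in log_text.splitlines():
        if m := PAM_USER.search(line):
            pam_user = m.group("user")
        elif m := BIND_SEND.search(line):
            pending_dn = m.group("dn").strip()
        elif (m := BIND_DONE.search(line)) and pending_dn is not None:
            rdn = pending_dn.split(",", 1)[0].lower()  # e.g. uid=timap
            if pending_dn.lower() == default_bind_dn.lower():
                who = "service-account"
            elif pam_user and rdn == "uid=" + pam_user.lower():
                who = "user-self"
            else:
                who = "other"
            events.append({"dn": pending_dn, "who": who,
                           "code": int(m.group("code")), "result": m.group("msg").strip()})
            pending_dn = None
    return events


def failing_self_binds(events):
    """Self-binds with a non-zero LDAP result code: the ones PAM reports as auth failures."""
    return [e for e in events if e["who"] == "user-self" and e["code"] != 0]


if __name__ == "__main__":
    for e in bind_sequence(SAMPLE_LOG, "cn=roadmin,ou=people,ou=admin,dc=myorg,dc=de"):
        print(f"{e['who']:16} {e['result']}({e['code']})  {e['dn']}")
```

A successful service-account bind followed by a failed self-bind, as here, means the lookup works and the failure is in the user's own bind, so the problem lies with the password or the directory's bind ACLs for that DN, not with the service credentials.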
On Fri, Sep 16, 2016 at 04:01:09PM +0200, Bernd Leibing wrote:
> [...]
> So far this looks good. NSS is working, but the PAM request is not! PAM is using an additional simple_bind as uid=timap,ou=people,dc=myorg,dc=de instead of directly authenticating against the hash in the timap userPassword attribute we already got from the LDAP request above.
Binding as 'self' is the only supported LDAP authentication method in SSSD, sorry.
sssd-users@lists.fedorahosted.org