I have sssd doing authentication through ldap and I actually have a working configuration that uses access_provider=ldap and ldap_access_filter and does the right thing on CentOS 6.4. On another system (CentOS 6.7) the exact same configuration does not work. Access is granted at all times no matter what. In fact, I can put in access_provider=deny, and access is still granted. Is there some dependency that I got right on the first system that is incorrect on this one? I can post logs if needed. Relevant info for non-working system:
OS: CentOS 6.7 x86_64
sssd version: 1.12.4-47 (also tried 1.13.3 built from source)
sssd.conf:

[domain/ldap]
ldap_schema = rfc2307
ldap_search_base = dc=DOMAIN
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = deny
ldap_uri = ldaps://LDAP_SERVER1,ldaps://LDAP_SERVER2
cache_credentials = True
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts

[sssd]
config_file_version = 2
services = nss, pam
debug_level = 1
domains = ldap

[nss]
debug_level = 1

[pam]
debug_level = 1
/etc/nsswitch.conf (relevant bits):
passwd:     sss files
shadow:     sss files
group:      sss files
services:   files sss
netgroup:   files sss ldap
/etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Thank you for any help,
-JE
On Tue, Mar 15, 2016 at 08:41:40PM -0000, Josh England wrote:
I have sssd doing authentication through ldap and I actually have a working configuration that uses access_provider=ldap and ldap_access_filter and does the right thing on CentOS 6.4. On another system (CentOS 6.7) the exact same configuration does not work. Access is granted at all times no matter what. In fact, I can put in access_provider=deny, and access is still granted. Is there some dependency that I got right on the first system that is incorrect on this one? I can post logs if needed. Relevant info for non-working system:
Hi,
I'm sorry, but I can't reproduce this locally. I tried with git master from source and ipa id_provider together with deny access provider and I was denied access as I would expect.
Also, in the logs I see:

(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.test] to [ipa.test]
(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): domain: ipa.test
(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): user: admin
(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): service: su-l
(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): tty: pts/1
(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): ruser: jhrozek
(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): rhost:
(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): priv: 0
(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): cli_pid: 7244
(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): logon name: not set
(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [be_pam_handler_callback] (0x0100): Sending result [6][ipa.test]
(Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [be_pam_handler_callback] (0x0100): Sent result [6][ipa.test]
What do you see in /var/log/secure or the journal with your config? Is pam_sss present in the pam stack's account stack?
/var/log/secure has this:

Mar 16 15:26:39 gen1 sshd[27930]: pam_unix(sshd:session): session opened for user josh by (uid=0)
It's coming from pam_unix though, not pam_sss. I do have pam_sss in the pam stack (see original post), and the exact same config works on another system. My sssd_pam.log shows this:
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_cmd_open_session] (0x0100): entering pam_cmd_open_session
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'joebob' matched without domain, user is joebob
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): user: joebob
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: fadmin1-24.tgsw
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 28220
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): logon name: joebob
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/ldap/joebob]
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_initgr_check_timeout] (0x4000): User [joebob] not found in PAM cache.
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40d1c0:3:joebob@ldap]
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [ldap][3][1][name=joebob]
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x18a4ec0
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40d1c0:3:joebob@ldap]
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x18a4ec0
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x18a5e00
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [joebob@ldap]
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x18b2e30
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x18a5c20
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [ldb] (0x4000): Running timer event 0x18b2e30 "ltdb_callback"
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [ldb] (0x4000): Destroying timer event 0x18a5c20 "ltdb_timeout"
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [ldb] (0x4000): Ending timer event 0x18b2e30 "ltdb_callback"
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [joebob@ldap]
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [joebob] added to PAM initgroup cache
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: ldap
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): user: joebob
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: fadmin1-24.tgsw
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 28220
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_print_data] (0x0100): logon name: joebob
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x18ae680
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40d1c0:3:joebob@ldap]
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x18ae680
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x18a5e00
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][ldap]
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 21
(Wed Mar 16 15:36:51 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x18b3aa0][19]
(Wed Mar 16 15:36:55 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x18a4c70
(Wed Mar 16 15:36:55 2016) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Mar 16 15:36:55 2016) [sssd[pam]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Wed Mar 16 15:36:55 2016) [sssd[pam]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Mar 16 15:36:55 2016) [sssd[pam]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
(Wed Mar 16 15:36:56 2016) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [joebob] removed from PAM initgroup cache
-JE
P.S. sorry if this is a repost
On Wed, Mar 16, 2016 at 11:12:24PM -0000, Josh England wrote:
/var/log/secure has this: Mar 16 15:26:39 gen1 sshd[27930]: pam_unix(sshd:session): session opened for user josh by (uid=0)
~~~~~~
Are you testing as root? If yes, then root is normally permitted by the pam_rootok.so module before any other module is contacted..
On Wed, Mar 16, 2016 at 11:12:24PM -0000, Josh England wrote:
/var/log/secure has this: Mar 16 15:26:39 gen1 sshd[27930]: pam_unix(sshd:session): session opened for user josh by (uid=0)
Can you check /etc/ssh/sshd_config if 'UsePAM' is accidentally set to 'no'? It must be 'yes'.
Can you check if there is a user in /etc/passwd called 'joebob' ?
HTH
bye, Sumit
On Thu, Mar 17, 2016 at 05:06:15PM -0000, Josh England wrote:
UsePAM is set to 'yes', and the 'joebob' user does exist in /etc/passwd.
There goes your problem: this user would then be handled by pam_unix, not pam_sss.
If you want to use users in /etc/passwd with LDAP authentication then you need to use id_provider=proxy pointed at files and auth_provider pointed at LDAP.
However, this setup is almost never needed: SSSD caches identity data from LDAP, so you can just rely on the cache.
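To make the short-circuit visible, here is an added example (not code from the thread, from SSSD or from Linux-PAM): a small Python model of the account stack from the posted system-auth, run against a constructed /etc/passwd and a modelled pam_sss verdict, reporting which modules each user actually reaches. Module verdicts and the pam_sss answer are assumptions of the model, not real PAM calls.

```python
# Added example: simulate the 'account' stack of the posted /etc/pam.d/system-auth
# to show why a user that also exists in /etc/passwd is ended early by
# 'account sufficient pam_localuser.so' and never reaches pam_sss, so that
# access_provider=deny looks ignored. Module verdicts are modelled, not real PAM.

ACCOUNT_STACK = [  # (control flag, module line) exactly as posted in the thread
    ("required", "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_succeed_if.so uid < 500 quiet"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_sss.so"),
    ("required", "pam_permit.so"),
]

# Constructed sample /etc/passwd: joebob is local, alice exists only in LDAP.
PASSWD = "root:x:0:0:root:/root:/bin/bash\njoebob:x:1001:1001::/home/joebob:/bin/bash\n"

BUILTIN_CONTROLS = {  # Linux-PAM's definitions of the simple keywords
    "required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite": "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
}

def local_users(passwd_text):
    rows = (line.split(":") for line in passwd_text.splitlines() if line)
    return {r[0]: int(r[2]) for r in rows}  # name -> uid

def parse_control(control):
    """Expand a keyword or '[value=action ...]' control into a dict."""
    spec = BUILTIN_CONTROLS.get(control, control.strip("[]"))
    return dict(item.split("=") for item in spec.split())

def module_result(module, user, locals_, sss_decision):
    """Modelled verdict of one module: 'success', 'fail' or 'user_unknown'."""
    name = module.split()[0]
    if name == "pam_localuser.so":
        return "success" if user in locals_ else "fail"
    if name == "pam_succeed_if.so":  # the posted 'uid < 500' rule
        return "success" if locals_.get(user, 10**6) < 500 else "fail"
    if name == "pam_sss.so":
        return sss_decision  # what SSSD's access_provider would answer
    return "success"  # model: pam_unix (account not expired) and pam_permit

def run_account_stack(user, passwd_text, sss_decision, stack=ACCOUNT_STACK):
    """Return (verdict, [modules consulted]) for the account phase."""
    locals_, failed, consulted = local_users(passwd_text), False, []
    for control, module in stack:
        actions = parse_control(control)
        result = module_result(module, user, locals_, sss_decision)
        consulted.append(module.split()[0])
        action = actions.get(result, actions["default"])
        if action == "bad":
            failed = True
        elif action == "die":
            return "fail", consulted
        elif action == "done":  # a 'sufficient' success ends the stack here
            return ("fail" if failed else "success"), consulted
    return ("fail" if failed else "success"), consulted
```

With a pam_sss verdict of "fail" (what access_provider=deny answers), `run_account_stack("joebob", PASSWD, "fail")` returns success after only pam_unix and pam_localuser, while the LDAP-only "alice" reaches pam_sss and is denied.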
Thank you. Removing the passwd entries does make things work (using access_provider=ldap and ldap_access_filter) and there is no strong need for those entries to be there anyway.
-JE