I'm set up on CentOS 6.6 with sssd 1.11.6 using OpenLDAP and an OpenLDAP proxy to Active Directory.
I have getent passwd <username>, getent group <group name>, id <username> etc. working, not a problem.
So, trying to get ssh to work as well.
*** I keep running into the issue:
"PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)"
and am unclear how to resolve this!
I've listed below:
* sssd.conf
* password-auth-ac
* sshd
* sshd log
Any help/suggestions are GREATLY appreciated!!!
Sterling
sssd.conf:
[root@ldap sssd]# cat sssd.conf
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.va.example.com
ldap_tls_cacertdir = /etc/pki/tls/certs

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = LDAP

[nss]
filter_users = root
filter_groups = root

[pam]

[sudo]

[domain/LDAP]
access_provider = ldap
auth_provider = ldap
chpass_provider = ldap
id_provider = ldap
sudo_provider = ldap
debug_level = 9
cache_credentials = true
enumerate = false
ldap_uri = ldaps://ad-va.ad.example.com
ldap_default_bind_dn = cn=accessacct,ou=serviceaccounts,ou=example,dc=ad,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = <password here!>
ldap_access_filter = ou=example,dc=ad,dc=example,dc=com
ldap_search_base = dc=ad,dc=example,dc=com
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_uid_number = uidNumber
ldap_user_objectsid = objectSid
ldap_group_object_class = group
ldap_group_objectsid = objectSid
ldap_group_member = member
ldap_sudo_search_base = ou=sudoers,dc=ad,dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/certificatename.crt
[root@ldap pam.d]# cat password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so umask=0022 skel=/etc/skel/
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     optional      pam_sss.so
session     required      pam_unix.so
[root@ldap pam.d]# cat sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_mkhomedir.so umask=0022 skel=/etc/skel/
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
Here is my log:
[root@ldap ~]# /usr/sbin/sshd -D -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 602
debug2: parse_server_config: config /etc/ssh/sshd_config len 602
debug3: /etc/ssh/sshd_config:21 setting Protocol 2
debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTHPRIV
debug3: /etc/ssh/sshd_config:43 setting PermitRootLogin without-password
debug3: /etc/ssh/sshd_config:65 setting PasswordAuthentication yes
debug3: /etc/ssh/sshd_config:71 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:74 setting KerberosAuthentication no
debug3: /etc/ssh/sshd_config:81 setting GSSAPIAuthentication no
debug3: /etc/ssh/sshd_config:98 setting UsePAM yes
debug3: /etc/ssh/sshd_config:101 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAG
debug3: /etc/ssh/sshd_config:102 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: /etc/ssh/sshd_config:103 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
debug3: /etc/ssh/sshd_config:104 setting AcceptEnv XMODIFIERS
debug3: /etc/ssh/sshd_config:109 setting X11Forwarding no
debug3: /etc/ssh/sshd_config:133 setting Subsystem sftp /usr/libexec/openssh/sftp-server
debug3: /etc/ssh/sshd_config:140 setting UseDNS no
debug1: sshd version OpenSSH_5.3p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-D'
debug1: rexec_argv[2]='-ddd'
debug3: oom_adjust_setup Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 602
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 10.41.0.145 port 42145
debug1: Client protocol version 2.0; client software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 28180
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 74:74
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 840 bytes for a total of 861
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-gr
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-gr
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug3: mm_request_send entering: type 78
debug3: monitor_read: checking request 78
debug3: mm_request_send entering: type 79
debug3: mm_request_receive entering
debug3: mm_request_receive_expect entering: type 79
debug3: mm_request_receive entering
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug3: mm_request_send entering: type 78
debug3: monitor_read: checking request 78
debug3: mm_request_send entering: type 79
debug3: mm_request_receive entering
debug3: mm_request_receive_expect entering: type 79
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug3: Wrote 152 bytes for a total of 1013
debug2: dh_gen_key: priv key bits set: 137/256
debug2: bits set: 484/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 518/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 5
debug3: monitor_read: checking request 5
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x7f74f925a0d0(271)
debug3: mm_request_send entering: type 6
debug2: monitor_read: 5 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 6
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 720 bytes for a total of 1733
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: Wrote 48 bytes for a total of 1781
debug1: userauth-request for user abrown service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 7
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 8
debug3: mm_request_receive entering
debug3: monitor_read: checking request 7
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 602
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 8
debug2: monitor_read: 7 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for abrown
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 50
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug3: mm_inform_authrole entering
debug3: mm_request_send entering: type 4
debug2: input_userauth_request: try method none
debug3: Wrote 64 bytes for a total of 1845
debug3: monitor_read: checking request 50
debug1: PAM: initializing for "abrown"
debug1: PAM: setting PAM_RHOST to "10.41.0.145"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 50 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authrole: role=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user abrown service ssh-connection method password
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 12
debug3: mm_request_receive entering
debug3: monitor_read: checking request 11
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication accepted for abrown
debug3: mm_answer_authpassword: sending result 1
debug3: mm_request_send entering: type 12
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: mm_auth_password: user authenticated
debug3: mm_do_pam_account entering
debug3: mm_request_send entering: type 51
debug3: mm_request_receive_expect entering: type 52
debug3: mm_request_receive entering
debug1: do_pam_account: called
debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
debug3: mm_request_send entering: type 52
Failed password for abrown from 10.41.0.145 port 42145 ssh2
debug3: mm_do_pam_account returning 0
Access denied for user abrown by PAM account configuration
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug3: mm_request_send entering: type 80
debug3: mm_request_receive_expect entering: type 81
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 80
debug3: mm_request_send entering: type 81
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
On Tue, Apr 28, 2015 at 03:11:09PM +0000, Sterling Sahaydak wrote:
I'm set up on CentOS 6.6 with sssd 1.11.6 using OpenLDAP and an OpenLDAP proxy to Active Directory.
I have getent passwd <username>, getent group <group name>, id <username> etc. working, not a problem.
So, trying to get ssh to work as well.
*** I keep running into the issue:
"PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)"
and am unclear how to resolve this!
I've listed below:
* sssd.conf
* password-auth-ac
* sshd
* sshd log
Please follow https://fedorahosted.org/sssd/wiki/Troubleshooting in order to check the sssd domain logs.
On Tue, Apr 28, 2015 at 03:11:09PM +0000, Sterling Sahaydak wrote:
I'm set up on CentOS 6.6 with sssd 1.11.6 using OpenLDAP and an OpenLDAP proxy to Active Directory.
I have getent passwd <username>, getent group <group name>, id <username> etc. working, not a problem.
So, trying to get ssh to work as well.
*** I keep running into the issue:
"PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)"
and am unclear how to resolve this!
I've listed below:
* sssd.conf
* password-auth-ac
* sshd
* sshd log
Any help/suggestions are GREATLY appreciated!!!
Sterling
sssd.conf:
[root@ldap sssd]# cat sssd.conf
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.va.example.com
ldap_tls_cacertdir = /etc/pki/tls/certs

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = LDAP

[nss]
filter_users = root
filter_groups = root

[pam]

[sudo]

[domain/LDAP]
access_provider = ldap
auth_provider = ldap
chpass_provider = ldap
id_provider = ldap
sudo_provider = ldap
debug_level = 9
cache_credentials = true
enumerate = false
ldap_uri = ldaps://ad-va.ad.example.com
ldap_default_bind_dn = cn=accessacct,ou=serviceaccounts,ou=example,dc=ad,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = <password here!>
ldap_access_filter = ou=example,dc=ad,dc=example,dc=com
Please check the ldap_access_filter entry in the sssd-ldap man page. The value of the option is put into an LDAP search filter; what you have given is an LDAP DN. I would suggest trying with
access_provider = permit
first, which always allows access, and then try to restrict access with a different access provider. Besides the LDAP access provider you might want to consider the simple access provider for a start as well.
That said, log files, as Jakub already mentioned, are always useful to identify your issue even more closely.
HTH
bye, Sumit
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
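Sumit's point is that ldap_access_filter takes an LDAP search filter in RFC 4515 syntax (a parenthesised expression such as (memberOf=...)), while the posted value is a distinguished name. The script below is an added example, not part of this thread and not SSSD's own code: it parses an sssd.conf with Python's configparser and, for every [domain/...] section that uses access_provider = ldap, reports whether ldap_access_filter is a usable filter, a DN mistaken for one, or missing. Both embedded configs are constructed for the example; the first repeats the poster's DN value, the second uses a hypothetical cn=linux-users group as the corrected filter. The filter check is structural only (balanced parentheses and at least one attr/op/value item), not a full RFC 4515 parser, and a domain with access_provider = permit, Sumit's first suggestion, is skipped because it has no filter to check.

```python
import configparser
import re

# Constructed sssd.conf fragments for this example (not the poster's real files).
# BROKEN_CONF repeats the mistake from the thread: a DN where a filter belongs.
BROKEN_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
access_provider = ldap
ldap_access_filter = ou=example,dc=ad,dc=example,dc=com
"""

# FIXED_CONF uses an RFC 4515 filter; cn=linux-users is a hypothetical group
# that only exists in this example.
FIXED_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
access_provider = ldap
ldap_access_filter = (memberOf=cn=linux-users,ou=groups,ou=example,dc=ad,dc=example,dc=com)
"""

# A DN is a comma-separated list of attr=value pairs with no parentheses.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,()]+(,[A-Za-z][\w-]*=[^,()]+)*$")
# An RFC 4515 item is "(attr<op>value)", possibly nested in (&...), (|...), (!...).
ITEM_RE = re.compile(r"\([A-Za-z][\w;.-]*(~=|>=|<=|:=|=)[^()]*\)")


def looks_like_dn(value):
    return DN_RE.match(value.strip()) is not None


def is_rfc4515_filter(value):
    """Structural check: one parenthesised expression, balanced, containing
    at least one attr/op/value item. Not a full RFC 4515 parser."""
    v = value.strip()
    if not (v.startswith("(") and v.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(v):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(v) - 1:
                return False  # "(a=b)(c=d)": two top-level expressions, not one filter
    return depth == 0 and ITEM_RE.search(v) is not None


def check_access_filters(conf_text):
    """Return {domain: verdict} for every [domain/...] section with
    access_provider = ldap. Verdicts: 'ok', 'dn-not-filter',
    'not-a-filter', 'missing'. Other access providers are skipped."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    verdicts = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        provider = cp.get(section, "access_provider", fallback="permit").strip()
        if provider != "ldap":
            continue
        domain = section.split("/", 1)[1]
        value = cp.get(section, "ldap_access_filter", fallback=None)
        if value is None:
            verdicts[domain] = "missing"
        elif is_rfc4515_filter(value):
            verdicts[domain] = "ok"
        elif looks_like_dn(value):
            verdicts[domain] = "dn-not-filter"
        else:
            verdicts[domain] = "not-a-filter"
    return verdicts


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_access_filters(text))
```

To check a live system, read /etc/sssd/sssd.conf as root and pass its contents to check_access_filters(); since the file carries ldap_default_authtok, keep it on the host rather than pasting it into a mail as the original post did. A verdict of dn-not-filter is exactly the case in this thread: authentication succeeds, then the account phase fails with pam_acct_mgmt = 6 because the access provider never matches the user's entry.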
Thanks Sumit and Jakub!
I looked up the link Jakub provided and found:
"I'm receiving Access denied for user $user: 6 (Permission denied)"
Authentication went fine, but the user was denied access to the client machine. You can temporarily disable access control with setting access_provider=permit temporarily. Don't forget to reset the access provider to a stricter setting after finding out the root cause! If disabling access control doesn't help, the account might be locked on the server side. Check the SSSD domain logs to find out more.
So, as mentioned, I'll set "access_provider=permit" and give that a try!
*I'm sure I'll be following up with log files.
Thanks for the prompt reply!!!!
Sterling
------ Original Message ------
From: "Sumit Bose" sbose@redhat.com
To: "Sterling Sahaydak" sterling.sahaydak@pi-coral.com; "End-user discussions about the System Security Services Daemon" sssd-users@lists.fedorahosted.org
Sent: 4/28/2015 12:03:29 PM
Subject: Re: [SSSD-users] SSH - sssd: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
On Tue, Apr 28, 2015 at 03:11:09PM +0000, Sterling Sahaydak wrote:
I'm set up on CentOS 6.6 with sssd 1.11.6 using OpenLDAP and an OpenLDAP proxy to Active Directory.
I have getent passwd <username>, getent group <group name>, id <username> etc. working, not a problem.
So, trying to get ssh to work as well.
*** I keep running into the issue:
"PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)"
and am unclear how to resolve this!
I've listed below:
* sssd.conf
* password-auth-ac
* sshd
* sshd log
Any help/suggestions are GREATLY appreciated!!!
Sterling
sssd.conf:
[root@ldap sssd]# cat sssd.conf
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.va.example.com
ldap_tls_cacertdir = /etc/pki/tls/certs

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = LDAP

[nss]
filter_users = root
filter_groups = root

[pam]

[sudo]

[domain/LDAP]
access_provider = ldap
auth_provider = ldap
chpass_provider = ldap
id_provider = ldap
sudo_provider = ldap
debug_level = 9
cache_credentials = true
enumerate = false
ldap_uri = ldaps://ad-va.ad.example.com
ldap_default_bind_dn = cn=accessacct,ou=serviceaccounts,ou=example,dc=ad,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = <password here!>
ldap_access_filter = ou=example,dc=ad,dc=example,dc=com
Please check the ldap_access_filter entry in the sssd-ldap man page. The value of the option is put into an LDAP search filter; what you have given is an LDAP DN. I would suggest trying with
access_provider = permit
first, which always allows access, and then try to restrict access with a different access provider. Besides the LDAP access provider you might want to consider the simple access provider for a start as well.
That said, log files, as Jakub already mentioned, are always useful to identify your issue even more closely.
HTH
bye, Sumit
ldap_search_base = dc=ad,dc=example,dc=com
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_uid_number = uidNumber
ldap_user_objectsid = objectSid
ldap_group_object_class = group
ldap_group_objectsid = objectSid
ldap_group_member = member
ldap_sudo_search_base = ou=sudoers,dc=ad,dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/certificatename.crt

[root@ldap pam.d]# cat password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so umask=0022 skel=/etc/skel/
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     optional      pam_sss.so
session     required      pam_unix.so

[root@ldap pam.d]# cat sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_mkhomedir.so umask=0022 skel=/etc/skel/
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
Here is my log:
[root@ldap ~]# /usr/sbin/sshd -D -ddd debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 602 debug2: parse_server_config: config /etc/ssh/sshd_config len 602 debug3: /etc/ssh/sshd_config:21 setting Protocol 2 debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTHPRIV debug3: /etc/ssh/sshd_config:43 setting PermitRootLogin without-password debug3: /etc/ssh/sshd_config:65 setting PasswordAuthentication yes debug3: /etc/ssh/sshd_config:71 setting ChallengeResponseAuthentication no debug3: /etc/ssh/sshd_config:74 setting KerberosAuthentication no debug3: /etc/ssh/sshd_config:81 setting GSSAPIAuthentication no debug3: /etc/ssh/sshd_config:98 setting UsePAM yes debug3: /etc/ssh/sshd_config:101 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAG debug3: /etc/ssh/sshd_config:102 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT debug3: /etc/ssh/sshd_config:103 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE debug3: /etc/ssh/sshd_config:104 setting AcceptEnv XMODIFIERS debug3: /etc/ssh/sshd_config:109 setting X11Forwarding no debug3: /etc/ssh/sshd_config:133 setting Subsystem sftp /usr/libexec/openssh/sftp-server debug3: /etc/ssh/sshd_config:140 setting UseDNS no debug1: sshd version OpenSSH_5.3p1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #0 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #1 type 2 DSA debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-D' debug1: rexec_argv[2]='-ddd' debug3: oom_adjust_setup Set /proc/self/oom_score_adj from 0 to -1000 debug2: fd 3 setting O_NONBLOCK debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. debug2: fd 4 setting O_NONBLOCK debug1: Bind to port 22 on ::. Server listening on :: port 22. 
debug3: fd 5 is not O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug3: send_rexec_state: entering fd = 8 config len 602 debug3: ssh_msg_send: type 0 debug3: send_rexec_state: done debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug1: inetd sockets after dupping: 3, 3 Connection from 10.41.0.145 port 42145 debug1: Client protocol version 2.0; client software version OpenSSH_5.3 debug1: match: OpenSSH_5.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.3 debug2: fd 3 setting O_NONBLOCK debug2: Network child is on pid 28180 debug3: preauth child monitor started debug3: mm_request_receive entering debug3: privsep user:group 74:74 debug1: permanently_set_uid: 74/74 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug3: Wrote 840 bytes for a total of 861 debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-gr debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-gr debug2: kex_parse_kexinit: 
ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none debug3: mm_request_send entering: type 78 debug3: monitor_read: checking request 78 debug3: mm_request_send entering: type 79 debug3: mm_request_receive entering debug3: mm_request_receive_expect entering: type 79 debug3: mm_request_receive entering debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug3: mm_request_send entering: type 78 debug3: monitor_read: checking request 78 debug3: mm_request_send entering: type 79 debug3: mm_request_receive entering debug3: mm_request_receive_expect entering: type 79 debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug3: mm_request_send entering: type 0 debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 1024 8192 debug3: mm_request_send entering: type 1 debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP 
sent debug3: Wrote 152 bytes for a total of 1013 debug2: dh_gen_key: priv key bits set: 137/256 debug2: bits set: 484/1024 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: bits set: 518/1024 debug3: mm_key_sign entering debug3: mm_request_send entering: type 5 debug3: monitor_read: checking request 5 debug3: mm_answer_sign debug3: mm_answer_sign: signature 0x7f74f925a0d0(271) debug3: mm_request_send entering: type 6 debug2: monitor_read: 5 used once, disabling now debug3: mm_request_receive entering debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 6 debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: Wrote 720 bytes for a total of 1733 debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug3: Wrote 48 bytes for a total of 1781 debug1: userauth-request for user abrown service ssh-connection method none debug1: attempt 0 failures 0 debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 7 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 8 debug3: mm_request_receive entering debug3: monitor_read: checking request 7 debug3: mm_answer_pwnamallow debug2: parse_server_config: config reprocess config len 602 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 8 debug2: monitor_read: 7 used once, disabling now debug3: mm_request_receive entering debug2: input_userauth_request: setting up authctxt for abrown debug3: mm_start_pam entering debug3: mm_request_send entering: type 50 debug3: mm_inform_authserv entering debug3: mm_request_send entering: type 3 debug3: mm_inform_authrole entering debug3: mm_request_send entering: type 4 debug2: input_userauth_request: try method none debug3: Wrote 64 bytes for a total of 1845 debug3: 
monitor_read: checking request 50 debug1: PAM: initializing for "abrown" debug1: PAM: setting PAM_RHOST to "10.41.0.145" debug1: PAM: setting PAM_TTY to "ssh" debug2: monitor_read: 50 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 3 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 3 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 4 debug3: mm_answer_authrole: role= debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug1: userauth-request for user abrown service ssh-connection method password debug1: attempt 1 failures 0 debug2: input_userauth_request: try method password debug3: mm_auth_password entering debug3: mm_request_send entering: type 11 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 12 debug3: mm_request_receive entering debug3: monitor_read: checking request 11 debug3: PAM: sshpam_passwd_conv called with 1 messages debug1: PAM: password authentication accepted for abrown debug3: mm_answer_authpassword: sending result 1 debug3: mm_request_send entering: type 12 debug3: mm_request_receive_expect entering: type 51 debug3: mm_request_receive entering debug3: mm_auth_password: user authenticated debug3: mm_do_pam_account entering debug3: mm_request_send entering: type 51 debug3: mm_request_receive_expect entering: type 52 debug3: mm_request_receive entering debug1: do_pam_account: called debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied) debug3: mm_request_send entering: type 52 Failed password for abrown from 10.41.0.145 port 42145 ssh2 debug3: mm_do_pam_account returning 0 Access denied for user abrown by PAM account configuration debug1: do_cleanup debug3: PAM: sshpam_thread_cleanup entering debug3: mm_request_send entering: type 80 debug3: mm_request_receive_expect entering: type 81 debug3: 
mm_request_receive entering debug3: mm_request_receive entering debug3: monitor_read: checking request 80 debug3: mm_request_send entering: type 81 debug3: mm_request_receive entering debug1: do_cleanup debug1: PAM: cleanup debug3: PAM: sshpam_thread_cleanup entering
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Something I've noticed is that I've set SELinux into 'permissive' mode:
[root@ldap ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

But looking into the logs after changing "access_provider = permit", I notice 'SELinux support enabled'.
*** Does sssd look at SELinux 'enabled' and the 'Current mode' = permissive???
...
debug3: mm_get_keystate: Waiting for second key
debug3: mm_newkeys_from_blob: 0x7f98559f9400(122)
debug2: mac_setup: found hmac-md5
debug3: mm_get_keystate: Getting compression state
debug3: mm_get_keystate: Getting Network I/O buffers
debug3: mm_request_receive_expect entering: type 80
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 81
debug3: mm_share_sync: Share sync
debug3: mm_share_sync: Share sync end
debug1: SELinux support enabled
debug3: ssh_selinux_setup_variables: setting execution context
debug1: PAM: establishing credentials
debug3: PAM: opening session
User child is on pid 32767
debug3: mm_request_receive entering
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 2000/1500
debug2: set_newkeys: mode 0
debug2: set_newkeys: mode 1
debug1: Entering interactive session for SSH2.
debug2: fd 9 setting O_NONBLOCK
debug2: fd 10 setting O_NONBLOCK
debug1: server_init_dispatch_20
...
Now ssh appears to be working:
[root@ldap ~]# !1006
ssh abrown@ldap.va.example.com
abrown@ldap.va.example.com's password:
debug3: Copy environment: SELINUX_ROLE_REQUESTED=
debug3: Copy environment: SELINUX_LEVEL_REQUESTED=
debug3: Copy environment: SELINUX_USE_CURRENT_RANGE=
Environment:
  LANG=en_US.UTF-8
  USER=abrown
  LOGNAME=abrown
  HOME=/home/users/abrown
  PATH=/usr/local/bin:/bin:/usr/bin
  MAIL=/var/mail/abrown
  SHELL=/bin/bash
  SSH_CLIENT=10.41.0.145 42191 22
  SSH_CONNECTION=10.41.0.145 42191 10.41.0.145 22
  SSH_TTY=/dev/pts/2
  TERM=xterm
  SELINUX_ROLE_REQUESTED=
  SELINUX_LEVEL_REQUESTED=
  SELINUX_USE_CURRENT_RANGE=
debug3: channel 0: close_fds r -1 w -1 e -1
-bash-4.1$ whoami
abrown

[root@ldap home]# cd users
[root@ldap users]# ll
total 24
drwxr-xr-x. 2 abrown allowedusers 4096 Apr 28 12:26 abrown
------ Original Message ------ From: "Sumit Bose" sbose@redhat.com To: "Sterling Sahaydak" sterling.sahaydak@pi-coral.com; "End-user discussions about the System Security Services Daemon" sssd-users@lists.fedorahosted.org Sent: 4/28/2015 12:03:29 PM Subject: Re: [SSSD-users] SSH - sssd: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
On Tue, Apr 28, 2015 at 03:11:09PM +0000, Sterling Sahaydak wrote:
Solved my issue!
The key wasn't in the messages from running sssd with /usr/sbin/sssd -D -ddd and reading what was sent to the screen.
Instead it was looking within the sssd_LDAP.log file itself:
(Wed Apr 29 11:42:58 2015) [sssd[be[LDAP]]] [sdap_access_filter_send] (0x0400): No filter set.
(Wed Apr 29 11:42:58 2015) [sssd[be[LDAP]]] [sdap_access_done] (0x0400): Access was denied.
The ldap_access_filter set to:
ldap_access_filter = ou=example,dc=ad,dc=example,dc=com
It appears this is not a filter.
To resolve, changed it to use:
ldap_access_filter = memberof=cn=groupname,ou=groups,dc=ad,dc=example,dc=com
The documentation is a little vague for ldap_access_filter as to what clearly qualifies as a filter.
The malformed-filter handling in the code didn't appear to get triggered?
Thanks again to Jakub and Sumit for taking the time to help!!!
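Sumit's point about the DN versus a filter, and the memberof fix above, as an added example (not code from the thread or from SSSD): a small RFC 4515 filter evaluator that ANDs a configured ldap_access_filter value into a per-user lookup (that composition is an assumption about the shape of the lookup, not SSSD's code) and runs it over constructed entries, showing why the DN value denies every user while the memberof filter admits only the group's members. The user and group names are taken from the thread; the entries themselves are made up.

```python
import re

# Constructed sample entries modelled on the thread's AD layout (not real data).
DIRECTORY = [
    {"objectClass": ["top", "person", "user"],
     "sAMAccountName": ["abrown"],
     "memberOf": ["cn=groupname,ou=groups,dc=ad,dc=example,dc=com"]},
    {"objectClass": ["top", "person", "user"],
     "sAMAccountName": ["bsmith"],
     "memberOf": []},
]

# A bare DN: attr=value RDNs joined by commas, no '(' and no '=' inside a value.
# "memberof=cn=..." deliberately fails this because its value contains '='.
DN_LIKE = re.compile(r"^\s*\w+=[^,()=]+(,\s*\w+=[^,()=]+)+\s*$")


def lint_access_filter(value):
    """Warn when an ldap_access_filter value is a DN rather than a filter."""
    if DN_LIKE.match(value):
        return ("value looks like an LDAP DN; as a filter it only compares "
                "the first RDN attribute against the rest of the string")
    return None


def compose_access_filter(user, access_filter):
    """AND the admin-supplied filter into the per-user lookup.

    Assumption: this mirrors the shape of the lookup an access provider runs
    (name match, object class, then the configured filter); it is not SSSD's
    own code. A value without surrounding parentheses is wrapped first.
    """
    if not access_filter.startswith("("):
        access_filter = "(" + access_filter + ")"
    return "(&(sAMAccountName=%s)(objectClass=user)%s)" % (user, access_filter)


def _parse(s, i):
    """Recursive-descent parser for the RFC 4515 subset &, |, ! and attr=value."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, subs = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if i >= len(s) or s[i] != ")" or not subs:
            raise ValueError("bad compound filter at offset %d" % i)
        return (op, subs), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item at offset %d" % i)
    attr, eq, val = s[i:end].partition("=")
    if not attr or not eq:
        raise ValueError("bad filter item %r" % s[i:end])
    return ("=", attr, val), end + 1


def parse_filter(s):
    """Parse a complete filter string; reject trailing garbage."""
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data at offset %d" % i)
    return node


def matches(entry, node):
    """Evaluate a parsed filter against one entry (AD-style, case-insensitive)."""
    kind = node[0]
    if kind == "=":
        _, attr, val = node
        values = [v for k, vs in entry.items() if k.lower() == attr.lower()
                  for v in vs]
        return any(v.lower() == val.lower() for v in values)
    if kind == "&":
        return all(matches(entry, n) for n in node[1])
    if kind == "|":
        return any(matches(entry, n) for n in node[1])
    return not matches(entry, node[1][0])   # "!" with a single operand


def allowed_users(access_filter, directory=DIRECTORY):
    """Users whose per-user lookup still returns their entry under this
    access filter, i.e. who would pass the PAM account phase."""
    allowed = []
    for entry in directory:
        for name in entry["sAMAccountName"]:
            tree = parse_filter(compose_access_filter(name, access_filter))
            if matches(entry, tree):
                allowed.append(name)
    return allowed


if __name__ == "__main__":
    for value in ("ou=example,dc=ad,dc=example,dc=com",
                  "memberof=cn=groupname,ou=groups,dc=ad,dc=example,dc=com"):
        print("%-60s -> allowed %s" % (value, allowed_users(value)))
        warning = lint_access_filter(value)
        if warning:
            print("   warning:", warning)
```

The DN value parses as the single item `ou=example,dc=ad,...`, which no entry satisfies, so the lookup comes back empty for everyone and the account phase denies the login; a negated filter such as `(!(memberof=...))` shows the evaluator handles the compound forms too.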
------ Original Message ------ From: "Sumit Bose" sbose@redhat.com To: "Sterling Sahaydak" sterling.sahaydak@pi-coral.com; "End-user discussions about the System Security Services Daemon" sssd-users@lists.fedorahosted.org Sent: 4/28/2015 12:03:29 PM Subject: Re: [SSSD-users] SSH - sssd: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
On Tue, Apr 28, 2015 at 03:11:09PM +0000, Sterling Sahaydak wrote:
I'm setup in Centos 6.6 with sssd 1.11.6 using openldap and openldap proxy to Active Directory.
I have working getent passwd <username> and getent group <group name>, id <username> etc. not a problem.
So, trying to get ssh to work as well.
*** I keep running in the issue:
"PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)"
and unclear of how to resolve this!
I've listed below:
*sssd.conf *password-auth-ac *sshd *sshd log
Any help/suggestions is GREATLY appreciated!!!
Sterling
sssd.conf:
[root@ldap sssd]# cat sssd.conf [domain/default]
ldap_id_use_start_tls = True cache_credentials = True ldap_search_base = dc=example,dc=com id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldaps://ldap.va.example.com ldap_tls_cacertdir = /etc/pki/tls/certs
[sssd] config_file_version = 2 services = nss, pam, sudo domains = LDAP
[nss] filter_users = root filter_groups = root
[pam]
[sudo]
[domain/LDAP] access_provider = ldap auth_provider = ldap chpass_provider = ldap id_provider = ldap sudo_provider = ldap debug_level = 9 cache_credentials = true enumerate = false
ldap_uri = ldaps://ad-va.ad.example.com ldap_default_bind_dn = cn=accessacct,ou=serviceaccounts,ou=example,dc=ad,dc=example,dc=com ldap_default_authtok_type = password ldap_default_authtok = <password here!>
ldap_access_filter = ou=example,dc=ad,dc=example,dc=com
Please check the ldap_access_filter entry in the sssd-ldap man page. The value of the option it put into a LDAP search filter, what you have given is a LDAP DN. I would suggest to try with
access_provider = permit
first, which always allows access and then try to restrict access with a different access provider. Besides the LDAP access provider you might want to consider the simple access provider for a start as well.
That said, log files as Jakub already mentioned, are always useful to identify your issue even more closely.
HTH
bye, Sumit
ldap_search_base = dc=ad,dc=example,dc=com
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_uid_number = uidNumber
ldap_user_objectsid = objectSid
ldap_group_object_class = group
ldap_group_objectsid = objectSid
ldap_group_member = member
ldap_sudo_search_base = ou=sudoers,dc=ad,dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/certificatename.crt
[root@ldap pam.d]# cat password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so umask=0022 skel=/etc/skel/
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     optional      pam_sss.so
session     required      pam_unix.so

[root@ldap pam.d]# cat sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_mkhomedir.so umask=0022 skel=/etc/skel/
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
Here is my log:
[root@ldap ~]# /usr/sbin/sshd -D -ddd debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 602 debug2: parse_server_config: config /etc/ssh/sshd_config len 602 debug3: /etc/ssh/sshd_config:21 setting Protocol 2 debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTHPRIV debug3: /etc/ssh/sshd_config:43 setting PermitRootLogin without-password debug3: /etc/ssh/sshd_config:65 setting PasswordAuthentication yes debug3: /etc/ssh/sshd_config:71 setting ChallengeResponseAuthentication no debug3: /etc/ssh/sshd_config:74 setting KerberosAuthentication no debug3: /etc/ssh/sshd_config:81 setting GSSAPIAuthentication no debug3: /etc/ssh/sshd_config:98 setting UsePAM yes debug3: /etc/ssh/sshd_config:101 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAG debug3: /etc/ssh/sshd_config:102 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT debug3: /etc/ssh/sshd_config:103 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE debug3: /etc/ssh/sshd_config:104 setting AcceptEnv XMODIFIERS debug3: /etc/ssh/sshd_config:109 setting X11Forwarding no debug3: /etc/ssh/sshd_config:133 setting Subsystem sftp /usr/libexec/openssh/sftp-server debug3: /etc/ssh/sshd_config:140 setting UseDNS no debug1: sshd version OpenSSH_5.3p1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #0 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #1 type 2 DSA debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-D' debug1: rexec_argv[2]='-ddd' debug3: oom_adjust_setup Set /proc/self/oom_score_adj from 0 to -1000 debug2: fd 3 setting O_NONBLOCK debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. debug2: fd 4 setting O_NONBLOCK debug1: Bind to port 22 on ::. Server listening on :: port 22. 
debug3: fd 5 is not O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug3: send_rexec_state: entering fd = 8 config len 602 debug3: ssh_msg_send: type 0 debug3: send_rexec_state: done debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug1: inetd sockets after dupping: 3, 3 Connection from 10.41.0.145 port 42145 debug1: Client protocol version 2.0; client software version OpenSSH_5.3 debug1: match: OpenSSH_5.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.3 debug2: fd 3 setting O_NONBLOCK debug2: Network child is on pid 28180 debug3: preauth child monitor started debug3: mm_request_receive entering debug3: privsep user:group 74:74 debug1: permanently_set_uid: 74/74 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug3: Wrote 840 bytes for a total of 861 debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-gr debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-gr debug2: kex_parse_kexinit: 
ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none debug3: mm_request_send entering: type 78 debug3: monitor_read: checking request 78 debug3: mm_request_send entering: type 79 debug3: mm_request_receive entering debug3: mm_request_receive_expect entering: type 79 debug3: mm_request_receive entering debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug3: mm_request_send entering: type 78 debug3: monitor_read: checking request 78 debug3: mm_request_send entering: type 79 debug3: mm_request_receive entering debug3: mm_request_receive_expect entering: type 79 debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug3: mm_request_send entering: type 0 debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 1024 8192 debug3: mm_request_send entering: type 1 debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP 
sent debug3: Wrote 152 bytes for a total of 1013 debug2: dh_gen_key: priv key bits set: 137/256 debug2: bits set: 484/1024 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: bits set: 518/1024 debug3: mm_key_sign entering debug3: mm_request_send entering: type 5 debug3: monitor_read: checking request 5 debug3: mm_answer_sign debug3: mm_answer_sign: signature 0x7f74f925a0d0(271) debug3: mm_request_send entering: type 6 debug2: monitor_read: 5 used once, disabling now debug3: mm_request_receive entering debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 6 debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: Wrote 720 bytes for a total of 1733 debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug3: Wrote 48 bytes for a total of 1781 debug1: userauth-request for user abrown service ssh-connection method none debug1: attempt 0 failures 0 debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 7 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 8 debug3: mm_request_receive entering debug3: monitor_read: checking request 7 debug3: mm_answer_pwnamallow debug2: parse_server_config: config reprocess config len 602 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 8 debug2: monitor_read: 7 used once, disabling now debug3: mm_request_receive entering debug2: input_userauth_request: setting up authctxt for abrown debug3: mm_start_pam entering debug3: mm_request_send entering: type 50 debug3: mm_inform_authserv entering debug3: mm_request_send entering: type 3 debug3: mm_inform_authrole entering debug3: mm_request_send entering: type 4 debug2: input_userauth_request: try method none debug3: Wrote 64 bytes for a total of 1845 debug3: 
monitor_read: checking request 50 debug1: PAM: initializing for "abrown" debug1: PAM: setting PAM_RHOST to "10.41.0.145" debug1: PAM: setting PAM_TTY to "ssh" debug2: monitor_read: 50 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 3 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 3 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 4 debug3: mm_answer_authrole: role= debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug1: userauth-request for user abrown service ssh-connection method password debug1: attempt 1 failures 0 debug2: input_userauth_request: try method password debug3: mm_auth_password entering debug3: mm_request_send entering: type 11 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 12 debug3: mm_request_receive entering debug3: monitor_read: checking request 11 debug3: PAM: sshpam_passwd_conv called with 1 messages debug1: PAM: password authentication accepted for abrown debug3: mm_answer_authpassword: sending result 1 debug3: mm_request_send entering: type 12 debug3: mm_request_receive_expect entering: type 51 debug3: mm_request_receive entering debug3: mm_auth_password: user authenticated debug3: mm_do_pam_account entering debug3: mm_request_send entering: type 51 debug3: mm_request_receive_expect entering: type 52 debug3: mm_request_receive entering debug1: do_pam_account: called debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied) debug3: mm_request_send entering: type 52 Failed password for abrown from 10.41.0.145 port 42145 ssh2 debug3: mm_do_pam_account returning 0 Access denied for user abrown by PAM account configuration debug1: do_cleanup debug3: PAM: sshpam_thread_cleanup entering debug3: mm_request_send entering: type 80 debug3: mm_request_receive_expect entering: type 81 debug3: 
mm_request_receive entering debug3: mm_request_receive entering debug3: monitor_read: checking request 80 debug3: mm_request_send entering: type 81 debug3: mm_request_receive entering debug1: do_cleanup debug1: PAM: cleanup debug3: PAM: sshpam_thread_cleanup entering
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On Wed, Apr 29, 2015 at 04:23:01PM +0000, Sterling Sahaydak wrote:
Solved my issue!
The key wasn't from the messages running sssd using: /usr/sbin/sssd -D -ddd and reading what was sent to screen.
Instead it was looking within the sssd_LDAP.log file itself:
(Wed Apr 29 11:42:58 2015) [sssd[be[LDAP]]] [sdap_access_filter_send] (0x0400): No filter set.
(Wed Apr 29 11:42:58 2015) [sssd[be[LDAP]]] [sdap_access_done] (0x0400): Access was denied.
The ldap_access_filter set to:
ldap_access_filter = ou=example,dc=ad,dc=example,dc=com
Appears this is not a filter.
To resolve, changed it to use:
ldap_access_filter = memberof=cn=groupname,ou=groups,dc=ad,dc=example,dc=com
The documentation is a little vague for ldap_access_filter as to what clearly qualifies as a filter.
Malformed filter in the code didn't appear to get triggered?
Thanks again to Jakub and Sumit for taking the time to help!!!
I'm glad it works fine for you now, but please note the simple access provider is a much better choice for restricting access by groups because the memberof attribute in AD only points to direct parents, not all parents.
Thanks Jakub.
Hmmm, not sure I understand, can you elaborate with an example using dc=ad,dc=example,dc=com?
Thanks,
Sterling
------ Original Message ------
From: "Jakub Hrozek" jhrozek@redhat.com
To: "Sterling Sahaydak" sterling.sahaydak@pi-coral.com
Cc: "Sumit Bose" sbose@redhat.com; "End-user discussions about the System Security Services Daemon" sssd-users@lists.fedorahosted.org
Sent: 4/29/2015 12:29:11 PM
Subject: Re: [SSSD-users] SSH - sssd: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
On Wed, Apr 29, 2015 at 04:35:29PM +0000, Sterling Sahaydak wrote:
Thanks Jakub.
Hmmm, not sure I understand, can you elaborate with an example using dc=ad,dc=example,dc=com?
Well, your example used:
ldap_access_filter = memberof=cn=groupname,ou=groups,dc=ad,dc=example,dc=com
Which reads to me as 'only allow users who are members of groupname'.
The same could be specified as:
access_provider = simple
simple_allow_groups = groupname
The difference is if there was another intermediate group between the user and groupname: user -> foogr -> groupname
Then AFAIU user would only have memberof:cn=foogr in his LDAP attribute in AD, so the access filter wouldn't match. In contrast, the simple access provider is called after all the group memberships are evaluated, so it would work even with group nesting.
I want to be sure I understand this as well...
So, when you have ldap_group_search_base defined, using simple will look for any group name that is defined where the groupname would be (essentially) cn=groupname within the entire ldap_group_search_base definition? For example, if you had the following:
ldap_group_search_base = ou=Groups,ou=Test,dc=example,dc=com?subtree?ou=Groups,ou=Default,dc=example,dc=com?subtree?
the group cn was
cn=groupname,ou=Groups,ou=Default,dc=example,dc=com
then using:
access_provider = simple
simple_allow_groups = groupname
would trigger the allow without needing to know the fully defined attribute? I think the answer is "yes". If so, definitely seems "simpler".
=G=
________________________________________
From: sssd-users-bounces@lists.fedorahosted.org on behalf of Jakub Hrozek jhrozek@redhat.com
Sent: Wednesday, April 29, 2015 1:37 PM
To: Sterling Sahaydak
Cc: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] SSH - sssd: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
On Wed, Apr 29, 2015 at 06:33:01PM +0000, Galen Johnson wrote:
The principal difference is that the filter-based options are applied on the /user entry on the server side/. With ldap_access_filter in effect, we run an LDAP search along the following lines:
(&(objectclass=user)(name=$login_name)($ldap_access_filter))
If the user entry matches, we allow access. The upside is that this can be used for any custom filter. For instance, you could only allow users who use bash and work for the IT department:
ldap_access_filter = (&(loginShell=/bin/bash)(department=IT))
The downside is that many server implementations, notably AD, don't offer an easy way for parent groups to be referenced from the user entry.
The simple access provider, on the other hand, is applied on the entries in the SSSD cache. The upside is that SSSD resolves the complete[*] nested group hierarchy for you prior to running the check. The downside is that only access based on group name or user name can be allowed. But then again, that's what most deployments do anyway.
Btw when talking about AD, I should bring up that since 1.12, SSSD supports using GPOs for access control. There might still be some rough edges here and there, so feel free to report bugs!
[*] there is a configurable nesting limit that defaults to 2 nesting levels with the LDAP provider. The AD provider uses tokenGroups by default which unrolls the memberships, so the nesting doesn't really apply for the AD provider.
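As an added illustration of the two points Jakub makes above (the user search that ldap_access_filter is substituted into, and why a memberOf item only sees direct parents while the simple provider's check runs after nested groups are resolved), here is example code that is not part of the thread or of SSSD. The directory entries are constructed sample data, and wrapping a bare attr=value item in parentheses is this example's own assumption.

```python
BASE = "ou=groups,dc=ad,dc=example,dc=com"
USER_DN = "cn=abrown,ou=users,dc=ad,dc=example,dc=com"

# Constructed AD-style entries (attribute names lower-cased, values as lists).
# The user's memberOf lists only the direct parent group, as AD does.
USER = {"objectclass": ["user"], "name": ["abrown"],
        "memberof": [f"cn=foogr,{BASE}"]}
GROUPS = {f"cn=foogr,{BASE}": {"member": [USER_DN]},
          f"cn=groupname,{BASE}": {"member": [f"cn=foogr,{BASE}"]}}


def access_search_filter(login_name, access_filter):
    """Compose the server-side search that ldap_access_filter is fed into."""
    f = access_filter.strip()
    if not f.startswith("("):
        f = f"({f})"      # assumption: a bare attr=value item needs parentheses
    return f"(&(objectclass=user)(name={login_name}){f})"


def _parse(s, i=0):
    """Parse a small RFC 4515 subset: &, |, ! and attr=value items."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1          # step over the closing ')'
    j = s.index(")", i)
    attr, _, val = s[i:j].partition("=")  # value may itself contain '='
    return ("=", attr.lower(), val), j + 1


def matches(filter_str, entry):
    """Evaluate a filter against one entry, i.e. the server-side view."""
    def ev(node):
        if node[0] == "=":
            return node[2].lower() in map(str.lower, entry.get(node[1], []))
        if node[0] == "&":
            return all(map(ev, node[1]))
        if node[0] == "|":
            return any(map(ev, node[1]))
        return not ev(node[1][0])         # '!'
    return ev(_parse(filter_str)[0])


def group_closure(groups, member_dn, nesting_level=2):
    """Direct groups plus parent groups, following at most nesting_level hops."""
    found = frontier = {dn for dn, g in groups.items() if member_dn in g["member"]}
    for _ in range(nesting_level):
        frontier = {dn for dn, g in groups.items()
                    if frontier & set(g["member"])} - found
        found = found | frontier
    return found


def simple_allows(groups, member_dn, allow_groups, nesting_level=2):
    """The simple provider's check: group names from the resolved closure."""
    cns = {dn.split(",", 1)[0].split("=", 1)[1]
           for dn in group_closure(groups, member_dn, nesting_level)}
    return bool(cns & set(allow_groups))
```

With these inputs the DN-style value from the original sssd.conf never matches a user entry, a memberof item matches only the direct parent foogr, and the closure-based check allows groupname through the nesting.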