Hi!
As an LDAP newbie (but not a UNIX newbie) I am trying to set up a test environment.
I use OpenDJ from Forgerock, and sssd on Ubuntu 16.10. System info further down.
I think I have a working server setup; I have a test user "sven" that I can find with various methods like:
sudo ldapsearch -xv -h ldap -LLL -b "dc=hemma,dc=home" uid=sven
ldap_initialize( ldap://ldap )
filter: uid=sven
requesting: All userApplication attributes
dn: uid=sven,ou=People,dc=hemma,dc=home
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: top
gidNumber: 1003
uid: sven
sn: Persson
cn: SvenP
initials: SPE
description: This is the description for Sven Persson, test user
givenName: Sven
homeDirectory: /mnt/nfs/home/sven
uidNumber: 1003
or:
id sven
uid=1003(sven) gid=1003(sven) groups=1003(sven)
or:
getent passwd sven
sven:*:1003:1003:SvenP:/mnt/nfs/home/sven:
or:
getent group sven
sven:*:1003:sven
BUT!
NOT with getent shadow.
and:
I can't log in, not on the workstation, nor with ssh or su user. I have a strong feeling it is PAM...
Here are some lines from /var/log/auth.log when I tried su user:
Dec 6 11:29:34 GX620 su[2069]: pam_unix(su:auth): authentication failure; logname=bo uid=1000 euid=0 tty=/dev/pts/1 ruser=bo rhost= user=sven
Dec 6 11:29:34 GX620 su[2069]: pam_sss(su:auth): authentication failure; logname=bo uid=1000 euid=0 tty=/dev/pts/1 ruser=bo rhost= user=sven
Dec 6 11:29:34 GX620 su[2069]: pam_sss(su:auth): received for user sven: 6 (Permission denied)
Dec 6 11:29:34 GX620 su[2069]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Dec 6 11:29:34 GX620 su[2069]: pam_ldap: reconnecting to LDAP server...
Dec 6 11:29:34 GX620 su[2069]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Dec 6 11:29:36 GX620 su[2069]: pam_authenticate: Authentication failure
Dec 6 11:29:36 GX620 su[2069]: FAILED su for sven by bo
System information:
System: Ubuntu 16.10
sssd version: 1.13.4
LDAP server: OpenDJ 3.0
sssd.conf:
~$ sudo cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss,pam
domain = HEMMA.HOME
[nss]
filter_users = root
filter_groups = root
[pam]
[domain/HEMMA.HOME]
autofs_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=hemma,dc=home
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_tls_reqcert = never
ldap_uri = ldap://ldap:389
ldap_id_use_start_tls = False
cache_credentials = True
enumerate = True
PAM:
~$ cat /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]    pam_permit.so
# here's the fallback if no module succeeds
session requisite      pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required       pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional       pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required       pam_unix.so
session optional       pam_sss.so
session optional       pam_ldap.so
session optional       pam_systemd.so
session optional       pam_cgfs.so -c freezer,memory,name=systemd
# end of pam-auth-update config
When I google around, there is not much good information about sssd on Ubuntu. I see a suggestion of using /etc/auth-client-config/profile.d/sss; it seems to be used instead of nsswitch and pam. Does someone know something about that? I haven't tried it yet; I'll await some feedback from this list first.
Best regards from
Johan Kragsterman
Capvert
On Tue, Dec 06, 2016 at 01:15:18PM +0100, Johan Kragsterman wrote:
Hi!
As an LDAP newbie (but not a UNIX newbie) I am trying to set up a test environment.
I use OpenDJ from Forgerock, and sssd on Ubuntu 16.10. System info further down.
I think I have a working server setup; I have a test user "sven" that I can find with various methods like:
sudo ldapsearch -xv -h ldap -LLL -b "dc=hemma,dc=home" uid=sven
ldap_initialize( ldap://ldap )
filter: uid=sven
requesting: All userApplication attributes
dn: uid=sven,ou=People,dc=hemma,dc=home
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: top
gidNumber: 1003
uid: sven
sn: Persson
cn: SvenP
initials: SPE
description: This is the description for Sven Persson, test user
givenName: Sven
homeDirectory: /mnt/nfs/home/sven
uidNumber: 1003
or:
id sven
uid=1003(sven) gid=1003(sven) groups=1003(sven)
or:
getent passwd sven
sven:*:1003:1003:SvenP:/mnt/nfs/home/sven:
or:
getent group sven
sven:*:1003:sven
BUT!
NOT with getent shadow.
We don't implement the shadow map. Users log in by binding to the remote directory.
and:
I can't log in, not on the workstation, nor with ssh or su user. I have a strong feeling it is PAM...
Here are some lines from /var/log/auth.log when I tried su user:
Dec 6 11:29:34 GX620 su[2069]: pam_unix(su:auth): authentication failure; logname=bo uid=1000 euid=0 tty=/dev/pts/1 ruser=bo rhost= user=sven
Dec 6 11:29:34 GX620 su[2069]: pam_sss(su:auth): authentication failure; logname=bo uid=1000 euid=0 tty=/dev/pts/1 ruser=bo rhost= user=sven
Dec 6 11:29:34 GX620 su[2069]: pam_sss(su:auth): received for user sven: 6 (Permission denied)
Please provide sssd logs: https://fedorahosted.org/sssd/wiki/Troubleshooting
Dec 6 11:29:34 GX620 su[2069]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Dec 6 11:29:34 GX620 su[2069]: pam_ldap: reconnecting to LDAP server...
Dec 6 11:29:34 GX620 su[2069]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Dec 6 11:29:36 GX620 su[2069]: pam_authenticate: Authentication failure
Dec 6 11:29:36 GX620 su[2069]: FAILED su for sven by bo
I would recommend against using pam_ldap and pam_sss together.
System information:
System: Ubuntu 16.10
sssd version: 1.13.4
LDAP server: OpenDJ 3.0
sssd.conf:
~$ sudo cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss,pam
domain = HEMMA.HOME
[nss]
filter_users = root
filter_groups = root
[pam]
[domain/HEMMA.HOME]
autofs_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=hemma,dc=home
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_tls_reqcert = never
ldap_uri = ldap://ldap:389
ldap_id_use_start_tls = False
cache_credentials = True
enumerate = True
Depending on your directory size, enumerate=true is not a good choice. Please revert the setting at least for debugging the issue (examining the logs with enumerate=true is much harder than without).
Hi!
-----Jakub Hrozek jhrozek@redhat.com wrote: -----
To: sssd-users@lists.fedorahosted.org
From: Jakub Hrozek jhrozek@redhat.com
Date: 2016-12-06 12:23
Subject: [SSSD-users] Re: ubuntu sssd initial setup pam(?) problem
On Tue, Dec 06, 2016 at 01:15:18PM +0100, Johan Kragsterman wrote:
Dec 6 11:29:34 GX620 su[2069]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Dec 6 11:29:34 GX620 su[2069]: pam_ldap: reconnecting to LDAP server...
Dec 6 11:29:34 GX620 su[2069]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Dec 6 11:29:36 GX620 su[2069]: pam_authenticate: Authentication failure
Dec 6 11:29:36 GX620 su[2069]: FAILED su for sven by bo
I would recommend against using pam_ldap and pam_sss together.
Honestly, I didn't even know that pam-ldap was installed/configured to be used! I already understood that it was not supposed to be used together with pam-sss. I have not installed it, so give me a hint where pam-ldap is configured, so I can reconfigure it, or should I just uninstall it? I installed this: sssd libpam-sss libnss-sss libnss-ldap. Nothing else. And I can't see anything in the conf files that relates to pam-ldap. Like in nsswitch.conf, nothing refers to ldap, only sss.
[domain/HEMMA.HOME]
autofs_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=hemma,dc=home
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_tls_reqcert = never
ldap_uri = ldap://ldap:389
ldap_id_use_start_tls = False
cache_credentials = True
enumerate = True
Depending on your directory size, enumerate=true is not a good choice. Please revert the setting at least for debugging the issue (examining the logs with enumerate=true is much harder than without).
On Tue, Dec 06, 2016 at 02:05:23PM +0100, Johan Kragsterman wrote:
Hi!
-----Jakub Hrozek jhrozek@redhat.com wrote: -----
To: sssd-users@lists.fedorahosted.org
From: Jakub Hrozek jhrozek@redhat.com
Date: 2016-12-06 12:23
Subject: [SSSD-users] Re: ubuntu sssd initial setup pam(?) problem
On Tue, Dec 06, 2016 at 01:15:18PM +0100, Johan Kragsterman wrote:
Dec 6 11:29:34 GX620 su[2069]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Dec 6 11:29:34 GX620 su[2069]: pam_ldap: reconnecting to LDAP server...
Dec 6 11:29:34 GX620 su[2069]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Dec 6 11:29:36 GX620 su[2069]: pam_authenticate: Authentication failure
Dec 6 11:29:36 GX620 su[2069]: FAILED su for sven by bo
I would recommend against using pam_ldap and pam_sss together.
Honestly, I didn't even know that pam-ldap was installed/configured to be used! I already understood that it was not supposed to be used together with pam-sss. I have not installed it, so give me a hint where pam-ldap is configured, so I can reconfigure it, or should I just uninstall it? I installed this: sssd libpam-sss libnss-sss libnss-ldap. Nothing else.
libnss-ldap is nss_ldap's own LDAP module; you normally don't need it unless you configure 'ldap' somewhere in nsswitch.conf. I don't know how to set up the PAM stack on Ubuntu or Debian, though, sorry. But if you don't use the PAM module at all, you can remove it.
And I can't see anything in the conf files that relates to pam-ldap. Like in nsswitch.conf, nothing refers to ldap, only sss.
[domain/HEMMA.HOME]
autofs_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=hemma,dc=home
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_tls_reqcert = never
ldap_uri = ldap://ldap:389
ldap_id_use_start_tls = False
cache_credentials = True
enumerate = True
Depending on your directory size, enumerate=true is not a good choice. Please revert the setting at least for debugging the issue (examining the logs with enumerate=true is much harder than without).
BTW, the logs are still needed to see why your login fails.
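A small shell audit, added here as an example (not code from the thread or from the SSSD project), for the three points raised in Jakub's two replies above: pam_ldap.so and pam_sss.so stacked together in one PAM file, an 'ldap' source left in nsswitch.conf (the only reason libnss-ldap would be needed), and enumerate = True in sssd.conf. The function names, the file paths it takes as arguments and the sample configuration files it builds under a temporary directory are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or the SSSD project: audit the PAM stack,
# nsswitch.conf and sssd.conf for the three problems raised in the replies.
# Paths are passed in as arguments so the checks also work on copied files.

# Drop comment and blank lines so a module named in a comment does not count.
active_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# Return 0 if the PAM file enables both pam_ldap.so and pam_sss.so.
pam_mixes_ldap_and_sss() {
    active_lines "$1" | grep -q 'pam_ldap\.so' &&
    active_lines "$1" | grep -q 'pam_sss\.so'
}

# Return 0 if an nsswitch.conf lists 'ldap' as a source for any database.
nsswitch_uses_ldap() {
    active_lines "$1" | grep -Eq '^[[:alpha:]_]+:.*[[:space:]]ldap([[:space:]]|$)'
}

# Return 0 if an sssd.conf sets enumerate = True (any case) in any section.
sssd_enumerates() {
    active_lines "$1" | grep -Eiq '^enumerate[[:space:]]*=[[:space:]]*true$'
}

# Print one WARN line per finding; return 0 only when nothing was flagged.
audit_auth_config() {
    pam_file="$1"; nss_file="$2"; sssd_file="$3"; problems=0
    if pam_mixes_ldap_and_sss "$pam_file"; then
        echo "WARN: $pam_file uses pam_ldap.so and pam_sss.so together; keep pam_sss.so only"
        problems=$((problems + 1))
    fi
    if nsswitch_uses_ldap "$nss_file"; then
        echo "WARN: $nss_file still has an 'ldap' source; with sssd only 'sss' is needed"
        problems=$((problems + 1))
    fi
    if sssd_enumerates "$sssd_file"; then
        echo "WARN: $sssd_file sets enumerate = True; set it to False, at least while debugging"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample files: the first set mirrors the configuration posted in
# the thread, the *.fixed files are the cleaned-up versions.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/common-session" <<'EOF'
# a comment that names pam_ldap.so must not trigger the check
session required pam_unix.so
session optional pam_sss.so
session optional pam_ldap.so
EOF
cat > "$SAMPLE_DIR/common-session.fixed" <<'EOF'
session required pam_unix.so
session optional pam_sss.so
EOF
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd: compat sss
group:  compat sss
shadow: compat sss
EOF
cat > "$SAMPLE_DIR/nsswitch.conf.ldap" <<'EOF'
passwd: compat ldap
group:  compat ldap
EOF
cat > "$SAMPLE_DIR/sssd.conf" <<'EOF'
[domain/HEMMA.HOME]
id_provider = ldap
auth_provider = ldap
enumerate = True
EOF
cat > "$SAMPLE_DIR/sssd.conf.fixed" <<'EOF'
[domain/HEMMA.HOME]
id_provider = ldap
auth_provider = ldap
enumerate = False
EOF

# On a real Ubuntu box the call would be:
#   audit_auth_config /etc/pam.d/common-session /etc/nsswitch.conf /etc/sssd/sssd.conf
audit_auth_config "$SAMPLE_DIR/common-session" "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/sssd.conf" || true
audit_auth_config "$SAMPLE_DIR/common-session.fixed" "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/sssd.conf.fixed" && echo "fixed set: no findings"
```

Run it once per PAM file that pam-auth-update manages (common-auth, common-account, common-password, common-session), since a stray pam_ldap.so line in any of them would still be consulted; the sssd and nsswitch checks only need to run once.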