New subject: sssd pam authentication works with su, but not ssh

25 Aug 2016


      I'm using sssd 1.11.7 in a jail on freebsd 10.2. and seeing an odd failure.
sssd is configured for nss, and pam both against an openldap server. Nss seems to work as evidenced by various getent calls.
When I ssh to the jail as an ldap user the authentication fails with return code 9:
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: default
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): user: myuser
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: not set
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: host.edu
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 65873
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [9][default]
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [9].
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 24
(Thu Aug 25 10:55:52 2016) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
When I login to the jail as an un-privleged user and su to the ldap user authentication succeeds:
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): user: myser
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: anotheruser
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 67944
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [myuser@default]
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: default
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): user: myuser
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: anotheruser
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 67944
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][default]
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 24
(Thu Aug 25 11:00:24 2016) [sssd[pam]] [pam_cmd_setcred] (0x0100): entering pam_cmd_setcred
Even weirder is the fact that having once used su to authenticate the ldap user, subsequent attempts to ssh as the ldap user succeed!
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'myuser' matched without domain, user is myuser
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): user: myuser
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: not set
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: host.edu
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 78882
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [myuser@default]
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: default
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): user: myuser
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: not set
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: host.edu
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 78882
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][default]
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 24
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [pam_cmd_setcred] (0x0100): entering pam_cmd_setcred
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'myuser' matched without domain, user is myuser
(Thu Aug 25 11:31:03 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
Suggestions for next steps are welcome.
Thanks