On Mon, Jul 28, 2014 at 07:01:16PM +0000, Sterling Sahaydak wrote:
> Hi Jakub,
> Greatly appreciate you taking the time and providing help!
> Answer to your questions:
> 1) Can you also include debugging from the pam responder?
> Hmmm, yes - I want to, but having issues enabling the logging to:
> sssd_pam.log
I don't think we need that anymore, the reason is clear from
/var/log/secure.
> Seems like I have everything going to: sssd_LDAP.log
> Obviously, I'm a unix newbie. If you can provide how to enable that would
> be greatly appreciated. Wasn't clear with syslog enabling?
> 2) I would suggest to not use enumerate=true unless some legacy application
> needs that.
> I've updated this to: enumerate=false
> Thanks!
> 3) Why do you have two domains defined with the same server but access
> control defined only in the first one.
> Hmmm, not sure here what 'defined only in the first one'? I'm sure it's a
> configuration setup issue on my part in not understanding.
Judging by the name 'default', I guess it was set up by authconfig;
default is the name authconfig uses for all its domains.
> 4) The PAM config looks OK to me, although you might want to re-run
> # authconfig --enablesssdauth --enablesssd --update
> to make sure.
> So... I entered "authconfig --enablesssdauth --enablesssd --update" on the
> cmd line but didn't see anything.
Normally this means the utility did its job :)
> 5) Did you include 'sss' to /etc/nsswitch.conf?
> #passwd: files sss
> #shadow: files sss
> #group: files sss
> passwd: files sss
> group: files sss
> sudoers: files sss
> #hosts: db files nisplus nis dns
> hosts: files dns
> # Example - obey only what nisplus tells us...
> #services: nisplus [NOTFOUND=return] files
> #networks: nisplus [NOTFOUND=return] files
> #protocols: nisplus [NOTFOUND=return] files
> #rpc: nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks: nisplus [NOTFOUND=return] files
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
> netgroup: files sss
> publickey: nisplus
> automount: files
> aliases: files nisplus
> initgroups: files sss
> shadow: files sss
> What does /var/log/secure say when you attempt to authenticate?
> Jul 28 14:54:10 ldap01 sshd[26892]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=54.215.207.210 user=test1234
> Jul 28 14:54:10 ldap01 sshd[26892]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=54.215.207.210 user=test1234
> Jul 28 14:54:10 ldap01 sshd[26892]: pam_sss(sshd:auth): received for user test1234: 6 (Permission denied)
^^^
OK, here we see the user was authenticated by SSSD, but not allowed
access by the access_provider of sssd.
In your config file I see:
ldap_access_filter = cn=allowedusers,ou=Groups,dc=something,dc=net
That doesn't sound right to me, the ldap_access_filter is supposed to be
a filter applied when looking for the user.
If you want to restrict access to members of a group called
allowedusers, then I would suggest the simple access provider instead:
access_provider = simple
simple_allow_groups = allowedusers
See man sssd-simple for some examples and more info.
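Worked example, added here and not part of the original thread or of SSSD's own documentation: a minimal /etc/sssd/sssd.conf that applies the advice above. The [pam] section's debug_level is what makes /var/log/sssd/sssd_pam.log fill up (the logging question in point 1), the domain keeps enumerate = false, and the misused ldap_access_filter is replaced by the simple access provider, with the original line and a correct ldap-provider alternative left commented out for contrast. The ldap_uri, the CA certificate path and the StartTLS settings are assumptions for illustration; only the group DN and the dc=something,dc=net suffix come from the thread.

```ini
# /etc/sssd/sssd.conf  (must be mode 0600, owned by root, or sssd refuses to start)
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[nss]
debug_level = 6

[pam]
# This section's debug_level is what populates /var/log/sssd/sssd_pam.log.
# Restart sssd after changing it.
debug_level = 6

[domain/default]
# Per-domain log: /var/log/sssd/sssd_default.log (a domain named LDAP writes
# sssd_LDAP.log, which is the file the thread mentions).
debug_level = 6
id_provider = ldap
auth_provider = ldap
# ASSUMED server name and CA path; only the dc=something,dc=net suffix is from the thread.
ldap_uri = ldap://ldap.something.net
ldap_search_base = dc=something,dc=net
# SSSD will not send a password over a clear-text connection. Use StartTLS and
# demand a valid server certificate so the bind cannot be intercepted.
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
# Do not enumerate the whole directory unless a legacy application needs it.
enumerate = false

# Access control: only members of the allowedusers group may log in.
access_provider = simple
simple_allow_groups = allowedusers

# What was there before, kept for contrast. A group DN is not an LDAP search
# filter, so no user entry satisfies it and every successful bind is followed
# by "received for user ...: 6 (Permission denied)" in /var/log/secure.
#access_provider = ldap
#ldap_access_filter = cn=allowedusers,ou=Groups,dc=something,dc=net

# If the ldap access provider is preferred, the filter is evaluated against the
# user's own entry, so the group test has to be expressed on the user. This
# form needs the server to maintain memberOf on user entries (389-ds MemberOf
# plugin, Active Directory, ...).
#access_provider = ldap
#ldap_access_order = filter
#ldap_access_filter = (memberOf=cn=allowedusers,ou=Groups,dc=something,dc=net)
```

After editing, restart sssd (service sssd restart on RHEL 6) and retry the ssh login while watching /var/log/secure and /var/log/sssd/sssd_pam.log: a member of allowedusers should now get "pam_sss(sshd:auth): authentication success", and a non-member still gets the 6 (Permission denied) line, which is the intended outcome rather than a misconfiguration.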