On 9 May 2013 12:40, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Thu, May 09, 2013 at 10:58:52AM +0000, David Frost wrote:
> Hi,
>
> Thanks for the help, I increased the debug level and found that it was my ldap_access_filter that wasn't allowing the user to login. It just happened that the error in the log was saying the account had expired, when really it hadn't.
>

Does the login work now?


I can now log in via ssh as a user in LDAP, but still not on the console. I am assuming that this could be a PAM issue; I am not sure at the moment. I can still log in as root on the console, which is all I need.

> Initially I too thought it may have been missing attributes, but turned out not to be the case.
>

I think this is bad error reporting on the sshd side, according to the
/var/log/secure snippet, SSSD returned PAM_PERM_DENIED as expected.

Indeed, this could well be the case, but at least the extra debugging in the sssd logs gave me the correct information.

> Thanks again,
> Regards David.
>
> From: David Frost
> Sent: Wednesday, May 08, 2013 12:27 PM
> To: 'sssd-devel@lists.fedorahosted.org'
> Subject: SSSD with SSH and PAM Account Expired
>
> Hi, having configured SSSD on RHEL 6.4 to connect to our OpenLDAP server successfully, I can get a list of users and groups using the getent command but cannot ssh into the host or log in via the console.
>
> The following error message is returned in /var/log/secure:
>
> May  8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.21.1 user=jimbob
> May  8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied for user jimbob: 6 (Permission denied)
> May  8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired for jimbob from 10.21.21.1
>
> These are my ldap details:
>
> # extended LDIF
> #
> # LDAPv3
> # base <uid=jimbob,ou=people,dc=XXX,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # jimbob, People, XXX.com
> dn: uid=jimbob,ou=People,dc=XXX,dc=com
> givenName: Jim
> sn: Bob
> uid: jimbob
> uidNumber: 1081
> homeDirectory: /home/jimbob
> loginShell: /bin/bash
> cn: Jim Bob
> gidNumber: 1398
> mail: jim.bob@XXX.com
> userPassword:: XXX
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: ldapPublicKey
> objectClass: shadowAccount
>
>
> If I comment out the following line in /etc/pam.d/password-auth then I can log in via ssh but still not the console.
>
> #account     [default=bad success=ok user_unknown=ignore] pam_sss.so
>
> Any help would be greatly appreciated.
>
> Thanks in advance, David.
>

> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel



Thanks for your help, all I now have to sort is the sudo LDAP stuff, again the access filters seem to be my main issue.

Regards,

David.
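The diagnostic lesson of this thread is that sshd's "User account has expired" line is a generic message, while the pam_sss account-phase line carries the real PAM return code (6 is PAM_PERM_DENIED in Linux-PAM's numbering, the code SSSD returns when an access filter rejects the user). The following script is an added example, not SSSD or sshd code: it correlates the three /var/log/secure lines quoted in the thread per user and reports the actual verdict. The regular expressions are assumptions about the message format as it appears in the quoted snippet, and the function names are this example's own.

```python
"""Correlate pam_sss lines in /var/log/secure to find the real PAM
verdict behind sshd's generic "User account has expired" message.

Added example for this thread; not SSSD or sshd code. The three sample
lines below are copied from the original post; the parsing rules and
function names are assumptions made by this example.
"""
import re
from collections import defaultdict

# Linux-PAM return codes as pam_sss reports them numerically in its
# "Access denied for user X: N (...)" message (Linux-PAM numbering).
PAM_CODES = {
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    10: "PAM_USER_UNKNOWN",
    12: "PAM_NEW_AUTHTOK_REQD",
    13: "PAM_ACCT_EXPIRED",
}

# Sample input: the /var/log/secure snippet from the original post.
SAMPLE_LOG = """\
May  8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.21.1 user=jimbob
May  8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied for user jimbob: 6 (Permission denied)
May  8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired for jimbob from 10.21.21.1
"""

# Assumed message shapes, taken from the quoted log lines.
AUTH_RE = re.compile(r"pam_sss\(\w+:auth\): authentication success;.* user=(\S+)")
ACCT_RE = re.compile(r"pam_sss\(\w+:account\): Access denied for user (\S+): (\d+)")
SSHD_RE = re.compile(r"sshd\[\d+\]: error: PAM: (.+?) for (\S+) from (\S+)")


def parse_pam_sss(log_text):
    """Return {user: {"auth_ok", "account_code", "sshd_message"}} built
    from the pam_sss auth/account lines and sshd's own PAM error line."""
    users = defaultdict(lambda: {"auth_ok": False,
                                 "account_code": None,
                                 "sshd_message": None})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            users[m.group(1)]["auth_ok"] = True
            continue
        m = ACCT_RE.search(line)
        if m:
            users[m.group(1)]["account_code"] = int(m.group(2))
            continue
        m = SSHD_RE.search(line)
        if m:
            users[m.group(2)]["sshd_message"] = m.group(1)
    return dict(users)


def explain(user_record):
    """Classify one user's record. The point from the thread: a password
    that is accepted in the auth phase followed by code 6 in the account
    phase is a policy denial (for example an ldap_access_filter mismatch),
    not an expired account, whatever sshd's summary line says."""
    code = user_record["account_code"]
    if code is None:
        return "no account-phase denial from pam_sss"
    name = PAM_CODES.get(code, f"unknown PAM code {code}")
    if code == 6 and user_record["auth_ok"]:
        return (f"password accepted, then {name}: check access control "
                f"(ldap_access_filter / access_provider), not account expiry")
    if code == 13:
        return f"{name}: the account really is expired"
    return name


def report(log_text):
    """Map each user seen in the log to a one-line verdict."""
    return {user: explain(rec) for user, rec in parse_pam_sss(log_text).items()}


if __name__ == "__main__":
    for user, verdict in report(SAMPLE_LOG).items():
        print(f"{user}: {verdict}")
```

Run against the thread's snippet, the report for jimbob points at access control rather than expiry, which is exactly what the higher debug level in the SSSD logs revealed; the same parser can be pointed at a live /var/log/secure to triage other "account has expired" reports.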