Hi,
Thanks for the help, I increased the debug level and found that it was my ldap_access_filter that wasn't allowing the user to login. It just happened that the error in the log was saying the account had expired, when really it hadn't.
Initially I too thought it may have been missing attributes, but turned out not to be the case.
Thanks again, Regards David.
From: David Frost
Sent: Wednesday, May 08, 2013 12:27 PM
To: 'sssd-devel@lists.fedorahosted.org'
Subject: SSSD with SSH and PAM Account Expired
Hi, having configured SSSD on RHEL 6.4 to connect to our OpenLDAP server successfully, I can get a list of users and groups using the getent command but cannot ssh into the host or login via the console.
The following error message is returned in /var/log/secure:
May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.21.1 user=jimbob
May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied for user jimbob: 6 (Permission denied)
May 8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired for jimbob from 10.21.21.1
These are my ldap details:
# extended LDIF
#
# LDAPv3
# base <uid=jimbob,ou=people,dc=XXX,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# jimbob, People, XXX.com
dn: uid=jimbob,ou=People,dc=XXX,dc=com
givenName: Jim
sn: Bob
uid: jimbob
uidNumber: 1081
homeDirectory: /home/jimbob
loginShell: /bin/bash
cn: Jim Bob
gidNumber: 1398
mail: jim.bob@XXX.com
userPassword:: XXX
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: ldapPublicKey
objectClass: shadowAccount
If I comment out the following line in /etc/pam.d/password-auth then I can login via ssh but still not the console.
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
Any help would be greatly appreciated.
Thanks in advance, David.
Truphone Limited, registered in England and Wales (registered company number: 04187081). Registered office: 4 Royal Mint Court, London EC3N 4HJ. VAT No. GB 851 5278 19
This e-mail, and any attachment(s), may contain information which is confidential and/or privileged, and is intended for the addressee only. If you are not the intended recipient, you may not use, disclose, copy or distribute this information in any manner whatsoever. If you have received this e-mail in error, please contact the sender immediately and delete it.
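The mismatch David describes, as an added example that is not sssd's code and not from the thread: a small evaluator for a subset of LDAP filter syntax (&, |, !, attr=value, attr=*) run against the entry he posted (trimmed to the attributes consulted), with assumed ldap_access_filter values such as one requiring a host attribute the entry does not carry.

```python
# Added illustration (not sssd code, not from the thread): evaluate a subset of
# RFC 4515 LDAP filters (&, |, !, attr=value, attr=*) against an LDIF entry, to
# show how an ldap_access_filter that misses the entry denies the account phase.

# The entry from the thread, trimmed to the attributes the filters below consult.
ENTRY_LDIF = """\
dn: uid=jimbob,ou=People,dc=XXX,dc=com
uid: jimbob
uidNumber: 1081
gidNumber: 1398
homeDirectory: /home/jimbob
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
"""

def parse_ldif(text):
    """Return {attr_lower: [values]} for one LDIF entry (comments skipped)."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def _eval(filt, entry):
    """Recursive-descent evaluator; returns (matched, unparsed_remainder)."""
    assert filt.startswith("("), "filter must start with '('"
    if filt[1] in "&|!":
        op, rest, results = filt[1], filt[2:], []
        while rest.startswith("("):
            ok, rest = _eval(rest, entry)
            results.append(ok)
        assert rest.startswith(")") and results, "malformed compound filter"
        val = {"&": all, "|": any, "!": lambda r: not r[0]}[op](results)
        return val, rest[1:]
    end = filt.index(")")
    attr, _, want = filt[1:end].partition("=")
    have = entry.get(attr.lower(), [])           # absent attribute -> no match
    if want == "*":                               # presence test
        return bool(have), filt[end + 1:]
    # caseIgnoreMatch approximation; the real matching rule depends on attribute syntax
    return want.lower() in (v.lower() for v in have), filt[end + 1:]

def access_allowed(ldap_access_filter, ldif_text=ENTRY_LDIF):
    """True if the entry satisfies the filter, i.e. the ldap access provider would allow it."""
    matched, rest = _eval(ldap_access_filter, parse_ldif(ldif_text))
    assert rest == "", "trailing text after filter"
    return matched
```

A filter like `(&(objectClass=posixAccount)(host=rh-test-mg01))` fails here only because the entry has no host attribute, which is exactly the kind of silent denial that surfaces as a PAM account-phase failure.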
On Thu, May 09, 2013 at 10:58:52AM +0000, David Frost wrote:
Hi,
Thanks for the help, I increased the debug level and found that it was my ldap_access_filter that wasn't allowing the user to login. It just happened that the error in the log was saying the account had expired, when really it hadn't.
Does the login work now?
Initially I too thought it may have been missing attributes, but turned out not to be the case.
I think this is bad error reporting on the sshd side, according to the /var/log/secure snippet, SSSD returned PAM_PERM_DENIED as expected.
Thanks again, Regards David.
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
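Jakub's point that the numeric pam_sss result is the reliable signal, as an added example that is not code from the thread, sssd or sshd: the three /var/log/secure lines David posted are correlated per sshd PID and the verdict is derived from the PAM return code (6 is PAM_PERM_DENIED in Linux-PAM) instead of from sshd's generic "account has expired" message.

```python
# Added illustration, not code from the thread, sssd or sshd: correlate the
# pam_sss lines in /var/log/secure per sshd PID and report the account-phase
# result from the numeric PAM code, rather than from sshd's "account has expired".
import re

# Linux-PAM return codes that matter for the account phase
PAM_CODES = {6: "PAM_PERM_DENIED", 12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED"}

# The three lines David posted; note the pam_sss lines and sshd's summary carry different PIDs
SAMPLE_SECURE_LOG = """\
May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.21.1 user=jimbob
May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied for user jimbob: 6 (Permission denied)
May 8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired for jimbob from 10.21.21.1
"""

PAM_SSS_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:(?P<phase>auth|account)\): (?P<msg>.*)")
DENIED_RE = re.compile(r"for user (?P<user>\S+): (?P<code>\d+)")

def triage(log_text):
    """Map user -> (auth_succeeded, pam_code_name, explanation), one entry per sshd PID."""
    sessions = {}
    for line in log_text.splitlines():
        m = PAM_SSS_RE.search(line)
        if not m:
            continue                      # e.g. sshd's own "account has expired" line
        s = sessions.setdefault(m["pid"], {})
        if m["phase"] == "auth":
            s["auth_ok"] = m["msg"].startswith("authentication success")
            u = re.search(r"user=(\S+)", m["msg"])
            s["user"] = u.group(1) if u else s.get("user")
        else:
            d = DENIED_RE.search(m["msg"])
            if d:
                s["user"], s["code"] = d["user"], int(d["code"])
    verdicts = {}
    for s in sessions.values():
        if "code" not in s or not s.get("user"):
            continue
        name = PAM_CODES.get(s["code"], "PAM code %d" % s["code"])
        if s["code"] == 6:
            why = "denied by the account phase: check sssd access_provider / ldap_access_filter, the account is not expired"
        elif s["code"] == 13:
            why = "the directory reports the account as expired"
        else:
            why = "see PAM code"
        verdicts[s["user"]] = (bool(s.get("auth_ok")), name, why)
    return verdicts
```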
On 9 May 2013 12:40, Jakub Hrozek jhrozek@redhat.com wrote:
On Thu, May 09, 2013 at 10:58:52AM +0000, David Frost wrote:
Hi,
Thanks for the help, I increased the debug level and found that it was my ldap_access_filter that wasn't allowing the user to login. It just happened that the error in the log was saying the account had expired, when really it hadn't.
Does the login work now?
I can now log in via ssh as a user in LDAP, but not the console still. I am assuming that this could be a PAM issue, not sure at the moment. I can log in as root on the console still, this is all I need.
Initially I too thought it may have been missing attributes, but turned out not to be the case.
I think this is bad error reporting on the sshd side, according to the /var/log/secure snippet, SSSD returned PAM_PERM_DENIED as expected.
Indeed, this could well be the case, but at least the extra debugging in the sssd logs gave me the correct information.
Thanks again, Regards David.
Thanks for your help, all i now have to sort is the sudo ldap stuff, again the access filters seem to be my main issue.
Regards,
David.