On 9 May 2013 12:40, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
On Thu, May 09, 2013 at 10:58:52AM +0000, David Frost wrote:
> Thanks for the help, I increased the debug level and found that it was
> my ldap_access_filter that wasn't allowing the user to login. It just
> happened that the error in the log was saying the account had expired, when
> really it hadn't.
Does the login work now?
I can now log in via ssh as a user in LDAP, but not the console still. I am
assuming that this could be a PAM issue, not sure at the moment. I can log
in as root on the console still, this is all I need.
> Initially I too thought it may have been missing attributes, but it turned
> out not to be the case.
I think this is bad error reporting on the sshd side, according to the
/var/log/secure snippet, SSSD returned PAM_PERM_DENIED as expected.
Indeed, this could well be the case, but at least the extra debugging in
the sssd logs gave me the correct information.
> Thanks again,
> Regards David.
> From: David Frost
> Sent: Wednesday, May 08, 2013 12:27 PM
> To: 'sssd-devel(a)lists.fedorahosted.org'
> Subject: SSSD with SSH and PAM Account Expired
> Hi, having configured SSSD on RHEL 6.4 to connect to our OpenLDAP server
> successfully, I can get a list of users and groups using the getent command
> but cannot ssh into the host or login via the console.
> The following error message is returned in /var/log/secure:
> May 8 12:18:26 rh-test-mg01 sshd: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> May 8 12:18:26 rh-test-mg01 sshd: pam_sss(sshd:account): Access
> denied for user jimbob: 6 (Permission denied)
> May 8 12:18:26 rh-test-mg01 sshd: error: PAM: User account has
> expired for jimbob from 10.21.21.1
> These are my ldap details:
> # extended LDIF
> # LDAPv3
> # base <uid=jimbob,ou=people,dc=XXX,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> # jimbob, People, XXX.com
> dn: uid=jimbob,ou=People,dc=XXX,dc=com
> givenName: Jim
> sn: Bob
> uid: jimbob
> uidNumber: 1081
> homeDirectory: /home/jimbob
> loginShell: /bin/bash
> cn: Jim Bob
> gidNumber: 1398
> mail: jim.bob@XXX.com
> userPassword:: XXX
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: ldapPublicKey
> objectClass: shadowAccount
> If I comment out the following line in /etc/pam.d/password-auth then I
> can login via ssh but still not the console.
> #account [default=bad success=ok user_unknown=ignore] pam_sss.so
> Any help would be greatly appreciated.
> Thanks in advance, David.
> sssd-devel mailing list
Thanks for your help, all I now have to sort is the sudo ldap stuff, again
the access filters seem to be my main issue.
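The lesson of the thread is that sshd's "User account has expired" line is not what pam_sss reported: the pam_sss line carries the real PAM return code, 6 (PAM_PERM_DENIED), which with access_provider = ldap usually means ldap_access_filter did not match the user. The script below is an added example, not code from the thread, from SSSD or from Linux-PAM: it decodes the numeric return code out of pam_sss log lines and prints the ldapsearch that reproduces the filter decision against the user's own entry. The sample log is constructed (two lines copied from the thread plus an invented genuine-expiry line), and the group name, filter and server URI are placeholders, not values from the original post.

```shell
#!/bin/sh
# Added example, not code from the thread, from SSSD or from Linux-PAM: decode
# what pam_sss actually returned before trusting sshd's "account has expired"
# text, and build the ldapsearch that reproduces an ldap_access_filter decision.

# Linux-PAM return codes (values as defined in <security/_pam_types.h>).
pam_rc_name() {
    case "$1" in
        0)  echo PAM_SUCCESS ;;
        6)  echo PAM_PERM_DENIED ;;
        7)  echo PAM_AUTH_ERR ;;
        9)  echo PAM_AUTHINFO_UNAVAIL ;;
        10) echo PAM_USER_UNKNOWN ;;
        11) echo PAM_MAXTRIES ;;
        12) echo PAM_NEW_AUTHTOK_REQD ;;
        13) echo PAM_ACCT_EXPIRED ;;
        25) echo PAM_IGNORE ;;
        27) echo PAM_AUTHTOK_EXPIRED ;;
        *)  echo "PAM_RC_$1" ;;
    esac
}

# Parse one "pam_sss(<service>:<phase>): Access denied for user <u>: <rc> (...)"
# line and print "<phase> <user> <rc> <PAM name>". Returns 1 for any other line.
explain_pam_sss_line() {
    line=$1
    case "$line" in
        *"pam_sss("*"): Access denied for user "*) ;;
        *) return 1 ;;
    esac
    phase=$(printf '%s\n' "$line" | sed -n 's/.*pam_sss([^:]*:\([a-z]*\)).*/\1/p')
    user=$(printf '%s\n' "$line" | sed -n 's/.*Access denied for user \([^:]*\):.*/\1/p')
    rc=$(printf '%s\n' "$line" | sed -n 's/.*Access denied for user [^:]*: \([0-9]*\) .*/\1/p')
    printf '%s %s %s %s\n' "$phase" "$user" "$rc" "$(pam_rc_name "$rc")"
}

# Turn phase + return code into the thing to look at next.
diagnose() {
    phase=$1; rc=$2
    if [ "$phase" = account ] && [ "$rc" = 6 ]; then
        echo "account phase refused with PAM_PERM_DENIED: an SSSD access check (e.g. ldap_access_filter) rejected the user; the account is not expired"
    elif [ "$rc" = 13 ]; then
        echo "PAM_ACCT_EXPIRED: the account really is expired (shadow/LDAP expiry attributes)"
    else
        echo "$(pam_rc_name "$rc") in the $phase phase: raise debug_level in sssd.conf and read the domain log"
    fi
}

# SSSD evaluates ldap_access_filter against the user's own entry, so a
# base-scope search at the user's DN with the same filter shows whether it
# matches: the entry comes back when access would be granted, nothing comes
# back when it would be denied. This only prints the command to run.
access_check_cmd() {
    user_dn=$1; filter=$2; uri=$3
    printf "ldapsearch -x -H '%s' -b '%s' -s base '%s' dn\n" "$uri" "$user_dn" "$filter"
}

# Constructed sample log: the first two lines are the thread's, the third is
# made up to show what a genuine expiry looks like.
SAMPLE_LOG='May 8 12:18:26 rh-test-mg01 sshd: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser=
May 8 12:18:26 rh-test-mg01 sshd: pam_sss(sshd:account): Access denied for user jimbob: 6 (Permission denied)
May 8 12:19:02 rh-test-mg01 sshd: pam_sss(sshd:account): Access denied for user alice: 13 (User account has expired)'

printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do
    if parsed=$(explain_pam_sss_line "$l"); then
        set -- $parsed
        echo "$2: $(diagnose "$1" "$3")"
    fi
done

# Filter, group and URI below are placeholders, not values from the thread.
access_check_cmd 'uid=jimbob,ou=People,dc=XXX,dc=com' \
    '(memberOf=cn=ssh-users,ou=Groups,dc=XXX,dc=com)' 'ldap://ldap.XXX.com'
```

Run the printed ldapsearch with the same bind identity SSSD uses (ldap_default_bind_dn or anonymous); if it returns no entry, the filter is the reason for the PAM_PERM_DENIED, whatever sshd says about expiry. The console case in the thread is a separate PAM stack from sshd's password-auth, so fixing the filter does not by itself explain a console failure.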