Hi, having configured SSSD on RHEL 6.4 to connect to our OpenLDAP server successfully, I can get a list of users and groups using the getent command but cannot ssh into the host or log in via the console.
The following error message is returned in /var/log/secure:
May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.21.1 user=jimbob
May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied for user jimbob: 6 (Permission denied)
May 8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired for jimbob from 10.21.21.1
These are my ldap details:
# extended LDIF
#
# LDAPv3
# base <uid=jimbob,ou=people,dc=XXX,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# jimbob, People, XXX.com
dn: uid=jimbob,ou=People,dc=XXX,dc=com
givenName: Jim
sn: Bob
uid: jimbob
uidNumber: 1081
homeDirectory: /home/jimbob
loginShell: /bin/bash
cn: Jim Bob
gidNumber: 1398
mail: jim.bob@XXX.com
userPassword:: XXX
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: ldapPublicKey
objectClass: shadowAccount
If I comment out the following line in /etc/pam.d/password-auth then I can log in via ssh but still not the console.
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
Any help would be greatly appreciated.
Thanks in advance, David.
Truphone Limited, registered in England and Wales (registered company number: 04187081). Registered office: 4 Royal Mint Court, London EC3N 4HJ. VAT No. GB 851 5278 19
This e-mail, and any attachment(s), may contain information which is confidential and/or privileged, and is intended for the addressee only. If you are not the intended recipient, you may not use, disclose, copy or distribute this information in any manner whatsoever. If you have received this e-mail in error, please contact the sender immediately and delete it.
On Wed, May 08, 2013 at 11:27:18AM +0000, David Frost wrote:
> Hi, having configured SSSD on RHEL 6.4 to connect to our OpenLDAP server successfully, I can get a list of users and groups using the getent command but cannot ssh into the host or log in via the console.
> The following error message is returned in /var/log/secure:
> May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.21.1 user=jimbob
> May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied for user jimbob: 6 (Permission denied)
> May 8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired for jimbob from 10.21.21.1
> These are my ldap details:
> # extended LDIF
> #
> # LDAPv3
> # base <uid=jimbob,ou=people,dc=XXX,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # jimbob, People, XXX.com
> dn: uid=jimbob,ou=People,dc=XXX,dc=com
> givenName: Jim
> sn: Bob
> uid: jimbob
> uidNumber: 1081
> homeDirectory: /home/jimbob
> loginShell: /bin/bash
> cn: Jim Bob
> gidNumber: 1398
> mail: jim.bob@XXX.com
> userPassword:: XXX
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: ldapPublicKey
> objectClass: shadowAccount
Maybe some attributes of shadowAccount indicate that the account is expired? They might not be visible for an anonymous bind.
> If I comment out the following line in /etc/pam.d/password-auth then I can log in via ssh but still not the console.
> #account [default=bad success=ok user_unknown=ignore] pam_sss.so
> Any help would be greatly appreciated.
If you mean by console the text terminal then it makes sense, because the login program uses system-auth instead of password-auth in its PAM configuration. Nevertheless I would recommend modifying the SSSD configuration instead of the PAM configuration.
I assume that you have configured an access_provider in your sssd.conf, see man sssd.conf for details. If you remove the access_provider entry it should work for all services.
To find out why SSSD thinks that the account is expired, logs with a high debug level are needed, but as said before I assume that the shadow attributes might be the reason.
HTH
bye, Sumit
P.S. Please consider subscribing to sssd-devel so that you do not have to wait until your email gets moderated.
> Thanks in advance, David.
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
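As an added illustration of Sumit's point about shadowAccount attributes (example code written for this page, not part of the thread or of SSSD): a small Python helper that parses an LDIF entry like the one posted and reports how its shadow fields would classify the account using shadow(5) day arithmetic, which SSSD's shadow expiry policy is assumed here to follow. The shadow values in the sample are constructed, and an entry carrying no shadow attributes at all is flagged separately, since that is what a bind that cannot read them (e.g. anonymous) would return.

```python
import base64
from datetime import date

# Constructed sample: the posted entry, trimmed, plus the shadowAccount attributes an
# authenticated bind would reveal. The shadow values are illustrative, not from the thread.
SAMPLE_LDIF = """\
dn: uid=jimbob,ou=People,dc=XXX,dc=com
uid: jimbob
userPassword:: e1NTSEF9WFhY
objectClass: posixAccount
objectClass: shadowAccount
shadowLastChange: 15000
shadowMax: 90
shadowInactive: 7
shadowExpire: 15800
"""

def parse_ldif(text):
    """Parse one LDIF entry (single-line values) into {attr_lowercase: [values]}.
    'attr:: value' marks a base64-encoded value, as in the posted userPassword line."""
    entry = {}
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        name, _, value = raw.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def shadow_status(entry, today=None):
    """Classify the entry by its shadow fields (days since 1970-01-01), following
    shadow(5). Assumption: SSSD's shadow expiry policy applies the same rules."""
    if today is None:
        today = (date.today() - date(1970, 1, 1)).days
    def days(attr):                      # absent or empty field means "never"
        vals = entry.get(attr.lower())
        return int(vals[0]) if vals and vals[0] != "" else None
    expire, lastchg, maxd, inact = map(
        days, ("shadowExpire", "shadowLastChange", "shadowMax", "shadowInactive"))
    if all(v is None for v in (expire, lastchg, maxd, inact)):
        return "no-shadow-attrs"         # could not read them: re-check with a bound DN
    if expire is not None and expire > 0 and today >= expire:
        return "account-expired"         # the case PAM reports as "account has expired"
    if lastchg == 0:
        return "must-change"             # lastchange 0 forces a password change
    if lastchg is not None and lastchg > 0 and maxd is not None and maxd >= 0:
        if inact is not None and inact >= 0 and today >= lastchg + maxd + inact:
            return "password-inactive"
        if today >= lastchg + maxd:
            return "must-change"
    return "ok"
```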
On 05/08/2013 08:28 AM, Sumit Bose wrote:
> On Wed, May 08, 2013 at 11:27:18AM +0000, David Frost wrote:
>> Hi, having configured SSSD on RHEL 6.4 to connect to our OpenLDAP server successfully, I can get a list of users and groups using the getent command but cannot ssh into the host or log in via the console.
>> The following error message is returned in /var/log/secure:
>> May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.21.1 user=jimbob
>> May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied for user jimbob: 6 (Permission denied)
>> May 8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired for jimbob from 10.21.21.1
>> These are my ldap details:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <uid=jimbob,ou=people,dc=XXX,dc=com> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # jimbob, People, XXX.com
>> dn: uid=jimbob,ou=People,dc=XXX,dc=com
>> givenName: Jim
>> sn: Bob
>> uid: jimbob
>> uidNumber: 1081
>> homeDirectory: /home/jimbob
>> loginShell: /bin/bash
>> cn: Jim Bob
>> gidNumber: 1398
>> mail: jim.bob@XXX.com
>> userPassword:: XXX
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: top
>> objectClass: ldapPublicKey
>> objectClass: shadowAccount
> Maybe some attributes of shadowAccount indicate that the account is expired? They might not be visible for an anonymous bind.
>> If I comment out the following line in /etc/pam.d/password-auth then I can log in via ssh but still not the console.
>> #account [default=bad success=ok user_unknown=ignore] pam_sss.so
>> Any help would be greatly appreciated.
> If you mean by console the text terminal then it makes sense, because the login program uses system-auth instead of password-auth in its PAM configuration. Nevertheless I would recommend modifying the SSSD configuration instead of the PAM configuration.
Please do not comment out that line. SSSD is *correctly* indicating that the LDAP server tells you that the user account is disabled. You need to figure out how to unlock the user instead.
> I assume that you have configured an access_provider in your sssd.conf, see man sssd.conf for details. If you remove the access_provider entry it should work for all services.
Please show your /etc/sssd/sssd.conf to us (with passwords/URLs sanitized as needed). We can guide you more carefully there.
> To find out why SSSD thinks that the account is expired, logs with a high debug level are needed, but as said before I assume that the shadow attributes might be the reason.
You can increase the debug level by setting debug_level = N (where N is 0-9) in the [domain/DOMAINNAME] section of sssd.conf and restarting SSSD. This will output logs to /var/log/sssd/sssd_DOMAINNAME.log
Check those at level 7 or higher and report anything that looks interesting.
> HTH
> bye, Sumit