On Wed, May 08, 2013 at 11:27:18AM +0000, David Frost wrote:
> Hi, having configured SSSD on RHEL 6.4 to connect to our OpenLDAP
> server successfully, I can get a list of users and groups using the getent command but
> cannot ssh into the host or login via the console.
> The following error message is returned in /var/log/secure:
>
> May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.21.1 user=jimbob
> May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied for user jimbob: 6 (Permission denied)
> May 8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired for jimbob from 10.21.21.1
>
> These are my ldap details:
>
> # extended LDIF
> #
> # LDAPv3
> # base <uid=jimbob,ou=people,dc=XXX,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> # jimbob, People, XXX.com
> dn: uid=jimbob,ou=People,dc=XXX,dc=com
> givenName: Jim
> sn: Bob
> uid: jimbob
> uidNumber: 1081
> homeDirectory: /home/jimbob
> loginShell: /bin/bash
> cn: Jim Bob
> gidNumber: 1398
> mail: jim.bob(a)XXX.com
> userPassword:: XXX
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: ldapPublicKey
> objectClass: shadowAccount
Maybe some attributes of shadowAccount indicate that the account is
expired? They might not be visible for an anonymous bind.
> If I comment out the following line in /etc/pam.d/password-auth then I can login via ssh
> but still not the console.
>
> #account [default=bad success=ok user_unknown=ignore] pam_sss.so
>
> Any help would be greatly appreciated.
If you mean by console the text terminal then it makes sense, because
the login program uses system-auth instead of password-auth in its pam
configuration. Nevertheless I would recommend modifying the SSSD
configuration instead of the PAM configuration.
I assume that you have configured an access_provider in your sssd.conf,
see man sssd.conf for details. If you remove the access_provider entry
it should work for all services.
To find out why SSSD thinks that the account is expired, logs with
a high debug level are needed, but as said before I assume that the
shadow attributes might be the reason.
HTH
bye,
Sumit
P.S. Please consider subscribing to sssd-devel so that you do not have
to wait until your email gets moderated.
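As an added illustration of Sumit's point about shadowAccount attributes (this is not code from the thread or from SSSD itself), the script below applies the shadow(5) day-count rules that pam_unix uses to a shadowAccount entry, so an administrator can see which attribute would turn a login into "User account has expired". The LDIF entry and its day values are constructed for the example.

```python
import datetime

# Constructed sample entry (not the poster's data); shadow* values are
# days since 1970-01-01, as in /etc/shadow.
SAMPLE_LDIF = """\
dn: uid=jimbob,ou=People,dc=example,dc=com
uid: jimbob
objectClass: posixAccount
objectClass: shadowAccount
shadowLastChange: 15000
shadowMax: 90
shadowInactive: 7
shadowExpire: 15800
"""

def parse_ldif_entry(text):
    """Minimal single-entry LDIF parser (plain 'attr: value' lines only)."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            entry.setdefault(key, []).append(value.strip())
    return entry

def days_since_epoch(day):
    """Convert a date to the day count the shadow* attributes use."""
    return (day - datetime.date(1970, 1, 1)).days

def shadow_status(entry, today_days):
    """Apply the shadow(5) rules as pam_unix evaluates them; return (allowed, reason).
    An absent attribute or -1 means 'not set', exactly as in the shadow file."""
    def attr(name):
        values = entry.get(name)
        if not values or values[0] in ("", "-1"):
            return None
        return int(values[0])
    expire, last, max_age, inactive = (attr(n) for n in
        ("shadowExpire", "shadowLastChange", "shadowMax", "shadowInactive"))
    if expire is not None and today_days >= expire:      # account disabled from that day on
        return False, "account expired (shadowExpire=%d)" % expire
    if last is not None and last == 0:                   # admin forced a password change
        return False, "password must be changed (shadowLastChange=0)"
    if last is not None and max_age is not None:
        age = today_days - last
        if inactive is not None and age > max_age + inactive:
            return False, "password inactive too long; account locked"
        if age > max_age:
            return False, "password expired (age %d > shadowMax %d)" % (age, max_age)
    return True, "ok"

def check_sample(today_days):
    """Evaluate the constructed entry for a given day count."""
    return shadow_status(parse_ldif_entry(SAMPLE_LDIF), today_days)
```

Run it against the real entry with a bind that can read the shadow attributes (an anonymous bind often cannot see them, as Sumit notes), and compare the reason it reports with what a high debug level in the SSSD domain log says.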
> Thanks in advance, David.
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel