6:27 a.m.
Hi, having configured SSSD on RHEL 6.4 to connect to our OpenLDAP server successfully, I
can get a list of users and groups using the getent command but cannot ssh into the host
or login via the console.
The following error message is returned in /var/log/secure:
May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication success;
logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.21.1 user=jimbob
May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied for user
jimbob: 6 (Permission denied)
May 8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired for jimbob
from 10.21.21.1
These are my ldap details:
# extended LDIF
#
# LDAPv3
# base <uid=jimbob,ou=people,dc=XXX,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# jimbob, People, XXX.com
dn: uid=jimbob,ou=People,dc=XXX,dc=com
givenName: Jim
sn: Bob
uid: jimbob
uidNumber: 1081
homeDirectory: /home/jimbob
loginShell: /bin/bash
cn: Jim Bob
gidNumber: 1398
mail: jim.bob(a)XXX.com
userPassword:: XXX
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: ldapPublicKey
objectClass: shadowAccount
If I comment out the following line in /etc/pam.d/password-auth then I can login via ssh
but still not the console.
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
Any help would be greatly appreciated.
Thanks in advance, David.
Truphone Limited, registered in England and Wales (registered company number: 04187081).
Registered office: 4 Royal Mint Court, London EC3N 4HJ. VAT No. GB 851 5278 19
This e-mail, and any attachment(s), may contain information which is confidential and/or
privileged, and is intended for the addressee only. If you are not the intended recipient,
you may not use, disclose, copy or distribute this information in any manner whatsoever.
If you have received this e-mail in error, please contact the sender immediately and
delete it.
7:28 a.m.
On Wed, May 08, 2013 at 11:27:18AM +0000, David Frost wrote:
Hi, having configured SSSD on RHEL 6.4 to connect to our OpenLDAP
server successfully, I can get a list of users and groups using the getent command but
cannot ssh into the host or login via the console.
The following error message is returned in /var/log/secure:
May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication success;
logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.21.1 user=jimbob
May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied for user
jimbob: 6 (Permission denied)
May 8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired for jimbob
from 10.21.21.1
These are my ldap details:
# extended LDIF
#
# LDAPv3
# base <uid=jimbob,ou=people,dc=XXX,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# jimbob, People, XXX.com
dn: uid=jimbob,ou=People,dc=XXX,dc=com
givenName: Jim
sn: Bob
uid: jimbob
uidNumber: 1081
homeDirectory: /home/jimbob
loginShell: /bin/bash
cn: Jim Bob
gidNumber: 1398
mail: jim.bob(a)XXX.com
userPassword:: XXX
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: ldapPublicKey
objectClass: shadowAccount
Maybe some attributes of shadowAccount indicate that the account is
expired? They might not be visible for an anonymous bind.
If I comment out the following line in /etc/pam.d/password-auth then I can login via ssh
but still not the console.
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
Any help would be greatly appreciated.
If you mean by console the text terminal then it makes sense, because
the login program uses system-auth instead of password-auth in it's pam
configuration. Nevertheless I would recommend to modify the SSSD
configuration instead of the PAM configuration.
I assume that you have configured an access_provider in your sssd.conf,
see man sssd.conf for details. If you remove the access_provider entry
it should work for all services.
To find out about why SSSD thinks that the account is expired logs with
a high debug level are needed, but as said before I assume that the
shadow attributes might be the reason.
HTH
bye,
Sumit
P.S. Please consider to subscribe to sssd-devel so that you do not have
to wait until your email gets moderated.
Thanks in advance, David.
Truphone Limited, registered in England and Wales (registered company number: 04187081).
Registered office: 4 Royal Mint Court, London EC3N 4HJ. VAT No. GB 851 5278 19
This e-mail, and any attachment(s), may contain information which is confidential and/or
privileged, and is intended for the addressee only. If you are not the intended recipient,
you may not use, disclose, copy or distribute this information in any manner whatsoever.
If you have received this e-mail in error, please contact the sender immediately and
delete it.
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
7:41 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/08/2013 08:28 AM, Sumit Bose wrote:
On Wed, May 08, 2013 at 11:27:18AM +0000, David Frost wrote:
> Hi, having configured SSSD on RHEL 6.4 to connect to our OpenLDAP
> server successfully, I can get a list of users and groups using
> the getent command but cannot ssh into the host or login via the
> console.
>
> The following error message is returned in /var/log/secure:
>
> May 8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.21.21.1 user=jimbob May 8 12:18:26 rh-test-mg01
> sshd[6660]: pam_sss(sshd:account): Access denied for user jimbob:
> 6 (Permission denied) May 8 12:18:26 rh-test-mg01 sshd[6658]:
> error: PAM: User account has expired for jimbob from 10.21.21.1
>
> These are my ldap details:
>
> # extended LDIF # # LDAPv3 # base
> <uid=jimbob,ou=people,dc=XXX,dc=com> with scope subtree # filter:
> (objectclass=*) # requesting: ALL #
>
> # jimbob, People, XXX.com dn: uid=jimbob,ou=People,dc=XXX,dc=com
> givenName: Jim sn: Bob uid: jimbob uidNumber: 1081 homeDirectory:
> /home/jimbob loginShell: /bin/bash cn: Jim Bob gidNumber: 1398
> mail: jim.bob(a)XXX.com userPassword:: XXX objectClass:
> inetOrgPerson objectClass: posixAccount objectClass: top
> objectClass: ldapPublicKey objectClass: shadowAccount
Maybe some attributes of shadowAccount indicate that the account
is expired? They might not be visible for an anonymous bind.
>
>
> If I comment out the following line in /etc/pam.d/password-auth
> then I can login via ssh but still not the console.
>
> #account [default=bad success=ok user_unknown=ignore]
> pam_sss.so
>
> Any help would be greatly appreciated.
If you mean by console the text terminal then it makes sense,
because the login program uses system-auth instead of password-auth
in it's pam configuration. Nevertheless I would recommend to modify
the SSSD configuration instead of the PAM configuration.
Please do not comment out that line. SSSD is *correctly* indicating
that the LDAP server tells you that the user account is disabled. You
need to figure out how to unlock the user instead.
I assume that you have configured an access_provider in your
sssd.conf, see man sssd.conf for details. If you remove the
access_provider entry it should work for all services.
Please show your /etc/sssd/sssd.conf to us (with passwords/URLs
sanitized as needed). We can guide you more carefully there.
To find out about why SSSD thinks that the account is expired logs
with a high debug level are needed, but as said before I assume
that the shadow attributes might be the reason.
You can increase the debug level by setting debug_level = N (where N
is 0-9) in the [domain/DOMAINNAME] section of sssd.conf and restarting
SSSD. This will output logs to /var/log/sssd/sssd_DOMAINNAME.log
Check those at level 7 or higher and report anything that looks
interesting.
HTH
bye, Sumit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlGKSAUACgkQeiVVYja6o6M/2wCgihz2KUMFvwfb00qYpLyIk9Ck
IOkAn2wS/36LEpGUBirqOIUmd9yVkrJH
=rbgH
-----END PGP SIGNATURE-----
4003
days inactive
4003
days old
sssd-devel@lists.fedorahosted.org
2 comments
3 participants
participants (3)
-
David Frost -
Stephen Gallagher -
Sumit Bose