Off the top, the LDAP server can not resolve in DNS, so it's setting the LDAP server name to the IP, the IP is not in your cert as a SAN that I can see.

On 12/07/2022 12:10 AM Jarett DeAngelis <starkruzr@gmail.com> wrote:


Hi Sumit,

Thank you! You made me realize I never updated PAM using authconfig. `sudo authconfig --enablesssdauth --enablesssd --updateall --enablemkhomedir` took care of it.

Do you have any insights as to what is going on with the newer (Ubuntu 22.04) machine's attempts to authenticate? SSSD logs are pretty clear that there is an "unknown error" with TLS communication despite the OpenLDAP server appearing to communicate normally -- OpenSSL 3.0 freezes, basically, while trying to connect, as seen here:

(2022-12-07  7:17:24): [be[default]] [check_if_online_delayed] (0x2000): [RID#1010] Trying to go back online!
(2022-12-07  7:17:24): [be[default]] [fo_reset_services] (0x1000): [RID#1010] Resetting all servers in all services
(2022-12-07  7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1010] Marking server '10.8.8.60' as 'name not resolved'
(2022-12-07  7:17:24): [be[default]] [fo_set_port_status] (0x0100): [RID#1010] Marking port 636 of server '10.8.8.60' as 'neutral'
(2022-12-07  7:17:24): [be[default]] [fo_set_port_status] (0x0400): [RID#1010] Marking port 636 of duplicate server '10.8.8.60' as 'neutral'
(2022-12-07  7:17:24): [be[default]] [dp_attach_req] (0x0400): [RID#1011] DP Request [Online Check #1011]: REQ_TRACE: New request. Flags [0000].
(2022-12-07  7:17:24): [be[default]] [dp_attach_req] (0x0400): [RID#1011] Number of active DP request: 1
(2022-12-07  7:17:24): [be[default]] [fo_resolve_service_send] (0x0100): [RID#1011] Trying to resolve service 'LDAP'
(2022-12-07  7:17:24): [be[default]] [get_server_status] (0x1000): [RID#1011] Status of server '10.8.8.60' is 'name not resolved'
(2022-12-07  7:17:24): [be[default]] [get_port_status] (0x1000): [RID#1011] Port status of port 636 for server '10.8.8.60' is 'neutral'
(2022-12-07  7:17:24): [be[default]] [fo_resolve_service_activate_timeout] (0x2000): [RID#1011] Resolve timeout [dns_resolver_timeout] set to 6 seconds
(2022-12-07  7:17:24): [be[default]] [get_server_status] (0x1000): [RID#1011] Status of server '10.8.8.60' is 'name not resolved'
(2022-12-07  7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1011] Marking server '10.8.8.60' as 'resolving name'
(2022-12-07  7:17:24): [be[default]] [check_if_online_delayed] (0x2000): [RID#1010] Check online req created.
(2022-12-07  7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1011] Marking server '10.8.8.60' as 'name resolved'
(2022-12-07  7:17:24): [be[default]] [be_resolve_server_process] (0x1000): [RID#1011] Saving the first resolved server
(2022-12-07  7:17:24): [be[default]] [be_resolve_server_process] (0x0200): [RID#1011] Found address for server 10.8.8.60: [10.8.8.60] TTL 7200
(2022-12-07  7:17:24): [be[default]] [sdap_uri_callback] (0x0400): [RID#1011] Constructed uri 'ldaps://10.8.8.60:636'
(2022-12-07  7:17:24): [be[default]] [sssd_async_socket_init_send] (0x4000): [RID#1011] Using file descriptor [21] for the connection.
(2022-12-07  7:17:24): [be[default]] [sssd_async_socket_init_send] (0x0400): [RID#1011] Setting 60 seconds timeout [ldap_network_timeout] for connecting
(2022-12-07  7:17:24): [be[default]] [sss_ldap_init_sys_connect_done] (0x0020): [RID#1011] ldap_install_tls failed: [Connect error] [unknown error]
(2022-12-07  7:17:24): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#1011] calling ldap_unbind_ext for ldap:[0x560819ad2470] sd:[21]
(2022-12-07  7:17:24): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#1011] closing socket [21]
(2022-12-07  7:17:24): [be[default]] [sdap_sys_connect_done] (0x0020): [RID#1011] sdap_async_connect_call request failed: [5]: Input/output error.
(2022-12-07  7:17:24): [be[default]] [sdap_handle_release] (0x2000): [RID#1011] Trace: sh[0x560819af04f0], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0]
(2022-12-07  7:17:24): [be[default]] [_be_fo_set_port_status] (0x8000): [RID#1011] Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_done: 1633
(2022-12-07  7:17:24): [be[default]] [fo_set_port_status] (0x0100): [RID#1011] Marking port 636 of server '10.8.8.60' as 'not working'

If you look at it with `openssl s_client`, it freezes right here:

root@ldapclient:/home/sysop# openssl s_client -connect 10.8.8.60:636
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = CompanyInternal
verify return:1
depth=0 O = CompanyInternal, CN = ldapserver00.clab.lab
verify return:1
---
Certificate chain
 0 s:O = CompanyInternal, CN = ldapserver00.clab.lab
   i:CN = CompanyInternal
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Nov  1 22:06:32 2022 GMT; NotAfter: Oct 29 22:06:32 2032 GMT
 1 s:CN = CompanyInternal
   i:CN = CompanyInternal
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Nov  1 22:04:14 2022 GMT; NotAfter: Oct 29 22:04:14 2032 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIERzCCAi+gAwIBAgIUN7zSoFEoRKwSie9d3DoobHH60x4wDQYJKoZIhvcNAQEM
BQAwEjEQMA4GA1UEAxMHQmlvVGVhbTAeFw0yMjExMDEyMjA2MzJaFw0zMjEwMjky
MjA2MzJaMDIxEDAOBgNVBAoTB0Jpb1RlYW0xHjAcBgNVBAMTFWxkYXBzZXJ2ZXIw
MC5jbGFiLmxhYjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKBtDPgT
e8wr/sxg+oUiMDvyuROnxEMDvF8LRwhQianBxqQuwuZulvVLXBgWyVRyNjInUDXU
q1Hbf2JVXVkMufO/VjRIlF4lRPC/sgu1srxUdRvddBEO9t8inAMlJ0dvGOaZBwS7
fKK3+YeIRSleRbXS6ta2shvwxrDTWhiEPL4dgdeD+7J9ll4cbbuHW0YZJvlRJ9xD
VHy70qcZn6ZyDXQt83Mbf78RLioK78S0dKW6eOACKHHSexIGcP8bZOX43XTZJHME
Y7jFSBaMVF+pa0eRj6pTA6U2sFg4puWC1Xkt++1Wpnq9YdB9CqOII3UvdlPVoOHH
oGQ6CmDmIR908kUCAwEAAaN1MHMwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggr
BgEFBQcDATAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0OBBYEFHKk9dZu3nxATWKqJlXK
0ekuoRfkMB8GA1UdIwQYMBaAFCTD8jhauoaHVQBgCHanPoW83kRxMA0GCSqGSIb3
DQEBDAUAA4ICAQCUA72TzDR5evZpTbZAoxZ4O3Xr+gKphB7HHQ4BNZ+zW/AV/rEW
DLTnm3XQ+KPp/1jb1uSsKGqLqQ462rzzYQ5SU98/GxZM8xRxWyTq+wjLFcaUZ93V
HVSm38Y77aK+uhw2qpiMeiKzW/M4UwUYQM4trKMSzBiQz46UPKkzihL5JR/TCcKj
LrT+OhYcbIDfdnf0+jvB75eiWiQXrsX1B0VRVnFR4FqJSH8kD71OLWno9UlTpmWB
xkDrWTW5xJAb+lJT12PRRg8cMRg/GtQSIo8PAPdrm/D6aBQsRtGm8KvIleBgo5FR
htlMVzNyfq35ck8WhjyMQBwegJEbMBDSpYootdNrs5sOtv+CA6qDH6CsatYKr/ke
bu3s167q0x/RAAROcdA6+7eMyrrVyZjv4tqPzfYdLvOg6o7m3kBy1BL56flbd+je
wX4RJvNoQKGrZxKRsfKgS7cJCo3QEoV/RbOzTof3QZ4G+lLE15lI9v9Ad6aaX+Gt
oLHAqxIE1Wld/fmBTBgLL9K5NFfvfINczNLJw/+X3f6e6IjQgT743oJZ4BaNyGn6
3YT5EgDAz5hgM4BhOMovUBVgcFsUdZkH3dHrX9OrdgmP737IXlp7tuo8/J0DMPgr
e2I0qGBqCu03PBYl8G4iwF/7UKFy6cyB1srefQPoVQ0//iPQIB5p6LOhUQ==
-----END CERTIFICATE-----
subject=O = CompanyInternal, CN = ldapserver00.clab.lab
issuer=CN = CompanyInternal
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2932 bytes and written 373 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 21BBA066E20DCEE0C99DA1EF0EA17A9F474DCB10993529D776A053A32EEDB728
    Session-ID-ctx:
    Resumption PSK: 6AC936C1645C80A5DDE93B179632FE59A4AEB15D3E3876B4385C01F769087C6D409E818BE582E550B3261CEED468423B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 60 81 05 60 76 ea 36 36-e4 97 99 63 43 38 8a 2b   `..`v.66...cC8.+
    0010 - 24 95 56 e5 af 76 a6 d2-60 82 fa d4 72 91 53 b5   $.V..v..`...r.S.
    0020 - 4e fc 0d 13 b8 52 97 2a-40 13 83 7d cf 3f 51 aa   N....R.*@..}.?Q.
    0030 - 96 f5 76 ca 14 c1 e7 e4-1d b7 39 53 d9 ee 19 89   ..v.......9S....
    0040 - fd eb e0 d9 9f 8d 33 3b-97 cd 1d 0d 8c a4 f4 f4   ......3;........
    0050 - 6f ab c2 49 59 b4 1c 67-78 b9 4c 93 03 2d 5c ff   o..IY..gx.L..-\.
    0060 - a9 19 c8 36 a8 23 1b 3c-45 5e 6e 69 f7 8c c4 bb   ...6.#.<E^ni....
    0070 - d9 d2 a9 86 92 f0 98 94-68 aa eb f2 18 ab ef 59   ........h......Y
    0080 - 55 96 43 ad 64 06 26 93-c1 41 8c 2b ce db bb fa   U.C.d.&..A.+....
    0090 - 9d 9f b3 71 fe cc ec d1-f5 e0 02 a8 70 b9 10 3c   ...q........p..<
    00a0 - 42 32 60 d4 ac 94 ce 76-89 3a 0e 6c 95 43 22 e4   B2`....v.:.l.C".
    00b0 - 89 a4 11 a9 24 a3 9a b4-3e 85 ee bb 1f 07 2f e0   ....$...>...../.
    00c0 - bf 45 a2 2e 78 a4 51 9f-34 0e e4 87 a8 b4 c3 2a   .E..x.Q.4......*

    Start Time: 1670399902
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: BBCD67A75D02D4E8A29FC1BC72AF66A58F589AABA8DCF321B809AEDC2F1100EE
    Session-ID-ctx:
    Resumption PSK: 2B9BBE1D73BEA62DBB0CDAFE6D25B09FB69F9D53DB02645AA889674CA7D28FF66C8D025F5ECE2015EE228AB9C1A178E9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 60 81 05 60 76 ea 36 36-e4 97 99 63 43 38 8a 2b   `..`v.66...cC8.+
    0010 - 82 ee b5 24 8c 46 a1 ce-81 14 07 fa 50 57 67 78   ...$.F......PWgx
    0020 - da 6a b0 d8 df 43 d8 fd-74 67 13 61 37 36 e5 ab   .j...C..tg.a76..
    0030 - cd 3d 32 95 95 55 a0 47-f1 d8 4a 7c 27 aa 64 7d   .=2..U.G..J|'.d}
    0040 - 26 0d 60 8e 29 9c a9 40-6d 6f 59 c1 ab 6a e3 d4   &.`.)..@moY..j..
    0050 - cb cb 96 05 51 46 48 f8-6b 67 53 10 47 30 36 24   ....QFH.kgS.G06$
    0060 - f4 ea 62 f7 ac dc 64 b9-10 4e 62 17 75 3a 55 c9   ..b...d..Nb.u:U.
    0070 - 73 98 41 c6 68 6e ee b9-62 e5 19 71 a1 df 05 62   s.A.hn..b..q...b
    0080 - 7d 1a 30 dc 46 77 b3 c6-5b b6 fa 4f 2f 34 31 fa   }.0.Fw..[..O/41.
    0090 - bf 1e 9e 26 b8 ff 95 d3-69 7b de c3 91 34 06 6a   ...&....i{...4.j
    00a0 - 9e 2c ee 36 08 9f db 1f-28 44 ef 21 07 74 a8 9b   .,.6....(D.!.t..
    00b0 - bd 55 f6 8b cb 11 bb 5f-7f 71 ba eb 15 1e 1e 70   .U....._.q.....p
    00c0 - 36 3e 9d ce 42 2c 60 6d-d0 7f de 60 4a a9 80 da   6>..B,`m...`J...

    Start Time: 1670399902
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

^-- it stops there. I understand hanging and waiting for further communication is normal behavior , but I don't think this is where it's supposed to stop.

Obviously, CentOS 7 with its older version of SSL has no trouble connecting. One difference is that on CentOS 7 it says "Secure Renegotiation IS supported."

TIA for any help.

Thanks,
Jarett

On Dec 7, 2022, at 12:50 AM, Sumit Bose <sbose@redhat.com> wrote:

Am Tue, Dec 06, 2022 at 05:14:34PM -0600 schrieb Jarett DeAngelis:
Hi,

I am trying to get SSSD to authenticate against an OpenLDAP directory. I have "debug_level" turned up to 10 but have not been able to figure out what the problem is based on the log.

On an Ubuntu 22.04 system I have found that something with TLS is broken when it tries to connect to OpenLDAP, which is why it has failed on that system -- I think this is related to the OS moving to OpenSSL 3 but have not been able to figure out how to fix it.

On this CentOS 7 system, you can see that it can find the user, can get properties from the user, but still fails the user login without, as far as I can tell, explaining why.

I have pasted our sssd.conf below, and here is a link to my Nextcloud instance where I am hosting the relevant portion of the log (it was too big for me to be able to paste it into Pastebin): https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD<https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD>

Hi,

there is no authentication attempt covered in the log file. Are you sure
pam_sss.so is included in your PAM configuration and called for the
specific user?

bye,
Sumit


Hoping someone can help us get to the bottom of this.

Thanks.

Here is our sssd.conf:

[sssd]
services = nss, pam
config_file_version = 2
domains = default
certificate_verification = no_verification

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
debug_level = 10
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = ou=users,dc=clab,dc=lab
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldaps://10.8.8.60:636
ldap_default_bind_dn = cn=admin,dc=clab,dc=lab
ldap_default_authtok = definitelyverysecurepassword
ldap_tls_reqcert = allow
ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt
ldap_tls_cacertdir = /usr/local/share/ca-certificates
ldap_tls_cert = /etc/ldap/ldapserver00_slapd_cert.pem
certificate_verification = no_verification
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
override_homedir = /home/%U
override_shell = /bin/bash
ldap_user_name = uid
auto_private_groups = true
sudo_provider = none
ldap_account_expire_policy = nds
ldap_passwd_policy = shadow

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue