Did you check your PAM config?

On Sat, Sep 14, 2024, 6:42 PM GrahamC <gcfedora@crowie.net> wrote:

Hi,

I have existing systems that authenticate via LDAP using SSSD and
have recently added a Fedora 40 system, except that it denies login to
all of the LDAP users. It can see the users (user and groups owning
files are displayed correctly, and the "finger" command finds the
users), however for some reason it always fails to authenticate passwords.

The following is from /var/log/secure

Sep 15 11:26:27 ext5 sshd[265914]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.131.55 user=graham
Sep 15 11:26:29 ext5 sshd[265914]: Failed password for graham from 192.168.131.55 port 60366 ssh2

The LDAP server is a Fedora 34 but there are many older systems (back to
Fedora 19) still authenticating via LDAP. I remember many years ago (I
think it was when I was converting from NIS) that I had to change the
password format, so maybe I have something old in my setup (passwords
appear to be stored as a 52 character encrypted string).

I am looking for some pointers as to where to look for testing and
troubleshooting this issue. Are there any tools to test sssd
authentication? Or any other information that may help me?

Thank you


/etc/nsswitch contains (on both the working Fedora 34 and the not
working Fedora 40 systems)

passwd:     sss files systemd
shadow:     files
group:      sss files systemd
hosts:      files myhostname dns
services:   sss files
netgroup:   sss files
automount:  sss files
aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files

/etc/sssd/sssd.conf contains (on both the working Fedora 34 and the not
working Fedora 40 systems) - domain name changed.

[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.mydomain.net
ldap_chpass_uri = ldap://ldap.mydomain.net
ldap_search_base = dc=mydomain,dc=net
ldap_id_use_start_tls = True
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow


_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
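The reply above points at the PAM stack, and the original post asks for a way to test SSSD authentication. The script below is an added example, not something either poster ran: it works offline on constructed copies of a PAM stack file and of the posted log lines, checking two things a troubleshooter would look at first. First, whether pam_sss.so is present in the auth section of the stack that sshd ends up using (on Fedora that is normally /etc/pam.d/system-auth, managed by authselect); second, which PAM module actually reported the failure in the log. In the posted excerpt only pam_unix reports, which is what you would see if the password never reached pam_sss. The file names and contents under DEMO_DIR are constructed samples, and the "broken" stack is an assumed example of a stack without pam_sss, not the poster's real configuration.

```shell
#!/bin/sh
# Added example: offline checks for "is pam_sss in the PAM auth stack?" and
# "which PAM module logged the sshd auth failure?". Sample inputs are constructed.

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Constructed stack WITHOUT pam_sss (assumed shape of a misconfigured system-auth).
cat > "$DEMO_DIR/system-auth.broken" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so
account     required      pam_unix.so
EOF

# Constructed stack WITH pam_sss, as the authselect sssd profile produces it.
cat > "$DEMO_DIR/system-auth.sss" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_sss.so
EOF

# The two log lines quoted in the original post, copied as a sample log.
cat > "$DEMO_DIR/secure.sample" <<'EOF'
Sep 15 11:26:27 ext5 sshd[265914]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.131.55 user=graham
Sep 15 11:26:29 ext5 sshd[265914]: Failed password for graham from 192.168.131.55 port 60366 ssh2
EOF

# Succeed (exit 0) if pam_sss.so appears on an "auth" line of the given PAM file.
has_pam_sss_auth() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_sss\.so' "$1"
}

# Print, deduplicated, the PAM modules that logged an sshd:auth result in a log file.
pam_modules_in_log() {
    sed -n 's/.*: \(pam_[a-z_]*\)(sshd:auth).*/\1/p' "$1" | sort -u
}

# Combine both checks into a one-word diagnosis:
#   pam_sss-missing-from-stack  pam_sss.so is not in the auth section at all
#   pam_sss-never-logged        stack looks right, but only other modules reported
#   ok                          pam_sss is in the stack and has logged for sshd
diagnose() {
    pamfile=$1
    logfile=$2
    if ! has_pam_sss_auth "$pamfile"; then
        echo "pam_sss-missing-from-stack"
    elif ! pam_modules_in_log "$logfile" | grep -qx pam_sss; then
        echo "pam_sss-never-logged"
    else
        echo "ok"
    fi
}

# Stand-alone run: show what each constructed stack yields against the posted log.
echo "modules reporting in log: $(pam_modules_in_log "$DEMO_DIR/secure.sample" | tr '\n' ' ')"
echo "broken stack: $(diagnose "$DEMO_DIR/system-auth.broken" "$DEMO_DIR/secure.sample")"
echo "sssd stack:   $(diagnose "$DEMO_DIR/system-auth.sss" "$DEMO_DIR/secure.sample")"
```

On a real Fedora host the same two questions are answered by `authselect current` (which profile is active and whether it is the sssd one) together with a look at /etc/pam.d/system-auth and /etc/pam.d/password-auth, and by `sssctl user-checks <user>` for an end-to-end check of what SSSD returns for a user through its NSS and PAM responders. An ldap bind test with `ldapwhoami` against the server confirms the password itself independently of PAM.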