On Wed, Mar 16, 2016 at 10:52:22PM -0400, Cyril Scetbon wrote:
> Any other idea? Here is the information I can provide you:
>
> # /etc/nsswitch.conf
> passwd: compat sss ldap
> group: compat sss ldap
> shadow: compat ldap
> hosts: files mdns4_minimal [NOTFOUND=return] dns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis sss
> sudoers: files sss
>
> my PAM file:
> # here are the per-package modules (the "Primary" block)
> auth [success=1 default=ignore] pam_sss.so
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth required pam_permit.so
>
> /etc/sssd/sssd.conf:
> [domain/default]
> debug_level=0xFFF0
> autofs_provider = ldap
> ldap_default_bind_dn = uid=myuid,ou=Auth,dc=mydc1,dc=mydc2
> ldap_default_authtok_type = password
> ldap_default_authtok = mysecret
> ldap_schema = rfc2307bis
> krb5_realm = #
> ldap_search_base = dc=mydc1,dc=mydc2
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldaps://myldap
> ldap_id_use_start_tls = True
> cache_credentials = True
> ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
> ldap_tls_reqcert=demand
> [sssd]
> services = nss, pam, autofs
> config_file_version = 2
> domains = default
> [pam]
> [nss]
> [sudo]
> [autofs]
> [ssh]
> [pac]
>
> As said earlier, I tried with those 2 commands to simulate the loss of the LDAP server:
> iptables -A OUTPUT -p tcp --dport 636 -j REJECT
> iptables -A OUTPUT -p tcp --dport 636 -j DROP
Is it possible to see full logs from all responders?
By the way I suspect the reason Lukas asked about TLS vs LDAPs is
https://fedorahosted.org/sssd/ticket/2878
(I know this doesn't help your problem, but I use cached credentials on
my laptop as the only authentication source, so I know they work OK..)
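As an added example (not from the thread or from the SSSD project), a small Python checker that parses an sssd.conf and reports whether the prerequisites for offline (cached-credential) logins are met, plus the hygiene points visible in the posted config; it runs over a constructed, abridged copy of that config with the bind secret replaced by a placeholder, and the finding texts and severities are my own choices.

```python
import configparser
from urllib.parse import urlsplit
# Constructed sample: the [sssd] and [domain/default] settings posted in the thread
# (abridged), with the bind secret replaced by a placeholder.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, autofs
domains = default
[domain/default]
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER_SECRET
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://myldap
ldap_id_use_start_tls = True
cache_credentials = True
ldap_tls_reqcert=demand
"""

def parse_sssd_conf(text):
    # sssd.conf is INI-style and '%' is not special in it, so disable interpolation
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def check_sssd_conf(cp):
    """Return (severity, message) findings: offline-login prerequisites plus hygiene."""
    findings = []
    services = {s.strip() for s in cp.get("sssd", "services", fallback="").split(",")}
    if "pam" not in services:
        findings.append(("error", "[sssd] services lacks 'pam': PAM logins cannot use sssd"))
    for dom in (d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()):
        sec = f"domain/{dom}"
        if not cp.has_section(sec):
            findings.append(("error", f"domain '{dom}' is listed but [{sec}] is missing"))
            continue
        # Offline logins need a cached credential; without it, losing the LDAP server means no login
        if not cp.getboolean(sec, "cache_credentials", fallback=False):
            findings.append(("error", f"[{sec}] cache_credentials is not True: no offline logins"))
        authtok_type = cp.get(sec, "ldap_default_authtok_type", fallback="password")
        if cp.has_option(sec, "ldap_default_authtok") and authtok_type == "password":
            findings.append(("warn", f"[{sec}] bind password stored in clear text; keep the file 0600 root"))
        if cp.get(sec, "ldap_tls_reqcert", fallback="hard") not in ("demand", "hard"):
            findings.append(("warn", f"[{sec}] ldap_tls_reqcert does not verify the server certificate"))
        starttls = cp.getboolean(sec, "ldap_id_use_start_tls", fallback=False)
        for uri in (u.strip() for u in cp.get(sec, "ldap_uri", fallback="").split(",")):
            if urlsplit(uri).scheme == "ldap" and not starttls:
                findings.append(("warn", f"[{sec}] {uri} is plain ldap:// without STARTTLS"))
    return findings
```

Run it against the real file with `check_sssd_conf(parse_sssd_conf(open("/etc/sssd/sssd.conf").read()))` before pulling the LDAP server away; an "error" finding explains a failed offline login before any responder log is needed.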