Hello, I am looking for clues on how to debug a problem with my configuration for using LDAP and Yubikey PIV authentication. I have successfully gotten my sssd config to recognize my LDAP server, and can authenticate and log in to a user from there. I am also prompted to enter my smartcard. My p11_child.log correctly logs the presence of my key, and the certs offered up for authentication.
However, if I configure my PAM common-auth so that I only use pam_sss for auth, and comment out pam_unix, I get 3 failed login attempts, but it never asks me for a PIN.
I have debug_level set to 10 for all the different sections, but in looking at the logs I can't see any particular error that stands out.
I feel like the last relevant sssd_pam.log entries are:

(Fri Jan 13 08:33:48 2023) [pam] [cache_req_create_and_add_result] (0x0400): CR #5: Found 1 entries in domain closed.aerosoftinc.com
(Fri Jan 13 08:33:48 2023) [pam] [cache_req_done] (0x0400): CR #5: Finished: Success
(Fri Jan 13 08:33:48 2023) [pam] [pd_set_primary_name] (0x0400): User's primary name is mcgrory@closed.aerosoftinc.com
(Fri Jan 13 08:33:48 2023) [pam] [pam_initgr_cache_set] (0x2000): [mcgrory] added to PAM initgroup cache
(Fri Jan 13 08:33:48 2023) [pam] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): domain: closed.aerosoftinc.com
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): user: mcgrory@closed.aerosoftinc.com
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): service: sudo
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): tty: /dev/pts/1
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): ruser: mcgrory
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): rhost: not set
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): authtok type: 0
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): priv: 0
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): cli_pid: 109539
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): logon name: mcgrory
(Fri Jan 13 08:33:48 2023) [pam] [pam_print_data] (0x0100): flags: 513
(Fri Jan 13 08:33:48 2023) [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Fri Jan 13 08:33:48 2023) [pam] [sbus_dispatch] (0x4000): Dispatching.
(Fri Jan 13 08:33:48 2023) [pam] [pam_dp_send_req_done] (0x0200): received: [7 (Authentication failure)][closed.aerosoftinc.com]
This is from sssd_closed.aerosoftinc.com.log:

(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): domain: closed.aerosoftinc.com
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): user: mcgrory@closed.aerosoftinc.com
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): service: sudo
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): ruser: mcgrory
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): rhost:
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): authtok type: 0
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): priv: 0
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): cli_pid: 109539
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): logon name: not set
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [pam_print_data] (0x0100): flags: 0
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_attach_req] (0x0400): DP Request [PAM Authenticate #10]: New request. Flags [0000].
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [sss_domain_get_state] (0x1000): Domain closed.aerosoftinc.com is Active
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #10]: Request handler finished [0]: Success
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #10]: Receiving request data.
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #10]: Request removed.
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [dp_method_enabled] (0x0400): Target selinux is not configured
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.pamHandler: Success
(Fri Jan 13 08:33:48 2023) [be[closed.aerosoftinc.com]] [sbus_dispatch] (0x4000): Dispatching.
I see no evidence in that log of failure, but I'm not sure what I'm looking for.
My sssd.conf file is as follows:

[sssd]
domains = closed.aerosoftinc.com
debug_level = 10

[pam]
pam_cert_auth = true
pam_verbosity = 3
pam_cert_db_path = /etc/sssd/pki/aerosoft_ca.pem
debug_level = 10

[domain/closed.aerosoftinc.com]
debug_level = 10
id_provider = ldap
selinux_provider = none
auth_provider = ldap
ldap_uri = ldaps://backup.closed.aerosoftinc.com
cache_credentials = false
ldap_search_base = dc=closed,dc=aerosoftinc,dc=com

[certmap/closed.aerosoftinc.com/main]
matchrule = <ISSUER>^CN=AeroSoft CA 2,O=AeroSoft Inc,L=Blacksburg,ST=Virginia,C=US$
maprule = (gecos={subject_dn})
domains = closed.aerosoftinc.com
On Fri, Jan 13, 2023 at 01:41:28PM -0000, Bill McGrory wrote:
Hello, I am looking for clues on how to debug a problem with my configuration for using LDAP and Yubikey PIV authentication. I have successfully gotten my sssd config to recognize my LDAP server, and can authenticate and log in to a user from there. I am also prompted to enter my smartcard. My p11_child.log correctly logs the presence of my key, and the certs offered up for authentication.
However, if I configure my PAM common-auth so that I only use pam_sss for auth, and comment out pam_unix, I get 3 failed login attempts, but it never asks me for a PIN.
Hi,
did you, by chance, keep the 'use_first_pass' in the 'auth pam_sss.so' line? This should be removed. If not, please share your PAM configuration as well.
bye, Sumit
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
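The misconfiguration Sumit is pointing at, shown as an added example rather than the poster's actual PAM files: a constructed Debian/Ubuntu-style /etc/pam.d/common-auth (assumed because the post mentions common-auth; the control-flag jump counts and the nullok argument are illustrative). The first stanza is the failing state, the second the corrected one; only one of the two belongs in the real file.

```pam
# /etc/pam.d/common-auth (constructed example, not the poster's file)
#
# --- BROKEN: pam_unix commented out, pam_sss still carries use_first_pass ---
# pam_sss(8) documents use_first_pass as forcing the module to use a previous
# stacked module's password and never prompt the user; if no password is
# available, access is denied. With nothing stacked before it there is no
# password, so pam_sss neither asks for one nor runs its own Smartcard PIN
# prompt. The request reaches the backend with an empty token, which matches
# "authtok type: 0" (SSS_AUTHTOK_TYPE_EMPTY) in the sssd_pam.log above and the
# "7 (Authentication failure)" that comes back.
#auth   [success=2 default=ignore]  pam_unix.so nullok
auth    [success=1 default=ignore]  pam_sss.so use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so

# --- FIXED: drop use_first_pass so pam_sss is allowed to prompt ---
# With pam_cert_auth = true in the [pam] section of sssd.conf, pam_sss then
# asks for the PIN itself once a certificate matching the certmap rule is
# found on the token.
#auth   [success=2 default=ignore]  pam_unix.so nullok
auth    [success=1 default=ignore]  pam_sss.so
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
```

Two practical notes. First, re-test with the same service the log shows (sudo from a terminal) so the sssd_pam.log request can be compared line for line; after the change the authtok type sent to the backend should no longer be 0. Second, commenting out pam_unix in common-auth removes password authentication for every local account on that stack, root included, so keep a console login path that still works (or a separate PAM service file for it) before relying on the smartcard-only stack.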
On Fri, Jan 13, 2023 at 01:41:28PM -0000, Bill McGrory wrote:
Hi,
did you, by chance, keep the 'use_first_pass' in the 'auth pam_sss.so' line? This should be removed. If not, please share your PAM configuration as well.
bye, Sumit
Thank you for the quick reply. That was the problem. Successfully authenticated with the PIV.
V/R
Bill