9:14 a.m.
Hi,
I am using SSSD and FreeBSD to authenticate against samba4.
I used this howto setting all up:
http://serverfault.com/questions/599200/how-to-integrate-active-directory...
But when I want to logon using password, i.e. via dovecot I get wrong password.
Neigher can I use sudo typing the correct samba4 password.
Also I get a prompt [I have no name!@HOSTNAME] and my files, which I chowned &
chgrped to the samba user and group only show IDs as owner.
I have already asked on the FreeBSD maillinglist, but they couldn't help me.
Any ideas how to solve this? Can this maybe be a permission problem with some
file for sssd / NSS which an unprivileged user cannot read?
I have set UNIX attributes on the user I want to logon with.
Best regards,
Ronny Forberger
10:03 a.m.
I found out, that /var/run/sss needed mode 0755.
But I still cannot use passwords.
My /etc/pam.d/system looks like the following:
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_sss.so
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user
# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail
session optional /usr/local/lib/pam_sss.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_sss.so use_authtok
password required pam_unix.so no_warn try_first_pass
What am I doing wrong?
Best regards,
Ronny
2:46 a.m.
New subject: I have no name prompt and no passwords recognized
On Sun, Nov 13, 2016 at 04:03:06PM -0000, ronnyforberger(a)ronnyforberger.de wrote:
I found out, that /var/run/sss needed mode 0755.
But I still cannot use passwords.
My /etc/pam.d/system looks like the following:
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_sss.so
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user
# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail
session optional /usr/local/lib/pam_sss.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_sss.so use_authtok
password required pam_unix.so no_warn try_first_pass
What am I doing wrong?
Please enable debugging (see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details) and
check the logs files, especially sssd_pam.log, the domain log and
krb5_child.log.
HTH
bye,
Sumit
>
> Best regards,
> Ronny
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
3:04 a.m.
New subject: I have no name prompt and no passwords recognized
On (13/11/16 16:03), ronnyforberger(a)ronnyforberger.de wrote:
I found out, that /var/run/sss needed mode 0755.
But I still cannot use passwords.
My /etc/pam.d/system looks like the following:
What do you meand by cannot use password?
How do you authenticate ssh (or login on tty)
Are you able to resolve user with "getent passwd" or "id"?
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_sss.so
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user
There should be also enabled ignore_authinfo_unavail
# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail
session optional /usr/local/lib/pam_sss.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_sss.so use_authtok
password required pam_unix.so no_warn try_first_pass
BTW here is a link to our troubleshooting wiki
https://fedorahosted.org/sssd/wiki/Troubleshooting
LS
4:34 a.m.
New subject: I have no name prompt and no passwords recognized
Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14. November 2016
um 10:04
geschrieben:
On (13/11/16 16:03), ronnyforberger(a)ronnyforberger.de wrote:
>I found out, that /var/run/sss needed mode 0755.
>
>But I still cannot use passwords.
>My /etc/pam.d/system looks like the following:
>
What do you meand by cannot use password?
How do you authenticate ssh (or login on tty)
Are you able to resolve user with "getent passwd" or "id"?
I
cannot login using password or use sudo using password. Neigher by ssh, login
on tty.
I can see the users through getent passwd and id.
The debug log of pam_sssd.so says:
Nov 13 17:31:59 macy sudo: in openpam_dispatch(): /usr/local/lib/pam_sss.so:
pam_sm_authenticate(): authentication error
Nov 13 17:32:01 macy su: in openpam_dispatch(): calling pam_sm_setcred() in
/usr/local/lib/pam_sss.so
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_SERVICE
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_USER
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_TTY
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RUSER
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RHOST
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_AUTHTOK
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_OLDAUTHTOK
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_set_data(): entering: 'pam_sss:fd_destructor'
Nov 13 17:32:01 macy su: in pam_set_data(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in openpam_dispatch(): /usr/local/lib/pam_sss.so:
pam_sm_setcred(): success
What can be the problem?
Best regards,
Ronny
># auth
>auth sufficient pam_opie.so no_warn no_fake_prompts
>auth requisite pam_opieaccess.so no_warn allow_local
>#auth sufficient pam_krb5.so no_warn try_first_pass
>#auth sufficient pam_ssh.so no_warn try_first_pass
>auth sufficient /usr/local/lib/pam_sss.so
>auth required pam_unix.so no_warn try_first_pass nullok
>
># account
>#account required pam_krb5.so
>account required pam_login_access.so
>account required pam_unix.so
>account required /usr/local/lib/pam_sss.so ignore_unknown_user
There should be also enabled ignore_authinfo_unavail
># session
>#session optional pam_ssh.so want_agent
>session required pam_lastlog.so no_fail
>session optional /usr/local/lib/pam_sss.so
>
># password
>#password sufficient pam_krb5.so no_warn try_first_pass
>password sufficient /usr/local/lib/pam_sss.so use_authtok
>password required pam_unix.so no_warn try_first_pass
>
BTW here is a link to our troubleshooting wiki
https://fedorahosted.org/sssd/wiki/Troubleshooting
LS
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
___________________________________
Ronny Forberger
ronnyforberger at ronnyforberger.de
PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
4:36 a.m.
New subject: I have no name prompt and no passwords recognized
On (14/11/16 11:34), Ronny Forberger wrote:
> Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14. November
2016 um 10:04
> geschrieben:
>
>
> On (13/11/16 16:03), ronnyforberger(a)ronnyforberger.de wrote:
> >I found out, that /var/run/sss needed mode 0755.
> >
> >But I still cannot use passwords.
> >My /etc/pam.d/system looks like the following:
> >
> What do you meand by cannot use password?
> How do you authenticate ssh (or login on tty)
> Are you able to resolve user with "getent passwd" or "id"?
I cannot login using password or use sudo using password. Neigher by ssh, login
on tty.
I can see the users through getent passwd and id.
The debug log of pam_sssd.so says:
Nov 13 17:31:59 macy sudo: in openpam_dispatch(): /usr/local/lib/pam_sss.so:
pam_sm_authenticate(): authentication error
Nov 13 17:32:01 macy su: in openpam_dispatch(): calling pam_sm_setcred() in
/usr/local/lib/pam_sss.so
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_SERVICE
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_USER
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_TTY
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RUSER
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RHOST
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_AUTHTOK
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_OLDAUTHTOK
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_set_data(): entering: 'pam_sss:fd_destructor'
Nov 13 17:32:01 macy su: in pam_set_data(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in openpam_dispatch(): /usr/local/lib/pam_sss.so:
pam_sm_setcred(): success
Those messages are from syslog.
You need to find a problem in sssd logs.
https://fedorahosted.org/sssd/wiki/Troubleshooting
LS
10:09 a.m.
New subject: I have no name prompt and no passwords recognized
Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14. November 2016
um 11:36
geschrieben:
On (14/11/16 11:34), Ronny Forberger wrote:
>> Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14. November 2016 um 10:04
>> geschrieben:
>>
>>
>> On (13/11/16 16:03), ronnyforberger(a)ronnyforberger.de wrote:
>> >I found out, that /var/run/sss needed mode 0755.
>> >
>> >But I still cannot use passwords.
>> >My /etc/pam.d/system looks like the following:
>> >
>> What do you meand by cannot use password?
>> How do you authenticate ssh (or login on tty)
>> Are you able to resolve user with "getent passwd" or "id"?
>I cannot login using password or use sudo using password. Neigher by ssh,
>login
>on tty.
>
>I can see the users through getent passwd and id.
>
>The debug log of pam_sssd.so says:
>
>
>Nov 13 17:31:59 macy sudo: in openpam_dispatch(): /usr/local/lib/pam_sss.so:
>pam_sm_authenticate(): authentication error
>Nov 13 17:32:01 macy su: in openpam_dispatch(): calling pam_sm_setcred() in
>/usr/local/lib/pam_sss.so
>Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_SERVICE
>Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_USER
>Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_TTY
>Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RUSER
>Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RHOST
>Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_AUTHTOK
>Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_OLDAUTHTOK
>Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>Nov 13 17:32:01 macy su: in pam_set_data(): entering:
'pam_sss:fd_destructor'
>Nov 13 17:32:01 macy su: in pam_set_data(): returning PAM_SUCCESS
>Nov 13 17:32:01 macy su: in openpam_dispatch(): /usr/local/lib/pam_sss.so:
>pam_sm_setcred(): success
>
Those messages are from syslog.
You need to find a problem in sssd logs.
https://fedorahosted.org/sssd/wiki/Troubleshooting
Ok, here is the PAM log from
sssd:
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering
pam_cmd_acct_mgmt
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_ACCT_MGMT
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not
set
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
/dev/pts/0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type:
0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
type: 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32816
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_check_user_search] (0x0100):
Requesting info for [rf(a)ronnyforberger.de]
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
request with the following data:
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_ACCT_MGMT
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
ronnyforberger.de
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
/dev/pts/0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type:
0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
type: 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32816
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100):
received: [0][ronnyforberger.de]
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_cmd_setcred] (0x0100): entering
pam_cmd_setcred
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_SETCRED
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not
set
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
/dev/pts/0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type:
0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
type: 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32816
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_check_user_search] (0x0100):
Requesting info for [rf(a)ronnyforberger.de]
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
request with the following data:
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_SETCRED
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
ronnyforberger.de
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
/dev/pts/0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type:
0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
type: 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32816
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100):
received: [0][ronnyforberger.de]
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering
pam_cmd_authenticate
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not
set
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
/dev/pts/0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type:
0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
type: 0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32830
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_check_user_search] (0x0100):
Requesting info for [rf(a)ronnyforberger.de]
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
request with the following data:
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
ronnyforberger.de
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
/dev/pts/0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type:
0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
type: 0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32830
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100):
received: [9][ronnyforberger.de]
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering
pam_cmd_authenticate
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not
set
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
/dev/pts/0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type:
0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
type: 0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32830
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_check_user_search] (0x0100):
Requesting info for [rf(a)ronnyforberger.de]
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
request with the following data:
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
ronnyforberger.de
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
/dev/pts/0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type:
0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
type: 0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32830
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100):
received: [9][ronnyforberger.de]
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_cmd_setcred] (0x0100): entering
pam_cmd_setcred
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_SETCRED
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not
set
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
/dev/pts/0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type:
0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
type: 0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32816
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_check_user_search] (0x0100):
Requesting info for [rf(a)ronnyforberger.de]
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
request with the following data:
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_SETCRED
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
ronnyforberger.de
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
/dev/pts/0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type:
0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
type: 0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32816
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100):
received: [0][ronnyforberger.de]
Best regards,
Ronny
LS
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
___________________________________
Ronny Forberger
ronnyforberger at ronnyforberger.de
PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
10:18 a.m.
New subject: I have no name prompt and no passwords recognized
On (14/11/16 17:09), Ronny Forberger wrote:
> Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14. November
2016 um 11:36
> geschrieben:
>
>
> On (14/11/16 11:34), Ronny Forberger wrote:
> >> Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14. November 2016 um
10:04
> >> geschrieben:
> >>
> >>
> >> On (13/11/16 16:03), ronnyforberger(a)ronnyforberger.de wrote:
> >> >I found out, that /var/run/sss needed mode 0755.
> >> >
> >> >But I still cannot use passwords.
> >> >My /etc/pam.d/system looks like the following:
> >> >
> >> What do you meand by cannot use password?
> >> How do you authenticate ssh (or login on tty)
> >> Are you able to resolve user with "getent passwd" or
"id"?
> >I cannot login using password or use sudo using password. Neigher by ssh,
> >login
> >on tty.
> >
> >I can see the users through getent passwd and id.
> >
> >The debug log of pam_sssd.so says:
> >
> >
> >Nov 13 17:31:59 macy sudo: in openpam_dispatch(): /usr/local/lib/pam_sss.so:
> >pam_sm_authenticate(): authentication error
> >Nov 13 17:32:01 macy su: in openpam_dispatch(): calling pam_sm_setcred() in
> >/usr/local/lib/pam_sss.so
> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_SERVICE
> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_USER
> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_TTY
> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RUSER
> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RHOST
> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_AUTHTOK
> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_OLDAUTHTOK
> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
> >Nov 13 17:32:01 macy su: in pam_set_data(): entering:
'pam_sss:fd_destructor'
> >Nov 13 17:32:01 macy su: in pam_set_data(): returning PAM_SUCCESS
> >Nov 13 17:32:01 macy su: in openpam_dispatch(): /usr/local/lib/pam_sss.so:
> >pam_sm_setcred(): success
> >
> Those messages are from syslog.
> You need to find a problem in sssd logs.
> https://fedorahosted.org/sssd/wiki/Troubleshooting
Ok, here is the PAM log from sssd:
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering
pam_cmd_acct_mgmt
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_ACCT_MGMT
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not
set
There are just log messages from debug_level 0x0100.
I assume you set "debug_level = 0x0100" into pam section.
But 0x0100 is a bitmask style and does not contain debug
messages with lover debug level.
Could you sed "debug_level = 0x03f0" or non-bitmask version
"debug_level = 7"?
Please attach log sssd_pam.log and sssd_$domain.log files
as attachments to the mail.
LS
10:25 a.m.
New subject: I have no name prompt and no passwords recognized
Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14. November 2016
um 17:18
geschrieben:
On (14/11/16 17:09), Ronny Forberger wrote:
>> Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14. November 2016 um 11:36
>> geschrieben:
>>
>>
>> On (14/11/16 11:34), Ronny Forberger wrote:
>> >> Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14. November 2016 um
10:04
>> >> geschrieben:
>> >>
>> >>
>> >> On (13/11/16 16:03), ronnyforberger(a)ronnyforberger.de wrote:
>> >> >I found out, that /var/run/sss needed mode 0755.
>> >> >
>> >> >But I still cannot use passwords.
>> >> >My /etc/pam.d/system looks like the following:
>> >> >
>> >> What do you meand by cannot use password?
>> >> How do you authenticate ssh (or login on tty)
>> >> Are you able to resolve user with "getent passwd" or
"id"?
>> >I cannot login using password or use sudo using password. Neigher by ssh,
>> >login
>> >on tty.
>> >
>> >I can see the users through getent passwd and id.
>> >
>> >The debug log of pam_sssd.so says:
>> >
>> >
>> >Nov 13 17:31:59 macy sudo: in openpam_dispatch():
>> >/usr/local/lib/pam_sss.so:
>> >pam_sm_authenticate(): authentication error
>> >Nov 13 17:32:01 macy su: in openpam_dispatch(): calling pam_sm_setcred()
>> >in
>> >/usr/local/lib/pam_sss.so
>> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_SERVICE
>> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_USER
>> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_TTY
>> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RUSER
>> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RHOST
>> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_AUTHTOK
>> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_OLDAUTHTOK
>> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >Nov 13 17:32:01 macy su: in pam_set_data(): entering:
>> >'pam_sss:fd_destructor'
>> >Nov 13 17:32:01 macy su: in pam_set_data(): returning PAM_SUCCESS
>> >Nov 13 17:32:01 macy su: in openpam_dispatch(): /usr/local/lib/pam_sss.so:
>> >pam_sm_setcred(): success
>> >
>> Those messages are from syslog.
>> You need to find a problem in sssd logs.
>> https://fedorahosted.org/sssd/wiki/Troubleshooting
>Ok, here is the PAM log from sssd:
>
>(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering
>pam_cmd_acct_mgmt
>(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
>PAM_ACCT_MGMT
>(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not
>set
There are just log messages from debug_level 0x0100.
I assume you set "debug_level = 0x0100" into pam section.
But 0x0100 is a bitmask style and does not contain debug
messages with lover debug level.
Could you sed "debug_level = 0x03f0" or non-bitmask version
"debug_level = 7"?
Please attach log sssd_pam.log and sssd_$domain.log files
as attachments to the mail.
Here is the log file.
Best regards,
Ronny
LS
___________________________________
Ronny Forberger
ronnyforberger at ronnyforberger.de
PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
3 p.m.
New subject: I have no name prompt and no passwords recognized
On (14/11/16 17:25), Ronny Forberger wrote:
> Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14. November 2016 um 17:18
> geschrieben:
>
>
> On (14/11/16 17:09), Ronny Forberger wrote:
> >> Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14. November 2016 um
11:36
> >> geschrieben:
> >>
> >>
> >> On (14/11/16 11:34), Ronny Forberger wrote:
> >> >> Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14. November
2016 um 10:04
> >> >> geschrieben:
> >> >>
> >> >>
> >> >> On (13/11/16 16:03), ronnyforberger(a)ronnyforberger.de wrote:
> >> >> >I found out, that /var/run/sss needed mode 0755.
> >> >> >
> >> >> >But I still cannot use passwords.
> >> >> >My /etc/pam.d/system looks like the following:
> >> >> >
> >> >> What do you meand by cannot use password?
> >> >> How do you authenticate ssh (or login on tty)
> >> >> Are you able to resolve user with "getent passwd" or
"id"?
> >> >I cannot login using password or use sudo using password. Neigher by
ssh,
> >> >login
> >> >on tty.
> >> >
> >> >I can see the users through getent passwd and id.
> >> >
> >> >The debug log of pam_sssd.so says:
> >> >
> >> >
> >> >Nov 13 17:31:59 macy sudo: in openpam_dispatch():
> >> >/usr/local/lib/pam_sss.so:
> >> >pam_sm_authenticate(): authentication error
> >> >Nov 13 17:32:01 macy su: in openpam_dispatch(): calling
pam_sm_setcred()
> >> >in
> >> >/usr/local/lib/pam_sss.so
> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_SERVICE
> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_USER
> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_TTY
> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RUSER
> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RHOST
> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_AUTHTOK
> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_OLDAUTHTOK
> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
> >> >Nov 13 17:32:01 macy su: in pam_set_data(): entering:
> >> >'pam_sss:fd_destructor'
> >> >Nov 13 17:32:01 macy su: in pam_set_data(): returning PAM_SUCCESS
> >> >Nov 13 17:32:01 macy su: in openpam_dispatch():
/usr/local/lib/pam_sss.so:
> >> >pam_sm_setcred(): success
> >> >
> >> Those messages are from syslog.
> >> You need to find a problem in sssd logs.
> >> https://fedorahosted.org/sssd/wiki/Troubleshooting
> >Ok, here is the PAM log from sssd:
> >
> >(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering
> >pam_cmd_acct_mgmt
> >(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
> >PAM_ACCT_MGMT
> >(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not
> >set
> There are just log messages from debug_level 0x0100.
>
> I assume you set "debug_level = 0x0100" into pam section.
> But 0x0100 is a bitmask style and does not contain debug
> messages with lover debug level.
>
> Could you sed "debug_level = 0x03f0" or non-bitmask version
> "debug_level = 7"?
>
> Please attach log sssd_pam.log and sssd_$domain.log files
> as attachments to the mail.
Here is the log file.
Best regards,
Ronny
>
> LS
>
___________________________________
Ronny Forberger
ronnyforberger at ronnyforberger.de
PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [monitor_common_send_id]
(0x0100): Sending ID: (pam,1)
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_names_init_from_args] (0x0100): Using re
[(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^(a)\\]+)$))].
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_fqnames_init] (0x0100): Using fq format
[%1$s@%2$s].
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_fqnames_init] (0x0100): Found the pattern for
domain name
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [dp_common_send_id] (0x0100): Sending ID to DP:
(1,PAM)
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sysdb_domain_init_internal] (0x0200): DB File for
ronnyforberger.de: /var/db/sss/cache_ronnyforberger.de.ldb
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'root' matched without domain, user is root
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'root' matched without domain, user is root
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [responder_set_fd_limit] (0x0100): Maximum file
descriptors set to [8192]
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [id_callback] (0x0100): Got id ack and version (1)
from Monitor
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [dp_id_callback] (0x0100): Got id ack and version
(1) from DP
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client
version [3].
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version
[3].
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering
pam_cmd_acct_mgmt
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'rf' matched without domain, user is rf
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info
for [rf(a)ronnyforberger.de]
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with
the following data:
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
ronnyforberger.de
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req
returned 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received:
[0][ronnyforberger.de]
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result
[0].
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 34
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client
version [3].
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version
[3].
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_cmd_setcred] (0x0100): entering
pam_cmd_setcred
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'rf' matched without domain, user is rf
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info
for [rf(a)ronnyforberger.de]
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with
the following data:
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
ronnyforberger.de
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req
returned 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received:
[0][ronnyforberger.de]
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result
[0].
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 34
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client
version [3].
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version
[3].
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering
pam_cmd_authenticate
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'rf' matched without domain, user is rf
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36187
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info
for [rf(a)ronnyforberger.de]
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with
the following data:
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
ronnyforberger.de
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36187
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req
returned 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received:
[9][ronnyforberger.de]
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result
[9].
authentication for "sudo" failed here. 9 is a return code from
PAM_AUTH_ERR.
I could also see the same problem with authentication for "dovecot" service
and the same user "rf". But I could not see any attempt for authentication
with ssh or login(tty). I would recommend to start testing with something
simpler rather then sudo.
BTW more details shoudl be available in domain log file
https://fedorahosted.org/sssd/wiki/Troubleshooting#TroubleshootingAuthent...
LS
3:05 a.m.
New subject: I have no name prompt and no passwords recognized
On Mon, Nov 14, 2016 at 10:00:27PM +0100, Lukas Slebodnik wrote:
On (14/11/16 17:25), Ronny Forberger wrote:
>
>
>> Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14. November 2016 um 17:18
>> geschrieben:
>>
>>
>> On (14/11/16 17:09), Ronny Forberger wrote:
>> >> Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14. November 2016 um
11:36
>> >> geschrieben:
>> >>
>> >>
>> >> On (14/11/16 11:34), Ronny Forberger wrote:
>> >> >> Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14.
November 2016 um 10:04
>> >> >> geschrieben:
>> >> >>
>> >> >>
>> >> >> On (13/11/16 16:03), ronnyforberger(a)ronnyforberger.de wrote:
>> >> >> >I found out, that /var/run/sss needed mode 0755.
>> >> >> >
>> >> >> >But I still cannot use passwords.
>> >> >> >My /etc/pam.d/system looks like the following:
>> >> >> >
>> >> >> What do you meand by cannot use password?
>> >> >> How do you authenticate ssh (or login on tty)
>> >> >> Are you able to resolve user with "getent passwd" or
"id"?
>> >> >I cannot login using password or use sudo using password. Neigher
by ssh,
>> >> >login
>> >> >on tty.
>> >> >
>> >> >I can see the users through getent passwd and id.
>> >> >
>> >> >The debug log of pam_sssd.so says:
>> >> >
>> >> >
>> >> >Nov 13 17:31:59 macy sudo: in openpam_dispatch():
>> >> >/usr/local/lib/pam_sss.so:
>> >> >pam_sm_authenticate(): authentication error
>> >> >Nov 13 17:32:01 macy su: in openpam_dispatch(): calling
pam_sm_setcred()
>> >> >in
>> >> >/usr/local/lib/pam_sss.so
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_SERVICE
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_USER
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_TTY
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RUSER
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RHOST
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_AUTHTOK
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering:
PAM_OLDAUTHTOK
>> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
>> >> >Nov 13 17:32:01 macy su: in pam_set_data(): entering:
>> >> >'pam_sss:fd_destructor'
>> >> >Nov 13 17:32:01 macy su: in pam_set_data(): returning PAM_SUCCESS
>> >> >Nov 13 17:32:01 macy su: in openpam_dispatch():
/usr/local/lib/pam_sss.so:
>> >> >pam_sm_setcred(): success
>> >> >
>> >> Those messages are from syslog.
>> >> You need to find a problem in sssd logs.
>> >> https://fedorahosted.org/sssd/wiki/Troubleshooting
>> >Ok, here is the PAM log from sssd:
>> >
>> >(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100):
entering
>> >pam_cmd_acct_mgmt
>> >(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
>> >PAM_ACCT_MGMT
>> >(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
not
>> >set
>> There are just log messages from debug_level 0x0100.
>>
>> I assume you set "debug_level = 0x0100" into pam section.
>> But 0x0100 is a bitmask style and does not contain debug
>> messages with lover debug level.
>>
>> Could you sed "debug_level = 0x03f0" or non-bitmask version
>> "debug_level = 7"?
>>
>> Please attach log sssd_pam.log and sssd_$domain.log files
>> as attachments to the mail.
>Here is the log file.
>
>Best regards,
>Ronny
>>
>> LS
>>
>___________________________________
>Ronny Forberger
>ronnyforberger at ronnyforberger.de
>PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [monitor_common_send_id] (0x0100): Sending ID:
(pam,1)
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_names_init_from_args] (0x0100): Using re
[(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^(a)\\]+)$))].
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_fqnames_init] (0x0100): Using fq format
[%1$s@%2$s].
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_fqnames_init] (0x0100): Found the pattern
for domain name
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [dp_common_send_id] (0x0100): Sending ID to
DP: (1,PAM)
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sysdb_domain_init_internal] (0x0200): DB File
for ronnyforberger.de: /var/db/sss/cache_ronnyforberger.de.ldb
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'root' matched without domain, user is root
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'root' matched without domain, user is root
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [responder_set_fd_limit] (0x0100): Maximum
file descriptors set to [8192]
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [id_callback] (0x0100): Got id ack and version
(1) from Monitor
>(Mon Nov 14 17:23:02 2016) [sssd[pam]] [dp_id_callback] (0x0100): Got id ack and
version (1) from DP
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received
client version [3].
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered
version [3].
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering
pam_cmd_acct_mgmt
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'rf' matched without domain, user is rf
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_ACCT_MGMT
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting
info for [rf(a)ronnyforberger.de]
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request
with the following data:
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_ACCT_MGMT
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
ronnyforberger.de
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req
returned 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received:
[0][ronnyforberger.de]
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with
result [0].
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 34
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received
client version [3].
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered
version [3].
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_cmd_setcred] (0x0100): entering
pam_cmd_setcred
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'rf' matched without domain, user is rf
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_SETCRED
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting
info for [rf(a)ronnyforberger.de]
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request
with the following data:
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_SETCRED
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
ronnyforberger.de
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req
returned 0
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received:
[0][ronnyforberger.de]
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with
result [0].
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 34
>(Mon Nov 14 17:23:07 2016) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received
client version [3].
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered
version [3].
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering
pam_cmd_authenticate
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'rf' matched without domain, user is rf
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36187
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting
info for [rf(a)ronnyforberger.de]
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request
with the following data:
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
ronnyforberger.de
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
>(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
"authtok type: 0" means that no password was sent your should see a '1'
here for password authentication.
Have you been prompted for a password? Depending on where pam_sss is
used in the PAM configuration you have to use different option. E.g. if
there is a PAM module called before pam_sss which prompts for a password
you have to use the 'use_first_pass' option to tell pam_sss to not
prompt for a password. If pam_sss is the first module which prompts for
a password you should add 'forward_pass' to tell pam_sss to keep the
password in the PAM data so that other PAM modules can use it as well
(if needed). Please see man pam_sss for details.
HTH
bye,
Sumit
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
type: 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36187
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received:
[9][ronnyforberger.de]
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called
with result [9].
> authentication for "sudo" failed here. 9 is a return code from
PAM_AUTH_ERR.
>
> I could also see the same problem with authentication for "dovecot"
service
> and the same user "rf". But I could not see any attempt for authentication
> with ssh or login(tty). I would recommend to start testing with something
> simpler rather then sudo.
>
> BTW more details shoudl be available in domain log file
>
https://fedorahosted.org/sssd/wiki/Troubleshooting#TroubleshootingAuthent...
>
> LS
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
5:49 a.m.
New subject: I have no name prompt and no passwords recognized
Sumit Bose <sbose(a)redhat.com> hat am 15. November 2016 um 10:05
geschrieben:
On Mon, Nov 14, 2016 at 10:00:27PM +0100, Lukas Slebodnik wrote:
> On (14/11/16 17:25), Ronny Forberger wrote:
> >
> >
> >> Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14. November 2016 um
17:18
> >> geschrieben:
> >>
> >>
> >> On (14/11/16 17:09), Ronny Forberger wrote:
> >> >> Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14. November
2016 um
> >> >> 11:36
> >> >> geschrieben:
> >> >>
> >> >>
> >> >> On (14/11/16 11:34), Ronny Forberger wrote:
> >> >> >> Lukas Slebodnik <lslebodn(a)redhat.com> hat am 14.
November 2016 um
> >> >> >> 10:04
> >> >> >> geschrieben:
> >> >> >>
> >> >> >>
> >> >> >> On (13/11/16 16:03), ronnyforberger(a)ronnyforberger.de
wrote:
> >> >> >> >I found out, that /var/run/sss needed mode 0755.
> >> >> >> >
> >> >> >> >But I still cannot use passwords.
> >> >> >> >My /etc/pam.d/system looks like the following:
> >> >> >> >
> >> >> >> What do you meand by cannot use password?
> >> >> >> How do you authenticate ssh (or login on tty)
> >> >> >> Are you able to resolve user with "getent
passwd" or "id"?
> >> >> >I cannot login using password or use sudo using password.
Neigher by
> >> >> >ssh,
> >> >> >login
> >> >> >on tty.
> >> >> >
> >> >> >I can see the users through getent passwd and id.
> >> >> >
> >> >> >The debug log of pam_sssd.so says:
> >> >> >
> >> >> >
> >> >> >Nov 13 17:31:59 macy sudo: in openpam_dispatch():
> >> >> >/usr/local/lib/pam_sss.so:
> >> >> >pam_sm_authenticate(): authentication error
> >> >> >Nov 13 17:32:01 macy su: in openpam_dispatch(): calling
> >> >> >pam_sm_setcred()
> >> >> >in
> >> >> >/usr/local/lib/pam_sss.so
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering:
PAM_SERVICE
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning
PAM_SUCCESS
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering:
PAM_USER
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning
PAM_SUCCESS
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_TTY
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning
PAM_SUCCESS
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering:
PAM_RUSER
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning
PAM_SUCCESS
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering:
PAM_RHOST
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning
PAM_SUCCESS
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering:
PAM_AUTHTOK
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning
PAM_SUCCESS
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): entering:
PAM_OLDAUTHTOK
> >> >> >Nov 13 17:32:01 macy su: in pam_get_item(): returning
PAM_SUCCESS
> >> >> >Nov 13 17:32:01 macy su: in pam_set_data(): entering:
> >> >> >'pam_sss:fd_destructor'
> >> >> >Nov 13 17:32:01 macy su: in pam_set_data(): returning
PAM_SUCCESS
> >> >> >Nov 13 17:32:01 macy su: in openpam_dispatch():
> >> >> >/usr/local/lib/pam_sss.so:
> >> >> >pam_sm_setcred(): success
> >> >> >
> >> >> Those messages are from syslog.
> >> >> You need to find a problem in sssd logs.
> >> >> https://fedorahosted.org/sssd/wiki/Troubleshooting
> >> >Ok, here is the PAM log from sssd:
> >> >
> >> >(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100):
> >> >entering
> >> >pam_cmd_acct_mgmt
> >> >(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100):
> >> >command:
> >> >PAM_ACCT_MGMT
> >> >(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100):
> >> >domain: not
> >> >set
> >> There are just log messages from debug_level 0x0100.
> >>
> >> I assume you set "debug_level = 0x0100" into pam section.
> >> But 0x0100 is a bitmask style and does not contain debug
> >> messages with lover debug level.
> >>
> >> Could you sed "debug_level = 0x03f0" or non-bitmask version
> >> "debug_level = 7"?
> >>
> >> Please attach log sssd_pam.log and sssd_$domain.log files
> >> as attachments to the mail.
> >Here is the log file.
> >
> >Best regards,
> >Ronny
> >>
> >> LS
> >>
> >___________________________________
> >Ronny Forberger
> >ronnyforberger at ronnyforberger.de
> >PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
>
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [monitor_common_send_id] (0x0100):
> >Sending ID: (pam,1)
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_names_init_from_args] (0x0100):
> >Using re
>
>[(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^(a)\\]+)$))].
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_fqnames_init] (0x0100): Using
> >fq format [%1$s@%2$s].
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_fqnames_init] (0x0100): Found
> >the pattern for domain name
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [dp_common_send_id] (0x0100):
> >Sending ID to DP: (1,PAM)
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sysdb_domain_init_internal]
> >(0x0200): DB File for ronnyforberger.de:
> >/var/db/sss/cache_ronnyforberger.de.ldb
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): name 'root' matched without domain, user is root
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): using default domain [(null)]
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): name 'root' matched without domain, user is root
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): using default domain [(null)]
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [responder_set_fd_limit] (0x0100):
> >Maximum file descriptors set to [8192]
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [id_callback] (0x0100): Got id ack
> >and version (1) from Monitor
> >(Mon Nov 14 17:23:02 2016) [sssd[pam]] [dp_id_callback] (0x0100): Got id
> >ack and version (1) from DP
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> >Received client version [3].
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> >Offered version [3].
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100):
> >entering pam_cmd_acct_mgmt
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): name 'rf' matched without domain, user is rf
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): using default domain [(null)]
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
> >PAM_ACCT_MGMT
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
> >not set
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service:
> >su
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
> >/dev/pts/0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> >root
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> >not set
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok
> >type: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100):
> >newauthtok type: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> >36168
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_check_user_search] (0x0100):
> >Requesting info for [rf(a)ronnyforberger.de]
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
> >request with the following data:
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
> >PAM_ACCT_MGMT
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
> >ronnyforberger.de
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service:
> >su
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
> >/dev/pts/0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> >root
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> >not set
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok
> >type: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100):
> >newauthtok type: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> >36168
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> >pam_dp_send_req returned 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100):
> >received: [0][ronnyforberger.de]
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> >called with result [0].
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 34
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> >Received client version [3].
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> >Offered version [3].
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_cmd_setcred] (0x0100): entering
> >pam_cmd_setcred
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): name 'rf' matched without domain, user is rf
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): using default domain [(null)]
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
> >PAM_SETCRED
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
> >not set
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service:
> >su
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
> >/dev/pts/0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> >root
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> >not set
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok
> >type: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100):
> >newauthtok type: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> >36168
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_check_user_search] (0x0100):
> >Requesting info for [rf(a)ronnyforberger.de]
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
> >request with the following data:
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
> >PAM_SETCRED
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
> >ronnyforberger.de
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service:
> >su
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
> >/dev/pts/0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> >root
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> >not set
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok
> >type: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100):
> >newauthtok type: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> >36168
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> >pam_dp_send_req returned 0
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100):
> >received: [0][ronnyforberger.de]
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> >called with result [0].
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 34
> >(Mon Nov 14 17:23:07 2016) [sssd[pam]] [client_recv] (0x0200): Client
> >disconnected!
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> >Received client version [3].
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> >Offered version [3].
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
> >entering pam_cmd_authenticate
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): name 'rf' matched without domain, user is rf
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_parse_name_for_domains]
> >(0x0200): using default domain [(null)]
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
> >PAM_AUTHENTICATE
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
> >not set
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service:
> >sudo
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
> >/dev/pts/0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> >not set
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok
> >type: 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100):
> >newauthtok type: 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> >36187
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_check_user_search] (0x0100):
> >Requesting info for [rf(a)ronnyforberger.de]
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
> >request with the following data:
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
> >PAM_AUTHENTICATE
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
> >ronnyforberger.de
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service:
> >sudo
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): tty:
> >/dev/pts/0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> >not set
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok
> >type: 0
"authtok type: 0" means that no password was sent your should see a
'1'
here for password authentication.
Have you been prompted for a password? Depending on where pam_sss is
used in the PAM configuration you have to use different option. E.g. if
there is a PAM module called before pam_sss which prompts for a password
you have to use the 'use_first_pass' option to tell pam_sss to not
prompt for a password. If pam_sss is the first module which prompts for
a password you should add 'forward_pass' to tell pam_sss to keep the
password in the PAM data so that other PAM modules can use it as well
(if needed). Please see man pam_sss for details.
It was the permissions on /etc/krb5.conf and /usr/local/etc/krb5.conf.
Thanks.
Best regards,
Ronny
HTH
bye,
Sumit
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100):
> >newauthtok type: 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> >36187
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> >pam_dp_send_req returned 0
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100):
> >received: [9][ronnyforberger.de]
> >(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> >called with result [9].
> authentication for "sudo" failed here. 9 is a return code from
PAM_AUTH_ERR.
>
> I could also see the same problem with authentication for "dovecot"
service
> and the same user "rf". But I could not see any attempt for
authentication
> with ssh or login(tty). I would recommend to start testing with something
> simpler rather then sudo.
>
> BTW more details shoudl be available in domain log file
>
https://fedorahosted.org/sssd/wiki/Troubleshooting#TroubleshootingAuthent...
>
> LS
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
___________________________________
Ronny Forberger
ronnyforberger at ronnyforberger.de
PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
2716
days inactive
2718
days old
sssd-users@lists.fedorahosted.org
11 comments
3 participants
participants (3)
-
Lukas Slebodnik -
Ronny Forberger -
Sumit Bose