Hi, I am using SSSD and FreeBSD to authenticate against samba4. I used this howto to set it all up: http://serverfault.com/questions/599200/how-to-integrate-active-directory-wi...
But when I want to log on using a password, i.e. via dovecot, I get "wrong password". Neither can I use sudo by typing the correct samba4 password.
Also I get a prompt [I have no name!@HOSTNAME] and my files, which I chowned & chgrped to the samba user and group only show IDs as owner.
I have already asked on the FreeBSD mailing list, but they couldn't help me.
Any ideas how to solve this? Can this maybe be a permission problem with some file for sssd / NSS which an unprivileged user cannot read?
I have set UNIX attributes on the user I want to log on with.
Best regards, Ronny Forberger
I found out that /var/run/sss needed mode 0755.
But I still cannot use passwords. My /etc/pam.d/system looks like the following:
# auth
auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so           no_warn allow_local
#auth       sufficient  pam_krb5.so                 no_warn try_first_pass
#auth       sufficient  pam_ssh.so                  no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_sss.so
auth        required    pam_unix.so                 no_warn try_first_pass nullok

# account
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    pam_unix.so
account     required    /usr/local/lib/pam_sss.so   ignore_unknown_user

# session
#session    optional    pam_ssh.so                  want_agent
session     required    pam_lastlog.so              no_fail
session     optional    /usr/local/lib/pam_sss.so

# password
#password   sufficient  pam_krb5.so                 no_warn try_first_pass
password    sufficient  /usr/local/lib/pam_sss.so   use_authtok
password    required    pam_unix.so                 no_warn try_first_pass
What am I doing wrong?
Best regards, Ronny
On Sun, Nov 13, 2016 at 04:03:06PM -0000, ronnyforberger@ronnyforberger.de wrote:
I found out that /var/run/sss needed mode 0755.
But I still cannot use passwords.
What am I doing wrong?
Please enable debugging (see https://fedorahosted.org/sssd/wiki/Troubleshooting for details) and check the log files, especially sssd_pam.log, the domain log and krb5_child.log.
HTH
bye, Sumit
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On (13/11/16 16:03), ronnyforberger@ronnyforberger.de wrote:
I found out that /var/run/sss needed mode 0755.
But I still cannot use passwords. My /etc/pam.d/system looks like the following:
What do you mean by "cannot use password"? How do you authenticate: ssh (or login on tty)? Are you able to resolve the user with "getent passwd" or "id"?
# auth
auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so           no_warn allow_local
#auth       sufficient  pam_krb5.so                 no_warn try_first_pass
#auth       sufficient  pam_ssh.so                  no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_sss.so
auth        required    pam_unix.so                 no_warn try_first_pass nullok

# account
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    pam_unix.so
account     required    /usr/local/lib/pam_sss.so   ignore_unknown_user
ignore_authinfo_unavail should also be enabled there.
# session
#session    optional    pam_ssh.so                  want_agent
session     required    pam_lastlog.so              no_fail
session     optional    /usr/local/lib/pam_sss.so

# password
#password   sufficient  pam_krb5.so                 no_warn try_first_pass
password    sufficient  /usr/local/lib/pam_sss.so   use_authtok
password    required    pam_unix.so                 no_warn try_first_pass
BTW here is a link to our troubleshooting wiki https://fedorahosted.org/sssd/wiki/Troubleshooting
LS
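The policy review above (pam_sss.so present in auth and account, and the account line carrying both ignore_unknown_user and ignore_authinfo_unavail) can be mechanised. The following is an added example written for this thread, not code from the thread or from the SSSD project: it parses a FreeBSD pam.conf(5)-style policy, reports how pam_sss.so is wired in, and appends the missing account options. The embedded policy is constructed from the /etc/pam.d/system posted here, with the commented-out pam_krb5/pam_ssh lines left out.

```python
from dataclasses import dataclass

# Constructed sample: the policy posted in this thread, laid out in
# FreeBSD pam.conf(5) form "facility control module [options]".
POLICY_AS_POSTED = """\
# auth
auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so           no_warn allow_local
auth        sufficient  /usr/local/lib/pam_sss.so
auth        required    pam_unix.so                 no_warn try_first_pass nullok
# account
account     required    pam_login_access.so
account     required    pam_unix.so
account     required    /usr/local/lib/pam_sss.so   ignore_unknown_user
# session
session     required    pam_lastlog.so              no_fail
session     optional    /usr/local/lib/pam_sss.so
# password
password    sufficient  /usr/local/lib/pam_sss.so   use_authtok
password    required    pam_unix.so                 no_warn try_first_pass
"""

# Options pam_sss(8) documents for keeping local accounts usable when the
# user is not an SSSD user (ignore_unknown_user) or sssd cannot be reached
# (ignore_authinfo_unavail); both return PAM_IGNORE instead of a failure.
ACCOUNT_SSS_OPTIONS = ("ignore_unknown_user", "ignore_authinfo_unavail")


@dataclass
class Rule:
    facility: str
    control: str
    module: str       # basename only, e.g. "pam_sss.so"
    options: tuple


def parse_policy(text):
    """Parse a pam.conf(5)-style policy into Rule objects, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        facility, control, module, *opts = parts
        rules.append(Rule(facility, control, module.rsplit("/", 1)[-1], tuple(opts)))
    return rules


def lint_sss_policy(rules):
    """Return findings about how pam_sss.so is wired into the policy."""
    findings = []
    facilities = {r.facility for r in rules if r.module == "pam_sss.so"}
    for fac in ("auth", "account"):
        if fac not in facilities:
            findings.append(f"{fac}: pam_sss.so is not listed")
    for r in rules:
        if r.module != "pam_sss.so" or r.facility != "account":
            continue
        # A "required" pam_sss that fails blocks every login, including root's,
        # so the account line needs both ignore_* options to degrade safely.
        for opt in ACCOUNT_SSS_OPTIONS:
            if opt not in r.options:
                findings.append(f"account {r.control} pam_sss.so: missing {opt}")
    return findings


def add_account_options(text):
    """Return the policy with missing ignore_* options appended to the
    account-facility pam_sss.so line(s); every other line is left as-is."""
    out = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "account" and parts[2].endswith("pam_sss.so"):
            missing = [o for o in ACCOUNT_SSS_OPTIONS if o not in parts[3:]]
            raw = raw.rstrip() + "".join(" " + o for o in missing)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint_sss_policy(parse_policy(POLICY_AS_POSTED)):
        print("finding:", finding)
    print(add_account_options(POLICY_AS_POSTED))
```

Run against the posted policy it reports exactly one finding, the missing ignore_authinfo_unavail on the account line; the rewritten policy passes clean. The module basename comparison is deliberate so that both the bare pam_sss.so and the /usr/local/lib/pam_sss.so spelling used on FreeBSD are recognised.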
Lukas Slebodnik lslebodn@redhat.com wrote on 14 November 2016 at 10:04:
On (13/11/16 16:03), ronnyforberger@ronnyforberger.de wrote:
I found out that /var/run/sss needed mode 0755.
But I still cannot use passwords. My /etc/pam.d/system looks like the following:
What do you mean by "cannot use password"? How do you authenticate: ssh (or login on tty)? Are you able to resolve the user with "getent passwd" or "id"?
I cannot log in using a password or use sudo with a password. Neither by ssh nor by login on tty.
I can see the users through getent passwd and id.
The debug log of pam_sssd.so says:
Nov 13 17:31:59 macy sudo: in openpam_dispatch(): /usr/local/lib/pam_sss.so: pam_sm_authenticate(): authentication error
Nov 13 17:32:01 macy su: in openpam_dispatch(): calling pam_sm_setcred() in /usr/local/lib/pam_sss.so
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_SERVICE
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_USER
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_TTY
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RUSER
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RHOST
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_AUTHTOK
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_OLDAUTHTOK
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_set_data(): entering: 'pam_sss:fd_destructor'
Nov 13 17:32:01 macy su: in pam_set_data(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in openpam_dispatch(): /usr/local/lib/pam_sss.so: pam_sm_setcred(): success
What can be the problem?
Best regards,
Ronny
___________________________________ Ronny Forberger ronnyforberger at ronnyforberger.de PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
On (14/11/16 11:34), Ronny Forberger wrote:
I cannot log in using a password or use sudo with a password. Neither by ssh nor by login on tty.
I can see the users through getent passwd and id.
The debug log of pam_sssd.so says:
Those messages are from syslog. You need to find a problem in sssd logs. https://fedorahosted.org/sssd/wiki/Troubleshooting
LS
Lukas Slebodnik lslebodn@redhat.com wrote on 14 November 2016 at 11:36:
Those messages are from syslog. You need to find a problem in sssd logs. https://fedorahosted.org/sssd/wiki/Troubleshooting
Ok, here is the PAM log from sssd:
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32816
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [rf@ronnyforberger.de]
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: ronnyforberger.de
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32816
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][ronnyforberger.de]
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_cmd_setcred] (0x0100): entering pam_cmd_setcred
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32816
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [rf@ronnyforberger.de]
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: ronnyforberger.de
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32816
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][ronnyforberger.de]
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32830
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [rf@ronnyforberger.de]
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: ronnyforberger.de
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32830
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [9][ronnyforberger.de]
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32830
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [rf@ronnyforberger.de]
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: ronnyforberger.de
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32830
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Mon Nov 14 17:06:46 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [9][ronnyforberger.de]
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_cmd_setcred] (0x0100): entering pam_cmd_setcred
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32816
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [rf@ronnyforberger.de]
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: ronnyforberger.de
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32816
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Mon Nov 14 17:06:49 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][ronnyforberger.de]
Best regards,
Ronny
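Reading a sssd_pam.log by hand is tedious because each request prints its fields twice (once on entry, once when it is forwarded to the data provider) and the only line that matters for "why did the password fail" is the pam_dp_process_reply status. The following added example, written for this thread and not taken from it or from SSSD, groups the log into requests and pulls out the ones whose backend reply was not 0. The embedded log is a constructed, shortened sample in the same shape as the excerpt above (domain replaced by the placeholder example.test); the status codes are left numeric on purpose, because their meaning depends on the PAM headers SSSD was built against (OpenPAM on FreeBSD numbers PAM_* differently from Linux-PAM).

```python
import re

# Constructed sample modelled on the sssd_pam.log excerpt in this thread:
# a PAM_ACCT_MGMT for su that succeeds, then a PAM_AUTHENTICATE for sudo
# that comes back with a non-zero status. "example.test" is a placeholder.
SAMPLE_PAM_LOG = """\
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32816
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: example.test
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][example.test]
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 32830
(Mon Nov 14 17:06:43 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [9][example.test]
"""

# "(timestamp) [sssd[pam]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[pam\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
REPLY_RE = re.compile(r"received: \[(?P<status>-?\d+)\]\[(?P<domain>[^\]]*)\]")


def parse_pam_log(text):
    """Group log lines into requests. A request opens at a 'pam_cmd_*'
    entry line, collects pam_print_data key/value pairs (the second,
    forwarded copy overwrites the first) and closes at pam_dp_process_reply."""
    requests, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # unrelated or continuation line
        func, msg = m["func"], m["msg"]
        if func.startswith("pam_cmd_") and msg.startswith("entering "):
            current = {"ts": m["ts"], "status": None}
        elif current is None:
            continue
        elif func == "pam_print_data" and ": " in msg:
            key, value = msg.split(": ", 1)
            current[key] = value
        elif func == "pam_dp_process_reply":
            r = REPLY_RE.search(msg)
            if r:
                current["status"] = int(r["status"])
                current["domain"] = r["domain"]
            requests.append(current)
            current = None
    return requests


def failed_requests(requests):
    """Requests whose backend reply was not 0 (PAM_SUCCESS). Decode the
    number with the host's PAM headers (security/pam_constants.h on
    FreeBSD); OpenPAM and Linux-PAM do not share the same numbering."""
    return [r for r in requests if r["status"] not in (None, 0)]


def levels_seen(text):
    """Distinct debug-level tags in the log. A single value means only
    one debug category is being written, so failure details are missing."""
    return {int(m["level"], 16) for m in map(LINE_RE.match, text.splitlines()) if m}


if __name__ == "__main__":
    for r in failed_requests(parse_pam_log(SAMPLE_PAM_LOG)):
        print(f'{r["ts"]}: {r["command"]} for {r["user"]} via {r["service"]} -> status {r["status"]}')
    print("debug levels present:", sorted(hex(v) for v in levels_seen(SAMPLE_PAM_LOG)))
```

On the sample this prints the sudo PAM_AUTHENTICATE with status 9 and reports a single debug level, 0x100. That second result is the practical takeaway: the log shows that a request failed, but at this debug level nothing explains why, so the next step is the sssd.conf debug_level rather than more reading of this file.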
On (14/11/16 17:09), Ronny Forberger wrote:
Lukas Slebodnik lslebodn@redhat.com wrote on 14 November 2016 at 11:36:
Ok, here is the PAM log from sssd:
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
There are only log messages from debug_level 0x0100.
I assume you set "debug_level = 0x0100" in the pam section. But 0x0100 is bitmask style and does not include debug messages with a lower debug level.
Could you set "debug_level = 0x03f0" or the non-bitmask version "debug_level = 7"?
Please attach the sssd_pam.log and sssd_$domain.log files as attachments to the mail.
LS
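The distinction made above (0x0100 is a single category bit, while the old-style digit 7 switches on every category up to 7) is easy to get wrong when editing sssd.conf. The following is an added example for this thread, not code from it or from SSSD: it turns a debug_level string into the set of categories that will actually be logged and checks whether the failure categories are among them. The bit values are the ones listed in sssd.conf(5) as I recall them, and the rule for telling an old-style level from a bitmask (non-zero low nibble means old-style) is my assumption of the documented behaviour; newer releases define further bits, so confirm against the man page of the installed version.

```python
# Category bits of SSSD's debug_level as listed in sssd.conf(5) (recalled,
# not quoted from this thread). The old-style digit N enables every
# category with level <= N, so "5" is the same as 0x03f0.
SSSD_DEBUG_CATEGORIES = (
    (0, 0x0010, "fatal failures"),
    (1, 0x0020, "critical failures"),
    (2, 0x0040, "serious failures"),
    (3, 0x0080, "minor failures"),
    (4, 0x0100, "configuration settings"),
    (5, 0x0200, "function data"),
    (6, 0x0400, "trace messages for operation functions"),
    (7, 0x1000, "trace messages for internal control functions"),
    (8, 0x2000, "contents of function-internal variables"),
    (9, 0x4000, "extremely low-level tracing"),
)

# Levels 0..3: the lines that actually say why an authentication failed.
FAILURE_BITS = 0x00F0


def effective_mask(setting):
    """Bitmask SSSD will log for a debug_level value from sssd.conf.
    Assumed rule: a value whose low nibble is non-zero ("7", "10") is an
    old-style cumulative level; anything else ("0x0100", "0x03f0") is a
    bitmask and is used verbatim."""
    value = int(setting.strip(), 0)
    if value != 0 and value & 0x000F == 0:
        return value
    return sum(bit for level, bit, _ in SSSD_DEBUG_CATEGORIES if level <= value)


def describe(mask):
    """Human-readable list of the categories enabled in a bitmask."""
    return [name for _, bit, name in SSSD_DEBUG_CATEGORIES if mask & bit]


def logs_failures(setting):
    """True when the setting enables all four failure categories, which is
    the minimum needed to see why pam_sss rejected a password."""
    return effective_mask(setting) & FAILURE_BITS == FAILURE_BITS


if __name__ == "__main__":
    for setting in ("0x0100", "0x03f0", "7"):
        mask = effective_mask(setting)
        print(f"debug_level = {setting:7} -> 0x{mask:04x}, "
              f"failures logged: {logs_failures(setting)}")
        for name in describe(mask):
            print("    ", name)
```

With the pam section set to 0x0100 the only category enabled is "configuration settings", which is exactly what the excerpt above shows; 0x03f0 and 7 both include the four failure categories. Note that int(…, 0) rejects digit strings with a leading zero, so pass the value exactly as it appears in sssd.conf.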
Lukas Slebodnik lslebodn@redhat.com wrote on 14 November 2016 at 17:18:
There are only log messages from debug_level 0x0100.
I assume you set "debug_level = 0x0100" in the pam section. But 0x0100 is bitmask style and does not include debug messages with a lower debug level.
Could you set "debug_level = 0x03f0" or the non-bitmask version "debug_level = 7"?
Please attach the sssd_pam.log and sssd_$domain.log files as attachments to the mail.
Here is the log file.
Best regards, Ronny
On (14/11/16 17:25), Ronny Forberger wrote:
Lukas Slebodnik lslebodn@redhat.com wrote on 14 November 2016 at 17:18:
On (14/11/16 17:09), Ronny Forberger wrote:
Lukas Slebodnik lslebodn@redhat.com hat am 14. November 2016 um 11:36 geschrieben:
On (14/11/16 11:34), Ronny Forberger wrote:
Lukas Slebodnik lslebodn@redhat.com hat am 14. November 2016 um 10:04 geschrieben:
On (13/11/16 16:03), ronnyforberger@ronnyforberger.de wrote: >I found out, that /var/run/sss needed mode 0755. > >But I still cannot use passwords. >My /etc/pam.d/system looks like the following: > What do you meand by cannot use password? How do you authenticate ssh (or login on tty) Are you able to resolve user with "getent passwd" or "id"?
I cannot login using password or use sudo using password. Neigher by ssh, login on tty.
I can see the users through getent passwd and id.
The debug log of pam_sssd.so says:
Nov 13 17:31:59 macy sudo: in openpam_dispatch(): /usr/local/lib/pam_sss.so: pam_sm_authenticate(): authentication error
Nov 13 17:32:01 macy su: in openpam_dispatch(): calling pam_sm_setcred() in /usr/local/lib/pam_sss.so
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_SERVICE
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_USER
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_TTY
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RUSER
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RHOST
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_AUTHTOK
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_OLDAUTHTOK
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_set_data(): entering: 'pam_sss:fd_destructor'
Nov 13 17:32:01 macy su: in pam_set_data(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in openpam_dispatch(): /usr/local/lib/pam_sss.so: pam_sm_setcred(): success
Those messages are from syslog. You need to find the problem in the sssd logs. https://fedorahosted.org/sssd/wiki/Troubleshooting
Ok, here is the PAM log from sssd:
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Nov 14 17:06:41 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
There are just log messages from debug_level 0x0100.
I assume you set "debug_level = 0x0100" in the pam section. But 0x0100 is bitmask style and does not contain debug messages with a lower debug level.
Could you set "debug_level = 0x03f0" or the non-bitmask version "debug_level = 7"?
Please attach the sssd_pam.log and sssd_$domain.log files as attachments to the mail.
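As an added illustration of the point above (not SSSD's own code): sssd log lines carry their own level tag, such as (0x0100) or (0x0200), and a bitmask debug_level keeps a line only when its bit is set in the mask, so "debug_level = 0x0100" keeps nothing but (0x0100) lines. The level-to-bit table follows sssd.conf(5); the expansion of the non-bitmask integer form ("7") into bits 0..7 is an assumption to check against the man page of the installed version, and the sample log lines are constructed in the format of the sssd_pam.log quoted in this thread.

```python
"""Which sssd log lines survive a given debug_level setting.

Added illustration, not SSSD code.  LEVEL_BITS follows sssd.conf(5); the
non-bitmask form is assumed to enable every level up to and including N.
"""
import re

# (non-bitmask level, bitmask bit, meaning) as documented in sssd.conf(5)
LEVEL_BITS = [
    (0, 0x0010, "fatal failures"),
    (1, 0x0020, "critical failures"),
    (2, 0x0040, "serious failures"),
    (3, 0x0080, "minor failures"),
    (4, 0x0100, "configuration settings"),
    (5, 0x0200, "function data"),
    (6, 0x0400, "trace messages for operation functions"),
    (7, 0x1000, "trace messages for internal control functions"),
    (8, 0x2000, "contents of function-internal variables"),
    (9, 0x4000, "extremely low-level tracing"),
]


def parse_debug_level(value: str) -> int:
    """Effective bitmask for a debug_level value ("0x03f0" or "7")."""
    value = value.strip()
    if value.lower().startswith("0x"):
        return int(value, 16)                 # bitmask form is taken literally
    n = int(value)                            # assumption: N means levels 0..N
    return sum(bit for lvl, bit, _ in LEVEL_BITS if lvl <= n)


def enabled_levels(mask: int):
    """Human-readable list of the message classes a mask lets through."""
    return [desc for _, bit, desc in LEVEL_BITS if mask & bit]


# the "(0x0100): " tag between the function name and the message text
LINE_RE = re.compile(r"\] \((0x[0-9a-fA-F]{4})\): ")


def line_level(line: str):
    m = LINE_RE.search(line)
    return int(m.group(1), 16) if m else None


def filter_lines(lines, debug_level: str):
    """Keep the lines whose level bit is set in the configured mask."""
    mask = parse_debug_level(debug_level)
    kept = []
    for line in lines:
        lvl = line_level(line)
        if lvl is not None and lvl & mask:
            kept.append(line)
    return kept


# constructed sample in the format of the thread's sssd_pam.log
SAMPLE_LOG = [
    "(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate",
    "(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0",
    "(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].",
    "(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [9].",
    "(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_process_reply] (0x0400): [constructed trace message]",
    "(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_initgr_cache_set] (0x0010): [constructed fatal message]",
]

if __name__ == "__main__":
    for setting in ("0x0100", "0x03f0", "7"):
        mask = parse_debug_level(setting)
        print(f"debug_level = {setting} -> {mask:#06x} {enabled_levels(mask)}")
        for line in filter_lines(SAMPLE_LOG, setting):
            print("   ", line)
```

With "0x0100" only the two configuration-settings lines remain, which is exactly what the quoted log showed; "0x03f0" adds the (0x0200) function-data lines and the (0x0010) fatal line but still drops (0x0400) traces.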
Here is the log file.
Best regards, Ronny
LS
Ronny Forberger ronnyforberger at ronnyforberger.de PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [monitor_common_send_id] (0x0100): Sending ID: (pam,1)
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\]+)\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\]+)$))].
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_fqnames_init] (0x0100): Found the pattern for domain name
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,PAM)
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sysdb_domain_init_internal] (0x0200): DB File for ronnyforberger.de: /var/db/sss/cache_ronnyforberger.de.ldb
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Mon Nov 14 17:23:02 2016) [sssd[pam]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'rf' matched without domain, user is rf
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [rf@ronnyforberger.de]
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: ronnyforberger.de
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][ronnyforberger.de]
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 34
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_cmd_setcred] (0x0100): entering pam_cmd_setcred
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'rf' matched without domain, user is rf
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [rf@ronnyforberger.de]
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: ronnyforberger.de
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36168
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][ronnyforberger.de]
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 34
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'rf' matched without domain, user is rf
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36187
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [rf@ronnyforberger.de]
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: ronnyforberger.de
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36187
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [9][ronnyforberger.de]
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [9].
Authentication for "sudo" failed here. 9 is the return code for PAM_AUTH_ERR.
I could also see the same problem with authentication for the "dovecot" service and the same user "rf". But I could not see any attempt at authentication with ssh or login (tty). I would recommend starting to test with something simpler than sudo.
BTW, more details should be available in the domain log file: https://fedorahosted.org/sssd/wiki/Troubleshooting#TroubleshootingAuthentica...
LS
On Mon, Nov 14, 2016 at 10:00:27PM +0100, Lukas Slebodnik wrote:
On (14/11/16 17:25), Ronny Forberger wrote:
Lukas Slebodnik lslebodn@redhat.com wrote on 14 November 2016 at 17:18:
On (14/11/16 17:09), Ronny Forberger wrote:
Lukas Slebodnik lslebodn@redhat.com wrote on 14 November 2016 at 11:36:
On (14/11/16 11:34), Ronny Forberger wrote:
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
"authtok type: 0" means that no password was sent; you should see a '1' here for password authentication.
Have you been prompted for a password? Depending on where pam_sss is used in the PAM configuration you have to use different options. E.g. if there is a PAM module called before pam_sss which prompts for a password, you have to use the 'use_first_pass' option to tell pam_sss not to prompt for a password. If pam_sss is the first module which prompts for a password, you should add 'forward_pass' to tell pam_sss to keep the password in the PAM data so that other PAM modules can use it as well (if needed). Please see man pam_sss for details.
HTH
bye, Sumit
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
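The use_first_pass / forward_pass behaviour described in the reply above, as an added toy model (not SSSD or OpenPAM code): the auth stack mirrors the pam_opie / pam_sss / pam_unix lines of the /etc/pam.d/system quoted earlier in this thread, the account tables and passwords are constructed, control flags follow the usual sufficient/required/requisite rules, and only a module carrying forward_pass publishes a prompted password to the modules after it (a simplification of real PAM_AUTHTOK handling). It shows that a pam_sss with use_first_pass but no earlier prompting module fails without ever asking for a password (the "authtok type: 0" outcome), and that forward_pass is what lets a later try_first_pass module reuse the password instead of prompting a second time.

```python
"""Toy model of a PAM "auth" stack illustrating use_first_pass / forward_pass.

Added illustration, not SSSD or OpenPAM code.  Accounts, passwords and the
pam_extra module are constructed; PAM_AUTHTOK sharing is simplified to
"only forward_pass publishes a prompted password".
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

PAM_SUCCESS = 0
PAM_AUTH_ERR = 9     # the [9] in the thread's "pam_reply called with result [9]"

# constructed account databases: rf exists only in AD (served by pam_sss)
SSS_USERS = {"rf": "Secret1"}
UNIX_USERS = {"root": "toor"}
OPIE_USERS: Set[str] = set()


@dataclass
class Handle:
    """Stand-in for the PAM handle: user, shared PAM_AUTHTOK and a fake terminal."""
    user: str
    typed: List[str]                 # what the terminal answers to successive prompts
    authtok: Optional[str] = None    # PAM_AUTHTOK item shared along the stack
    prompts: int = 0

    def prompt(self) -> str:
        self.prompts += 1
        return self.typed.pop(0) if self.typed else ""


@dataclass
class Module:
    name: str
    control: str                              # sufficient | required | requisite
    knows: Callable[[str], bool]              # does the backend have this user?
    verify: Callable[[str, str], bool]        # is this the user's password?
    opts: Set[str] = field(default_factory=set)

    def authenticate(self, h: Handle) -> int:
        if not self.knows(h.user):
            return PAM_AUTH_ERR       # e.g. pam_opie no_fake_prompts: fail, no prompt
        prompted = False
        if "use_first_pass" in self.opts:
            if h.authtok is None:     # nothing on the stack and never prompts:
                return PAM_AUTH_ERR   # the "authtok type: 0" outcome
            password = h.authtok
        elif "try_first_pass" in self.opts and h.authtok is not None:
            password = h.authtok
        else:
            password = h.prompt()
            prompted = True
        if prompted and "forward_pass" in self.opts:
            h.authtok = password      # leave it for the modules that follow
        return PAM_SUCCESS if self.verify(h.user, password) else PAM_AUTH_ERR


def run_stack(stack: List[Module], h: Handle) -> Tuple[int, int]:
    """Walk the stack; returns (final PAM result, number of password prompts)."""
    required_failed = False
    for m in stack:
        rc = m.authenticate(h)
        if m.control == "requisite" and rc != PAM_SUCCESS:
            return rc, h.prompts
        if m.control == "required" and rc != PAM_SUCCESS:
            required_failed = True
        if m.control == "sufficient" and rc == PAM_SUCCESS and not required_failed:
            return PAM_SUCCESS, h.prompts
    return (PAM_AUTH_ERR if required_failed else PAM_SUCCESS), h.prompts


def thread_stack(sss_opts: Set[str]) -> List[Module]:
    """The auth lines of the /etc/pam.d/system quoted in this thread."""
    return [
        Module("pam_opie", "sufficient", lambda u: u in OPIE_USERS, lambda u, p: False),
        Module("pam_sss", "sufficient", lambda u: u in SSS_USERS,
               lambda u, p: SSS_USERS.get(u) == p, set(sss_opts)),
        Module("pam_unix", "required", lambda u: u in UNIX_USERS,
               lambda u, p: UNIX_USERS.get(u) == p, {"try_first_pass"}),
    ]


def chained_stack(sss_opts: Set[str]) -> List[Module]:
    """pam_sss followed by a constructed module that also needs the password."""
    return [
        Module("pam_sss", "required", lambda u: u in SSS_USERS,
               lambda u, p: SSS_USERS.get(u) == p, set(sss_opts)),
        Module("pam_extra", "required", lambda u: True, lambda u, p: p != "",
               {"try_first_pass"}),
    ]


if __name__ == "__main__":
    print("thread stack, pam_sss prompts itself:",
          run_stack(thread_stack(set()), Handle("rf", ["Secret1"])))
    print("thread stack, use_first_pass with no earlier prompt:",
          run_stack(thread_stack({"use_first_pass"}), Handle("rf", ["Secret1"])))
    print("chained, without forward_pass (asked twice):",
          run_stack(chained_stack(set()), Handle("rf", ["Secret1", "Secret1"])))
    print("chained, with forward_pass (asked once):",
          run_stack(chained_stack({"forward_pass"}), Handle("rf", ["Secret1"])))
```

In the stack from the thread pam_opie with no_fake_prompts never asks a user without OPIE keys anything, so pam_sss is the first prompting module; giving it use_first_pass there produces an immediate PAM_AUTH_ERR with zero prompts, while forward_pass only matters once another password-consuming module follows it.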
Sumit Bose sbose@redhat.com wrote on 15 November 2016 at 10:05:
On Mon, Nov 14, 2016 at 10:00:27PM +0100, Lukas Slebodnik wrote:
On (14/11/16 17:25), Ronny Forberger wrote:
Lukas Slebodnik lslebodn@redhat.com wrote on 14 November 2016 at 17:18:
On (14/11/16 17:09), Ronny Forberger wrote:
Lukas Slebodnik lslebodn@redhat.com wrote on 14 November 2016 at 11:36:
On (14/11/16 11:34), Ronny Forberger wrote:
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate (Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'rf' matched without domain, user is rf (Mon Nov 14 17:23:09 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)] (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0 (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36187 (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [rf@ronnyforberger.de] (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: ronnyforberger.de (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/0 (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: rf (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] 
(0x0100): rhost: not set (Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
"authtok type: 0" means that no password was sent; you should see a '1' here for password authentication.
Have you been prompted for a password? Depending on where pam_sss is used in the PAM configuration you have to use different options. E.g. if there is a PAM module called before pam_sss which prompts for a password you have to use the 'use_first_pass' option to tell pam_sss not to prompt for a password. If pam_sss is the first module which prompts for a password you should add 'forward_pass' to tell pam_sss to keep the password in the PAM data so that other PAM modules can use it as well (if needed). Please see man pam_sss for details.
It was the permissions on /etc/krb5.conf and /usr/local/etc/krb5.conf.
Thanks.
Best regards, Ronny
HTH
bye, Sumit
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 36187
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [9][ronnyforberger.de]
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [9].
Authentication for "sudo" failed here. 9 is the return code PAM_AUTH_ERR.
I could also see the same problem with authentication for the "dovecot" service and the same user "rf". But I could not see any attempt at authentication with ssh or login(tty). I would recommend starting to test with something simpler rather than sudo.
BTW more details should be available in the domain log file: https://fedorahosted.org/sssd/wiki/Troubleshooting#TroubleshootingAuthentica...
LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
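The two signs Sumit and Lukas read off the log above (an "authtok type: 0" on a PAM_AUTHENTICATE request, meaning no password reached pam_sss, and a non-zero pam_reply result) are easy to miss in a long pam responder log. The following Python script is an added example, not code from the thread or from SSSD: it groups the log into PAM requests and reports both symptoms per request. The sample log lines are constructed to mirror the quoted log (the failing sudo request, plus a successful su account check and a healthy sshd authentication for contrast). The result-code table assumes FreeBSD's OpenPAM numbering, where PAM_AUTH_ERR is 9 as Lukas says; Linux-PAM numbers PAM_AUTH_ERR as 7, so the table has to be swapped on a Linux host.

```python
import re

# Constructed sample modelled on the log quoted in the thread; not the original log.
SAMPLE_LOG = """\
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: ronnyforberger.de
(Mon Nov 14 17:23:07 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: ronnyforberger.de
(Mon Nov 14 17:23:09 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [9].
(Mon Nov 14 17:25:00 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Mon Nov 14 17:25:00 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Nov 14 17:25:00 2016) [sssd[pam]] [pam_print_data] (0x0100): user: rf
(Mon Nov 14 17:25:00 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Mon Nov 14 17:25:00 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Mon Nov 14 17:25:00 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
"""

# Log line shape: (<timestamp>) [sssd[pam]] [<function>] (<debug level>): <message>
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[pam\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
KV_RE = re.compile(r"^(?P<key>[a-z_ ]+): (?P<value>.*)$")
RESULT_RE = re.compile(r"pam_reply called with result \[(?P<code>\d+)\]")

# OpenPAM (FreeBSD) numbering, which is what the "9" in the thread refers to.
# Assumption: only the codes the thread mentions are listed; Linux-PAM numbers
# PAM_AUTH_ERR as 7, so replace this table when reading a Linux host's log.
OPENPAM_CODES = {0: "PAM_SUCCESS", 9: "PAM_AUTH_ERR"}


def parse_requests(log_text):
    """Group log lines into PAM requests.

    A request starts at 'entering pam_cmd_*' and ends at 'pam_reply called with
    result [N]'. pam_print_data is emitted twice per request (the incoming
    request, then the copy forwarded to the data provider), so later values
    overwrite earlier ones; the second copy is the one carrying the domain.
    """
    requests = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines or unrelated output
        func, msg = m.group("func"), m.group("msg")
        if func.startswith("pam_cmd_") and msg.startswith("entering "):
            current = {"start": m.group("ts")}
            continue
        if current is None:
            continue
        if func == "pam_print_data":
            kv = KV_RE.match(msg)
            if kv:
                current[kv.group("key")] = kv.group("value")
        elif func == "pam_reply":
            r = RESULT_RE.search(msg)
            if r:
                current["result"] = int(r.group("code"))
                requests.append(current)
                current = None
    return requests


def diagnose(requests):
    """Return one human-readable finding per suspicious request."""
    findings = []
    for req in requests:
        who = (f"{req.get('command')} for user {req.get('user')} "
               f"via service {req.get('service')}")
        # authtok type 0 on an authenticate call: pam_sss never saw a password,
        # which points at use_first_pass/forward_pass ordering in the PAM stack.
        if req.get("command") == "PAM_AUTHENTICATE" and req.get("authtok type") == "0":
            findings.append(f"{who}: authtok type 0, no password reached pam_sss "
                            "(check use_first_pass/forward_pass in the PAM stack)")
        code = req.get("result")
        if code not in (None, 0):
            name = OPENPAM_CODES.get(code, f"unknown code {code}")
            findings.append(f"{who}: pam_reply result {code} ({name})")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_requests(SAMPLE_LOG)):
        print(finding)
```

Run against a real pam responder log, the script needs debug_level set high enough for pam_print_data lines to appear, as in the quoted log; at lower levels only the pam_reply results are available.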
___________________________________
Ronny Forberger
ronnyforberger at ronnyforberger.de
PGP: http://www.ronnyforberger.de/pgp/email-encryption.html