I have been trying to resolve this problem for a couple weeks and tried hundreds of iterations without success. I will try to be brief and concise.
(1) I have a centos 6.4 openldap-2.4.35 server configured for ssh authentication with a test account "localjoe".
dn: uid=localjoe,ou=internal,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
cn: CN=localjoe,ou=internal,dc=example,dc=com
sn: localjoe
userPassword: {MD5}KRVE5i0tSdtSdBLzZ6h3VnR4dk4
description: posix acct
ou: internal
uid: localjoe
uidNumber: 103418
gidNumber: 100
loginShell: /bin/bash
homeDirectory: /tmp
(2) I have an ubuntu ldap client system (zander) and can ssh localjoe@zander successfully.
(3) I have a centos 6.4 sssd ldap client system (argot) and cannot ssh localjoe@argot.
(4) The client (argot) /var/log/secure reports:
------------------------------------------------------------
Aug 21 07:56:39 argot sshd[9640]: pam_succeed_if(sshd:auth): error retrieving information about user localjoe
Aug 21 07:56:41 argot sshd[9640]: Failed password for invalid user localjoe from XX.XX.XX.XX port 50380 ssh2
Aug 21 07:56:44 argot sshd[9641]: Connection closed by XX.XX.XX.XX
Aug 21 07:59:47 argot sshd[9688]: Invalid user localjoe from XX.XX.XX.XX
Aug 21 07:59:47 argot sshd[9689]: input_userauth_request: invalid user localjoe
Aug 21 07:59:51 argot sshd[9688]: pam_unix(sshd:auth): check pass; user unknown
Aug 21 07:59:51 argot sshd[9688]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=argot
(5) The client (argot) sssd log file reports:
-------------------------------------------------------
(Wed Aug 21 08:27:45 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(6) "getent passwd" works with the nslcd daemon running but "getent -s sss passwd" does not work.
(7) ldapsearch (as per the example from this mailing list) works ok:
--------------------------------------------------------------------------------
[root@argot security]# ldapsearch -x -LLL '(&(uid=localjoe)(objectClass=posixAccount))' uidnumber homedirectory gidnumber loginshell
dn: uid=localjoe,ou=internal,dc=example,dc=com
uidNumber: 103418
gidNumber: 100
loginShell: /bin/bash
homeDirectory: /tmp
I wonder if anyone has heard of similar problems with centos 6.4 sssd ldap client and might have a suggestion.
thanks, John.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 08/21/2013 12:24 PM, John Uhlig wrote:
It would be very helpful if you could include your sssd.conf. I strongly suspect that you have a typo in your configuration somewhere.
thanks. I have tried SHA1 before - no difference.
On 08/21/2013 10:02 AM, Stephen Gallagher wrote:
oops! please excuse previous reply re: SHA1. John.
I have included the sssd.conf file. I have tried to keep it as simple as possible but have tried several iterations on it as well.
-------------------------
[domain/default]
debug_level = 9
ldap_id_use_start_tls = True
ldap_search_base = ou=internal,dc=parc,dc=com
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://pldap.parc.com/
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand

[sssd]
services = nss, pam
config_file_version = 2
enumerate = True
domains = default

[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
On 08/21/2013 01:58 PM, John Uhlig wrote:
I have to ask the obvious question: does it work if you set 'ldap_tls_reqcert = allow'? This could suggest that your /etc/openldap/cacerts directory isn't properly set up. You may have forgotten to run 'cacertdir_rehash /etc/openldap/cacerts' or to put the CA cert in that directory at all.
I'd like to see more of the SSSD logs than just (Wed Aug 21 08:27:45 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
because that's not a useful piece of the log (it doesn't tell me what it tried to do before it failed). Including the preceding 50-100 lines would be better.
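As an added example (not code from the thread or from the SSSD project): a small linter that reads an sssd.conf laid out like the one John posted and reports option placement and LDAP TLS findings, including the `allow` versus `demand` distinction Stephen raises above. The per-section option lists are the linter's own assumptions drawn from sssd.conf(5), the two configuration texts are constructed copies (one as posted, one tidied), and nothing here claims to be the cause of the failure in this thread.

```python
"""Lint an sssd.conf for option placement and LDAP TLS settings.
Added example, not sssd project code; option names follow sssd.conf(5) but the
per-section lists are the linter's own, so unknown options are only flagged to check.
"""
import configparser

# [sssd]-section options this linter recognises (assumed subset of sssd.conf(5)).
SSSD_SECTION_OPTIONS = {"services", "config_file_version", "domains", "debug_level",
                        "reconnection_retries", "sbus_timeout", "re_expression", "try_inotify"}
# Domain options that are easy to drop into [sssd] by mistake, where they are not applied.
DOMAIN_ONLY_OPTIONS = {"enumerate", "cache_credentials", "id_provider", "auth_provider",
                       "chpass_provider", "access_provider", "ldap_uri", "ldap_search_base"}
REQCERT_VALUES = {"never", "allow", "try", "demand", "hard"}


def lint_sssd_conf(text):
    """Return a list of (severity, section, message); an empty list means no findings."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("sssd"):
        return [("error", "sssd", "missing [sssd] section")]
    findings = []
    for opt in cp.options("sssd"):
        if opt in DOMAIN_ONLY_OPTIONS:
            findings.append(("error", "sssd", f"'{opt}' is a domain option; in [sssd] it is not applied"))
        elif opt not in SSSD_SECTION_OPTIONS:
            findings.append(("warn", "sssd", f"'{opt}' is not in this linter's [sssd] list; check sssd.conf(5)"))
    listed = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    defined = [s.split("/", 1)[1] for s in cp.sections() if s.startswith("domain/")]
    for d in listed:
        if d not in defined:
            findings.append(("error", "sssd", f"domains= names '{d}' but there is no [domain/{d}] section"))
    for d in defined:
        sec = f"domain/{d}"
        opts = {k: v.strip() for k, v in cp.items(sec)}
        if "id_provider" not in opts:
            findings.append(("error", sec, "id_provider is required"))
        providers = {opts.get(k) for k in ("id_provider", "auth_provider", "chpass_provider", "access_provider")}
        krb5_opts = sorted(k for k in opts if k.startswith("krb5_"))
        if krb5_opts and "krb5" not in providers:
            findings.append(("info", sec, f"{', '.join(krb5_opts)} set but no provider is krb5, so they are unused"))
        if "ldap" in providers:
            uris = [u.strip() for u in opts.get("ldap_uri", "").split(",")]
            start_tls = opts.get("ldap_id_use_start_tls", "false").lower() == "true"
            if any(u.startswith("ldap://") for u in uris) and not start_tls:
                findings.append(("warn", sec, "ldap:// without ldap_id_use_start_tls = True: lookups go in plaintext"))
            reqcert = opts.get("ldap_tls_reqcert", "hard").lower()  # sssd.conf(5) default is hard
            if reqcert not in REQCERT_VALUES:
                findings.append(("error", sec, f"ldap_tls_reqcert = {reqcert!r} is not a valid value"))
            elif reqcert in ("never", "allow"):
                findings.append(("warn", sec, f"ldap_tls_reqcert = {reqcert}: server certificate not verified; debugging only"))
            elif not (opts.get("ldap_tls_cacert") or opts.get("ldap_tls_cacertdir")):
                findings.append(("info", sec, "no ldap_tls_cacert/ldap_tls_cacertdir; trust relies on OpenLDAP client defaults"))
    return findings


# Constructed copy of the configuration posted in the thread (empty service sections omitted).
POSTED_CONF = """\
[domain/default]
debug_level = 9
ldap_id_use_start_tls = True
ldap_search_base = ou=internal,dc=parc,dc=com
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://pldap.parc.com/
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand

[sssd]
services = nss, pam
config_file_version = 2
enumerate = True
domains = default
"""

# Constructed tidied version: enumerate moved into the domain, unused krb5_* options dropped.
TIDIED_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://pldap.parc.com/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
enumerate = True
"""

if __name__ == "__main__":
    for label, conf in (("as posted", POSTED_CONF), ("tidied", TIDIED_CONF)):
        print(label, lint_sssd_conf(conf) or "no findings")
```

Run against the posted text it reports two things: `enumerate` sits in `[sssd]` although sssd.conf(5) documents it as a domain option, and the `krb5_*` settings are dead weight while every provider is `ldap`. Flipping `ldap_tls_reqcert` to `allow`, as Stephen suggests for a test, produces the expected warning that the server certificate is no longer verified, which is why that setting should only ever be temporary.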
thanks for your prompt reply. I have attached the sssd-default logfile.
The cacert dir has been rehashed using cacertdir_rehash command.
I have tried the "ldap_tls_cacert" parameter as well - no luck.
I have also tried TLS and SSL ldap client configs - again - no luck.
I believe I have done the openssl and ldapsearch tests as per the sssd and ldap web docs to confirm that the certificates and TLS are working correctly.
John.
On 08/21/2013 11:01 AM, Stephen Gallagher wrote:
On 08/21/2013 02:25 PM, John Uhlig wrote:
According to that log, the user was retrieved successfully and added to the cache:
(Wed Aug 21 11:04:00 2013) [sssd[be[default]]] [sdap_get_users_process] (0x4000): Saving 1 Users - Done
The line: (Wed Aug 21 11:04:00 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
is actually just informational (it means that we've hit the end of the loop through lookups we're performing).
So what exactly do you see when you run 'getent passwd localjoe'?
On Wed, Aug 21, 2013 at 02:25:20PM -0400, Stephen Gallagher wrote:
Also, what log message (if any) do you see in /var/log/secure coming from the pam_sss module?
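An added example, not from the thread or from SSSD, of the triage Stephen and Jakub are walking John through. The /var/log/secure lines John posted say "Invalid user" and "error retrieving information about user", which means sshd never resolved localjoe through NSS, so no password was checked against anything; that is a different failure from a user who resolves and is then rejected by pam_sss, which is what Jakub's question about pam_sss messages would reveal. The script groups sshd lines by PID and gives each session one verdict. The first seven sample lines are the ones from the thread; the pam_sss and "Accepted" lines are constructed to model the other outcomes, and their wording is an assumption modelled on the pam_unix lines above.

```python
"""Triage sshd/PAM lines from /var/log/secure, one verdict per sshd PID.

Added example, not from the thread or from SSSD. It separates the case the
thread shows (sshd could not resolve the user through NSS, so no password was
ever checked) from a user that resolved and was then rejected by pam_sss.
"""
import re
from collections import defaultdict

# Syslog shape of /var/log/secure on CentOS 6: "Aug 21 07:56:39 argot sshd[9640]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# (evidence tag, pattern); first match wins, so the 'invalid user' form of
# "Failed password" must precede the generic one.
PATTERNS = [
    ("nss_lookup_failed", re.compile(r"^Invalid user (?P<user>\S+) from ")),
    ("nss_lookup_failed", re.compile(r"^input_userauth_request: invalid user (?P<user>\S+)")),
    ("nss_lookup_failed", re.compile(r"^pam_succeed_if\(sshd:auth\): error retrieving information about user (?P<user>\S+)")),
    ("nss_lookup_failed", re.compile(r"^pam_unix\(sshd:auth\): check pass; user unknown")),
    ("nss_lookup_failed", re.compile(r"^Failed password for invalid user (?P<user>\S+) from ")),
    ("pam_sss_reached", re.compile(r"^pam_sss\(sshd:auth\): authentication failure;.*\buser=(?P<user>\S+)")),
    ("pam_sss_reached", re.compile(r"^pam_sss\(sshd:auth\): received for user (?P<user>\S+):")),
    ("password_rejected", re.compile(r"^Failed password for (?P<user>\S+) from ")),
    ("accepted", re.compile(r"^Accepted \S+ for (?P<user>\S+) from ")),
]

# Verdict codes and the next thing to check for each.
HINTS = {
    "ACCEPTED": "login succeeded",
    "NSS_LOOKUP_FAILED": "sshd never resolved the user: check 'getent passwd <user>' and the sss entry in /etc/nsswitch.conf first",
    "PAM_SSS_REJECTED": "user resolved, pam_sss rejected the credentials: read the sssd pam and domain logs",
    "PASSWORD_REJECTED": "user resolved, password rejected by the PAM stack",
}


def parse_line(line):
    """Split a syslog line into fields and tag its message; None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["tag"], rec["user"] = None, None
    for tag, pat in PATTERNS:
        pm = pat.match(rec["msg"])
        if pm:
            rec["tag"], rec["user"] = tag, pm.groupdict().get("user")
            break
    return rec


def triage(lines):
    """Return {pid: {"user", "code", "hint"}} for every sshd PID that produced tagged evidence."""
    sessions = defaultdict(lambda: {"user": None, "tags": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prog"] != "sshd" or rec["tag"] is None:
            continue
        s = sessions[rec["pid"]]
        s["tags"].add(rec["tag"])
        s["user"] = s["user"] or rec["user"]
    verdicts = {}
    for pid, s in sessions.items():
        if "accepted" in s["tags"]:
            code = "ACCEPTED"
        elif "nss_lookup_failed" in s["tags"]:      # identity lookup failed; the password is irrelevant
            code = "NSS_LOOKUP_FAILED"
        elif "pam_sss_reached" in s["tags"]:
            code = "PAM_SSS_REJECTED"
        else:
            code = "PASSWORD_REJECTED"
        verdicts[pid] = {"user": s["user"], "code": code, "hint": HINTS[code]}
    return verdicts


# Sample input: the first seven lines are those posted in the thread; the last four are
# constructed to model a user that resolves but fails in pam_sss, and a successful login.
SAMPLE_LINES = [
    "Aug 21 07:56:39 argot sshd[9640]: pam_succeed_if(sshd:auth): error retrieving information about user localjoe",
    "Aug 21 07:56:41 argot sshd[9640]: Failed password for invalid user localjoe from XX.XX.XX.XX port 50380 ssh2",
    "Aug 21 07:56:44 argot sshd[9641]: Connection closed by XX.XX.XX.XX",
    "Aug 21 07:59:47 argot sshd[9688]: Invalid user localjoe from XX.XX.XX.XX",
    "Aug 21 07:59:47 argot sshd[9689]: input_userauth_request: invalid user localjoe",
    "Aug 21 07:59:51 argot sshd[9688]: pam_unix(sshd:auth): check pass; user unknown",
    "Aug 21 07:59:51 argot sshd[9688]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=argot",
    "Aug 21 08:10:02 argot sshd[9700]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX user=localjoe",
    "Aug 21 08:10:02 argot sshd[9700]: pam_sss(sshd:auth): received for user localjoe: 7 (Authentication failure)",
    "Aug 21 08:10:04 argot sshd[9700]: Failed password for localjoe from XX.XX.XX.XX port 50400 ssh2",
    "Aug 21 08:12:30 argot sshd[9710]: Accepted password for localjoe from XX.XX.XX.XX port 50410 ssh2",
]

if __name__ == "__main__":
    for pid, v in sorted(triage(SAMPLE_LINES).items()):
        print(f"sshd[{pid}] user={v['user']}: {v['code']} - {v['hint']}")
```

The ordering of the verdict chain is the point: once a session carries any "invalid user" evidence, a later "Failed password" line is noise, because sshd was testing a password for an account it could not even look up. That is why the first thing to do on argot is `getent passwd localjoe`, exactly as Stephen asks, and only if that returns the entry does pam_sss logging become the next place to look.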
Thanks Jakub.
I have received some follow up help from another person on this list who pointed that out to me as well. The problem seems to go deeper or possibly leads back to the openldap server. If I find any notable evidence or a solution I will post further.
John.
On 08/22/2013 01:25 AM, Jakub Hrozek wrote:
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users