Off the top, the LDAP server can not resolve in DNS, so it's setting the LDAP server
name to the IP, the IP is not in your cert as a SAN that I can see.
On 12/07/2022 12:10 AM Jarett DeAngelis
<starkruzr(a)gmail.com> wrote:
Hi Sumit,
Thank you! You made me realize I never updated PAM using authconfig. `sudo authconfig
--enablesssdauth --enablesssd --updateall --enablemkhomedir` took care of it.
Do you have any insights as to what is going on with the newer (Ubuntu 22.04)
machine's attempts to authenticate? SSSD logs are pretty clear that there is an
"unknown error" with TLS communication despite the OpenLDAP server appearing to
communicate normally -- OpenSSL 3.0 freezes, basically, while trying to connect, as seen
here:
(2022-12-07 7:17:24): [be[default]] [check_if_online_delayed] (0x2000): [RID#1010]
Trying to go back online!
(2022-12-07 7:17:24): [be[default]] [fo_reset_services] (0x1000): [RID#1010]
Resetting all servers in all services
(2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1010]
Marking server '10.8.8.60' as 'name not resolved'
(2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0100): [RID#1010]
Marking port 636 of server '10.8.8.60' as 'neutral'
(2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0400): [RID#1010]
Marking port 636 of duplicate server '10.8.8.60' as 'neutral'
(2022-12-07 7:17:24): [be[default]] [dp_attach_req] (0x0400): [RID#1011] DP Request
[Online Check #1011]: REQ_TRACE: New request. Flags [0000].
(2022-12-07 7:17:24): [be[default]] [dp_attach_req] (0x0400): [RID#1011] Number of
active DP request: 1
(2022-12-07 7:17:24): [be[default]] [fo_resolve_service_send] (0x0100): [RID#1011]
Trying to resolve service 'LDAP'
(2022-12-07 7:17:24): [be[default]] [get_server_status] (0x1000): [RID#1011] Status
of server '10.8.8.60' is 'name not resolved'
(2022-12-07 7:17:24): [be[default]] [get_port_status] (0x1000): [RID#1011] Port
status of port 636 for server '10.8.8.60' is 'neutral'
(2022-12-07 7:17:24): [be[default]] [fo_resolve_service_activate_timeout] (0x2000):
[RID#1011] Resolve timeout [dns_resolver_timeout] set to 6 seconds
(2022-12-07 7:17:24): [be[default]] [get_server_status] (0x1000): [RID#1011] Status
of server '10.8.8.60' is 'name not resolved'
(2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1011]
Marking server '10.8.8.60' as 'resolving name'
(2022-12-07 7:17:24): [be[default]] [check_if_online_delayed] (0x2000): [RID#1010]
Check online req created.
(2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1011]
Marking server '10.8.8.60' as 'name resolved'
(2022-12-07 7:17:24): [be[default]] [be_resolve_server_process] (0x1000): [RID#1011]
Saving the first resolved server
(2022-12-07 7:17:24): [be[default]] [be_resolve_server_process] (0x0200): [RID#1011]
Found address for server 10.8.8.60: [10.8.8.60] TTL 7200
(2022-12-07 7:17:24): [be[default]] [sdap_uri_callback] (0x0400): [RID#1011]
Constructed uri 'ldaps://10.8.8.60:636'
(2022-12-07 7:17:24): [be[default]] [sssd_async_socket_init_send] (0x4000):
[RID#1011] Using file descriptor [21] for the connection.
(2022-12-07 7:17:24): [be[default]] [sssd_async_socket_init_send] (0x0400):
[RID#1011] Setting 60 seconds timeout [ldap_network_timeout] for connecting
(2022-12-07 7:17:24): [be[default]] [sss_ldap_init_sys_connect_done] (0x0020):
[RID#1011] ldap_install_tls failed: [Connect error] [unknown error]
(2022-12-07 7:17:24): [be[default]] [sss_ldap_init_state_destructor] (0x0400):
[RID#1011] calling ldap_unbind_ext for ldap:[0x560819ad2470] sd:[21]
(2022-12-07 7:17:24): [be[default]] [sss_ldap_init_state_destructor] (0x0400):
[RID#1011] closing socket [21]
(2022-12-07 7:17:24): [be[default]] [sdap_sys_connect_done] (0x0020): [RID#1011]
sdap_async_connect_call request failed: [5]: Input/output error.
(2022-12-07 7:17:24): [be[default]] [sdap_handle_release] (0x2000): [RID#1011]
Trace: sh[0x560819af04f0], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0],
release_memory[0]
(2022-12-07 7:17:24): [be[default]] [_be_fo_set_port_status] (0x8000): [RID#1011]
Setting status: PORT_NOT_WORKING. Called from:
../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_done: 1633
(2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0100): [RID#1011]
Marking port 636 of server '10.8.8.60' as 'not working'
If you look at it with `openssl s_client`, it freezes right here:
root@ldapclient:/home/sysop# openssl s_client -connect 10.8.8.60:636
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = CompanyInternal
verify return:1
depth=0 O = CompanyInternal, CN = ldapserver00.clab.lab
verify return:1
---
Certificate chain
0 s:O = CompanyInternal, CN = ldapserver00.clab.lab
i:CN = CompanyInternal
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
v:NotBefore: Nov 1 22:06:32 2022 GMT; NotAfter: Oct 29 22:06:32 2032 GMT
1 s:CN = CompanyInternal
i:CN = CompanyInternal
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
v:NotBefore: Nov 1 22:04:14 2022 GMT; NotAfter: Oct 29 22:04:14 2032 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIERzCCAi+gAwIBAgIUN7zSoFEoRKwSie9d3DoobHH60x4wDQYJKoZIhvcNAQEM
BQAwEjEQMA4GA1UEAxMHQmlvVGVhbTAeFw0yMjExMDEyMjA2MzJaFw0zMjEwMjky
MjA2MzJaMDIxEDAOBgNVBAoTB0Jpb1RlYW0xHjAcBgNVBAMTFWxkYXBzZXJ2ZXIw
MC5jbGFiLmxhYjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKBtDPgT
e8wr/sxg+oUiMDvyuROnxEMDvF8LRwhQianBxqQuwuZulvVLXBgWyVRyNjInUDXU
q1Hbf2JVXVkMufO/VjRIlF4lRPC/sgu1srxUdRvddBEO9t8inAMlJ0dvGOaZBwS7
fKK3+YeIRSleRbXS6ta2shvwxrDTWhiEPL4dgdeD+7J9ll4cbbuHW0YZJvlRJ9xD
VHy70qcZn6ZyDXQt83Mbf78RLioK78S0dKW6eOACKHHSexIGcP8bZOX43XTZJHME
Y7jFSBaMVF+pa0eRj6pTA6U2sFg4puWC1Xkt++1Wpnq9YdB9CqOII3UvdlPVoOHH
oGQ6CmDmIR908kUCAwEAAaN1MHMwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggr
BgEFBQcDATAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0OBBYEFHKk9dZu3nxATWKqJlXK
0ekuoRfkMB8GA1UdIwQYMBaAFCTD8jhauoaHVQBgCHanPoW83kRxMA0GCSqGSIb3
DQEBDAUAA4ICAQCUA72TzDR5evZpTbZAoxZ4O3Xr+gKphB7HHQ4BNZ+zW/AV/rEW
DLTnm3XQ+KPp/1jb1uSsKGqLqQ462rzzYQ5SU98/GxZM8xRxWyTq+wjLFcaUZ93V
HVSm38Y77aK+uhw2qpiMeiKzW/M4UwUYQM4trKMSzBiQz46UPKkzihL5JR/TCcKj
LrT+OhYcbIDfdnf0+jvB75eiWiQXrsX1B0VRVnFR4FqJSH8kD71OLWno9UlTpmWB
xkDrWTW5xJAb+lJT12PRRg8cMRg/GtQSIo8PAPdrm/D6aBQsRtGm8KvIleBgo5FR
htlMVzNyfq35ck8WhjyMQBwegJEbMBDSpYootdNrs5sOtv+CA6qDH6CsatYKr/ke
bu3s167q0x/RAAROcdA6+7eMyrrVyZjv4tqPzfYdLvOg6o7m3kBy1BL56flbd+je
wX4RJvNoQKGrZxKRsfKgS7cJCo3QEoV/RbOzTof3QZ4G+lLE15lI9v9Ad6aaX+Gt
oLHAqxIE1Wld/fmBTBgLL9K5NFfvfINczNLJw/+X3f6e6IjQgT743oJZ4BaNyGn6
3YT5EgDAz5hgM4BhOMovUBVgcFsUdZkH3dHrX9OrdgmP737IXlp7tuo8/J0DMPgr
e2I0qGBqCu03PBYl8G4iwF/7UKFy6cyB1srefQPoVQ0//iPQIB5p6LOhUQ==
-----END CERTIFICATE-----
subject=O = CompanyInternal, CN = ldapserver00.clab.lab
issuer=CN = CompanyInternal
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2932 bytes and written 373 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 21BBA066E20DCEE0C99DA1EF0EA17A9F474DCB10993529D776A053A32EEDB728
Session-ID-ctx:
Resumption PSK:
6AC936C1645C80A5DDE93B179632FE59A4AEB15D3E3876B4385C01F769087C6D409E818BE582E550B3261CEED468423B
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 60 81 05 60 76 ea 36 36-e4 97 99 63 43 38 8a 2b `..`v.66...cC8.+
0010 - 24 95 56 e5 af 76 a6 d2-60 82 fa d4 72 91 53 b5 $.V..v..`...r.S.
0020 - 4e fc 0d 13 b8 52 97 2a-40 13 83 7d cf 3f 51 aa N....R.*@..}.?Q.
0030 - 96 f5 76 ca 14 c1 e7 e4-1d b7 39 53 d9 ee 19 89 ..v.......9S....
0040 - fd eb e0 d9 9f 8d 33 3b-97 cd 1d 0d 8c a4 f4 f4 ......3;........
0050 - 6f ab c2 49 59 b4 1c 67-78 b9 4c 93 03 2d 5c ff o..IY..gx.L..-\.
0060 - a9 19 c8 36 a8 23 1b 3c-45 5e 6e 69 f7 8c c4 bb ...6.#.<E^ni....
0070 - d9 d2 a9 86 92 f0 98 94-68 aa eb f2 18 ab ef 59 ........h......Y
0080 - 55 96 43 ad 64 06 26 93-c1 41 8c 2b ce db bb fa U.C.d.&..A.+....
0090 - 9d 9f b3 71 fe cc ec d1-f5 e0 02 a8 70 b9 10 3c ...q........p..<
00a0 - 42 32 60 d4 ac 94 ce 76-89 3a 0e 6c 95 43 22 e4 B2`....v.:.l.C".
00b0 - 89 a4 11 a9 24 a3 9a b4-3e 85 ee bb 1f 07 2f e0 ....$...>...../.
00c0 - bf 45 a2 2e 78 a4 51 9f-34 0e e4 87 a8 b4 c3 2a .E..x.Q.4......*
Start Time: 1670399902
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: BBCD67A75D02D4E8A29FC1BC72AF66A58F589AABA8DCF321B809AEDC2F1100EE
Session-ID-ctx:
Resumption PSK:
2B9BBE1D73BEA62DBB0CDAFE6D25B09FB69F9D53DB02645AA889674CA7D28FF66C8D025F5ECE2015EE228AB9C1A178E9
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 60 81 05 60 76 ea 36 36-e4 97 99 63 43 38 8a 2b `..`v.66...cC8.+
0010 - 82 ee b5 24 8c 46 a1 ce-81 14 07 fa 50 57 67 78 ...$.F......PWgx
0020 - da 6a b0 d8 df 43 d8 fd-74 67 13 61 37 36 e5 ab .j...C..tg.a76..
0030 - cd 3d 32 95 95 55 a0 47-f1 d8 4a 7c 27 aa 64 7d .=2..U.G..J|'.d}
0040 - 26 0d 60 8e 29 9c a9 40-6d 6f 59 c1 ab 6a e3 d4 &.`.)..@moY..j..
0050 - cb cb 96 05 51 46 48 f8-6b 67 53 10 47 30 36 24 ....QFH.kgS.G06$
0060 - f4 ea 62 f7 ac dc 64 b9-10 4e 62 17 75 3a 55 c9 ..b...d..Nb.u:U.
0070 - 73 98 41 c6 68 6e ee b9-62 e5 19 71 a1 df 05 62 s.A.hn..b..q...b
0080 - 7d 1a 30 dc 46 77 b3 c6-5b b6 fa 4f 2f 34 31 fa }.0.Fw..[..O/41.
0090 - bf 1e 9e 26 b8 ff 95 d3-69 7b de c3 91 34 06 6a ...&....i{...4.j
00a0 - 9e 2c ee 36 08 9f db 1f-28 44 ef 21 07 74 a8 9b .,.6....(D.!.t..
00b0 - bd 55 f6 8b cb 11 bb 5f-7f 71 ba eb 15 1e 1e 70 .U....._.q.....p
00c0 - 36 3e 9d ce 42 2c 60 6d-d0 7f de 60 4a a9 80 da 6>..B,`m...`J...
Start Time: 1670399902
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
^-- it stops there. I understand hanging and waiting for further communication is
normal behavior , but I don't think this is where it's supposed to stop.
Obviously, CentOS 7 with its older version of SSL has no trouble connecting. One
difference is that on CentOS 7 it says "Secure Renegotiation IS supported."
TIA for any help.
Thanks,
Jarett
> > On Dec 7, 2022, at 12:50 AM, Sumit Bose <sbose(a)redhat.com
mailto:sbose@redhat.com > wrote:
>
> Am Tue, Dec 06, 2022 at 05:14:34PM -0600 schrieb Jarett DeAngelis:
>
> > > > Hi,
> >
> > I am trying to get SSSD to authenticate against an OpenLDAP
directory. I have "debug_level" turned up to 10 but have not been able to figure
out what the problem is based on the log.
> >
> > On an Ubuntu 22.04 system I have found that something with TLS is
broken when it tries to connect to OpenLDAP, which is why it has failed on that system --
I think this is related to the OS moving to OpenSSL 3 but have not been able to figure out
how to fix it.
> >
> > On this CentOS 7 system, you can see that it can find the user, can
get properties from the user, but still fails the user login without, as far as I can
tell, explaining why.
> >
> > I have pasted our sssd.conf below, and here is a link to my
Nextcloud instance where I am hosting the relevant portion of the log (it was too big for
me to be able to paste it into Pastebin):
https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD<https://check...
> >
> > > > Hi,
>
> there is no authentication attempt covered in the log file. Are you sure
> pam_sss.so is included in your PAM configuration and called for the
> specific user?
>
> bye,
> Sumit
>
>
> > > > Hoping someone can help us get to the bottom
of this.
> >
> > Thanks.
> >
> > Here is our sssd.conf:
> >
> > [sssd]
> > services = nss, pam
> > config_file_version = 2
> > domains = default
> > certificate_verification = no_verification
> >
> > [nss]
> >
> > [pam]
> > offline_credentials_expiration = 60
> >
> > [domain/default]
> > debug_level = 10
> > ldap_id_use_start_tls = False
> > cache_credentials = True
> > ldap_search_base = ou=users,dc=clab,dc=lab
> > id_provider = ldap
> > auth_provider = ldap
> > chpass_provider = ldap
> > access_provider = ldap
> > ldap_uri = ldaps://10.8.8.60:636
> > ldap_default_bind_dn = cn=admin,dc=clab,dc=lab
> > ldap_default_authtok = definitelyverysecurepassword
> > ldap_tls_reqcert = allow
> > ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt
> > ldap_tls_cacertdir = /usr/local/share/ca-certificates
> > ldap_tls_cert = /etc/ldap/ldapserver00_slapd_cert.pem
> > certificate_verification = no_verification
> > ldap_search_timeout = 50
> > ldap_network_timeout = 60
> > ldap_access_order = filter
> > ldap_access_filter = (objectClass=posixAccount)
> > override_homedir = /home/%U
> > override_shell = /bin/bash
> > ldap_user_name = uid
> > auto_private_groups = true
> > sudo_provider = none
> > ldap_account_expire_policy = nds
> > ldap_passwd_policy = shadow
> >
> > > >
> > > > _______________________________________________
> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
mailto:sssd-users@lists.fedorahosted.org
> > To unsubscribe send an email to
sssd-users-leave(a)lists.fedorahosted.org mailto:sssd-users-leave@lists.fedorahosted.org
> > Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> > Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
> >
> > > > _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
mailto:sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
mailto:sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
>
> >
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue