Hi,
I am trying to get SSSD to authenticate against an OpenLDAP directory. I have "debug_level" turned up to 10 but have not been able to figure out what the problem is based on the log.
On an Ubuntu 22.04 system I have found that something with TLS is broken when it tries to connect to OpenLDAP, which is why it has failed on that system -- I think this is related to the OS moving to OpenSSL 3 but have not been able to figure out how to fix it.
On this CentOS 7 system, you can see that it can find the user, can get properties from the user, but still fails the user login without, as far as I can tell, explaining why.
I have pasted our sssd.conf below, and here is a link to my Nextcloud instance where I am hosting the relevant portion of the log (it was too big for me to be able to paste it into Pastebin): https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD
Hoping someone can help us get to the bottom of this.
Thanks.
Here is our sssd.conf:
[sssd] services = nss, pam config_file_version = 2 domains = default certificate_verification = no_verification
[nss]
[pam] offline_credentials_expiration = 60
[domain/default] debug_level = 10 ldap_id_use_start_tls = False cache_credentials = True ldap_search_base = ou=users,dc=clab,dc=lab id_provider = ldap auth_provider = ldap chpass_provider = ldap access_provider = ldap ldap_uri = ldaps://10.8.8.60:636 ldap_default_bind_dn = cn=admin,dc=clab,dc=lab ldap_default_authtok = definitelyverysecurepassword ldap_tls_reqcert = allow ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt ldap_tls_cacertdir = /usr/local/share/ca-certificates ldap_tls_cert = /etc/ldap/ldapserver00_slapd_cert.pem certificate_verification = no_verification ldap_search_timeout = 50 ldap_network_timeout = 60 ldap_access_order = filter ldap_access_filter = (objectClass=posixAccount) override_homedir = /home/%U override_shell = /bin/bash ldap_user_name = uid auto_private_groups = true sudo_provider = none ldap_account_expire_policy = nds ldap_passwd_policy = shadow
Am Tue, Dec 06, 2022 at 05:14:34PM -0600 schrieb Jarett DeAngelis:
Hi,
I am trying to get SSSD to authenticate against an OpenLDAP directory. I have "debug_level" turned up to 10 but have not been able to figure out what the problem is based on the log.
On an Ubuntu 22.04 system I have found that something with TLS is broken when it tries to connect to OpenLDAP, which is why it has failed on that system -- I think this is related to the OS moving to OpenSSL 3 but have not been able to figure out how to fix it.
On this CentOS 7 system, you can see that it can find the user, can get properties from the user, but still fails the user login without, as far as I can tell, explaining why.
I have pasted our sssd.conf below, and here is a link to my Nextcloud instance where I am hosting the relevant portion of the log (it was too big for me to be able to paste it into Pastebin): https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD
Hi,
there is no authentication attempt covered in the log file. Are you sure pam_sss.so is included in your PAM configuration and called for the specific user?
bye, Sumit
Hoping someone can help us get to the bottom of this.
Thanks.
Here is our sssd.conf:
[sssd] services = nss, pam config_file_version = 2 domains = default certificate_verification = no_verification
[nss]
[pam] offline_credentials_expiration = 60
[domain/default] debug_level = 10 ldap_id_use_start_tls = False cache_credentials = True ldap_search_base = ou=users,dc=clab,dc=lab id_provider = ldap auth_provider = ldap chpass_provider = ldap access_provider = ldap ldap_uri = ldaps://10.8.8.60:636 ldap_default_bind_dn = cn=admin,dc=clab,dc=lab ldap_default_authtok = definitelyverysecurepassword ldap_tls_reqcert = allow ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt ldap_tls_cacertdir = /usr/local/share/ca-certificates ldap_tls_cert = /etc/ldap/ldapserver00_slapd_cert.pem certificate_verification = no_verification ldap_search_timeout = 50 ldap_network_timeout = 60 ldap_access_order = filter ldap_access_filter = (objectClass=posixAccount) override_homedir = /home/%U override_shell = /bin/bash ldap_user_name = uid auto_private_groups = true sudo_provider = none ldap_account_expire_policy = nds ldap_passwd_policy = shadow
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Hi Sumit,
Thank you! You made me realize I never updated PAM using authconfig. `sudo authconfig --enablesssdauth --enablesssd --updateall --enablemkhomedir` took care of it.
Do you have any insights as to what is going on with the newer (Ubuntu 22.04) machine's attempts to authenticate? SSSD logs are pretty clear that there is an "unknown error" with TLS communication despite the OpenLDAP server appearing to communicate normally -- OpenSSL 3.0 freezes, basically, while trying to connect, as seen here:
(2022-12-07 7:17:24): [be[default]] [check_if_online_delayed] (0x2000): [RID#1010] Trying to go back online! (2022-12-07 7:17:24): [be[default]] [fo_reset_services] (0x1000): [RID#1010] Resetting all servers in all services (2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1010] Marking server '10.8.8.60' as 'name not resolved' (2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0100): [RID#1010] Marking port 636 of server '10.8.8.60' as 'neutral' (2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0400): [RID#1010] Marking port 636 of duplicate server '10.8.8.60' as 'neutral' (2022-12-07 7:17:24): [be[default]] [dp_attach_req] (0x0400): [RID#1011] DP Request [Online Check #1011]: REQ_TRACE: New request. Flags [0000]. (2022-12-07 7:17:24): [be[default]] [dp_attach_req] (0x0400): [RID#1011] Number of active DP request: 1 (2022-12-07 7:17:24): [be[default]] [fo_resolve_service_send] (0x0100): [RID#1011] Trying to resolve service 'LDAP' (2022-12-07 7:17:24): [be[default]] [get_server_status] (0x1000): [RID#1011] Status of server '10.8.8.60' is 'name not resolved' (2022-12-07 7:17:24): [be[default]] [get_port_status] (0x1000): [RID#1011] Port status of port 636 for server '10.8.8.60' is 'neutral' (2022-12-07 7:17:24): [be[default]] [fo_resolve_service_activate_timeout] (0x2000): [RID#1011] Resolve timeout [dns_resolver_timeout] set to 6 seconds (2022-12-07 7:17:24): [be[default]] [get_server_status] (0x1000): [RID#1011] Status of server '10.8.8.60' is 'name not resolved' (2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1011] Marking server '10.8.8.60' as 'resolving name' (2022-12-07 7:17:24): [be[default]] [check_if_online_delayed] (0x2000): [RID#1010] Check online req created. (2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1011] Marking server '10.8.8.60' as 'name resolved' (2022-12-07 7:17:24): [be[default]] [be_resolve_server_process] (0x1000): [RID#1011] Saving the first resolved server (2022-12-07 7:17:24): [be[default]] [be_resolve_server_process] (0x0200): [RID#1011] Found address for server 10.8.8.60: [10.8.8.60] TTL 7200 (2022-12-07 7:17:24): [be[default]] [sdap_uri_callback] (0x0400): [RID#1011] Constructed uri 'ldaps://10.8.8.60:636' (2022-12-07 7:17:24): [be[default]] [sssd_async_socket_init_send] (0x4000): [RID#1011] Using file descriptor [21] for the connection. (2022-12-07 7:17:24): [be[default]] [sssd_async_socket_init_send] (0x0400): [RID#1011] Setting 60 seconds timeout [ldap_network_timeout] for connecting (2022-12-07 7:17:24): [be[default]] [sss_ldap_init_sys_connect_done] (0x0020): [RID#1011] ldap_install_tls failed: [Connect error] [unknown error] (2022-12-07 7:17:24): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#1011] calling ldap_unbind_ext for ldap:[0x560819ad2470] sd:[21] (2022-12-07 7:17:24): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#1011] closing socket [21] (2022-12-07 7:17:24): [be[default]] [sdap_sys_connect_done] (0x0020): [RID#1011] sdap_async_connect_call request failed: [5]: Input/output error. (2022-12-07 7:17:24): [be[default]] [sdap_handle_release] (0x2000): [RID#1011] Trace: sh[0x560819af04f0], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0] (2022-12-07 7:17:24): [be[default]] [_be_fo_set_port_status] (0x8000): [RID#1011] Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_done: 1633 (2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0100): [RID#1011] Marking port 636 of server '10.8.8.60' as 'not working'
If you look at it with `openssl s_client`, it freezes right here:
root@ldapclient:/home/sysop# openssl s_client -connect 10.8.8.60:636 CONNECTED(00000003) Can't use SSL_get_servername depth=1 CN = CompanyInternal verify return:1 depth=0 O = CompanyInternal, CN = ldapserver00.clab.lab verify return:1 --- Certificate chain 0 s:O = CompanyInternal, CN = ldapserver00.clab.lab i:CN = CompanyInternal a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384 v:NotBefore: Nov 1 22:06:32 2022 GMT; NotAfter: Oct 29 22:06:32 2032 GMT 1 s:CN = CompanyInternal i:CN = CompanyInternal a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384 v:NotBefore: Nov 1 22:04:14 2022 GMT; NotAfter: Oct 29 22:04:14 2032 GMT --- Server certificate -----BEGIN CERTIFICATE----- MIIERzCCAi+gAwIBAgIUN7zSoFEoRKwSie9d3DoobHH60x4wDQYJKoZIhvcNAQEM BQAwEjEQMA4GA1UEAxMHQmlvVGVhbTAeFw0yMjExMDEyMjA2MzJaFw0zMjEwMjky MjA2MzJaMDIxEDAOBgNVBAoTB0Jpb1RlYW0xHjAcBgNVBAMTFWxkYXBzZXJ2ZXIw MC5jbGFiLmxhYjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKBtDPgT e8wr/sxg+oUiMDvyuROnxEMDvF8LRwhQianBxqQuwuZulvVLXBgWyVRyNjInUDXU q1Hbf2JVXVkMufO/VjRIlF4lRPC/sgu1srxUdRvddBEO9t8inAMlJ0dvGOaZBwS7 fKK3+YeIRSleRbXS6ta2shvwxrDTWhiEPL4dgdeD+7J9ll4cbbuHW0YZJvlRJ9xD VHy70qcZn6ZyDXQt83Mbf78RLioK78S0dKW6eOACKHHSexIGcP8bZOX43XTZJHME Y7jFSBaMVF+pa0eRj6pTA6U2sFg4puWC1Xkt++1Wpnq9YdB9CqOII3UvdlPVoOHH oGQ6CmDmIR908kUCAwEAAaN1MHMwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggr BgEFBQcDATAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0OBBYEFHKk9dZu3nxATWKqJlXK 0ekuoRfkMB8GA1UdIwQYMBaAFCTD8jhauoaHVQBgCHanPoW83kRxMA0GCSqGSIb3 DQEBDAUAA4ICAQCUA72TzDR5evZpTbZAoxZ4O3Xr+gKphB7HHQ4BNZ+zW/AV/rEW DLTnm3XQ+KPp/1jb1uSsKGqLqQ462rzzYQ5SU98/GxZM8xRxWyTq+wjLFcaUZ93V HVSm38Y77aK+uhw2qpiMeiKzW/M4UwUYQM4trKMSzBiQz46UPKkzihL5JR/TCcKj LrT+OhYcbIDfdnf0+jvB75eiWiQXrsX1B0VRVnFR4FqJSH8kD71OLWno9UlTpmWB xkDrWTW5xJAb+lJT12PRRg8cMRg/GtQSIo8PAPdrm/D6aBQsRtGm8KvIleBgo5FR htlMVzNyfq35ck8WhjyMQBwegJEbMBDSpYootdNrs5sOtv+CA6qDH6CsatYKr/ke bu3s167q0x/RAAROcdA6+7eMyrrVyZjv4tqPzfYdLvOg6o7m3kBy1BL56flbd+je wX4RJvNoQKGrZxKRsfKgS7cJCo3QEoV/RbOzTof3QZ4G+lLE15lI9v9Ad6aaX+Gt oLHAqxIE1Wld/fmBTBgLL9K5NFfvfINczNLJw/+X3f6e6IjQgT743oJZ4BaNyGn6 3YT5EgDAz5hgM4BhOMovUBVgcFsUdZkH3dHrX9OrdgmP737IXlp7tuo8/J0DMPgr e2I0qGBqCu03PBYl8G4iwF/7UKFy6cyB1srefQPoVQ0//iPQIB5p6LOhUQ== -----END CERTIFICATE----- subject=O = CompanyInternal, CN = ldapserver00.clab.lab issuer=CN = CompanyInternal --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 2932 bytes and written 373 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: 21BBA066E20DCEE0C99DA1EF0EA17A9F474DCB10993529D776A053A32EEDB728 Session-ID-ctx: Resumption PSK: 6AC936C1645C80A5DDE93B179632FE59A4AEB15D3E3876B4385C01F769087C6D409E818BE582E550B3261CEED468423B PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 60 81 05 60 76 ea 36 36-e4 97 99 63 43 38 8a 2b `..`v.66...cC8.+ 0010 - 24 95 56 e5 af 76 a6 d2-60 82 fa d4 72 91 53 b5 $.V..v..`...r.S. 0020 - 4e fc 0d 13 b8 52 97 2a-40 13 83 7d cf 3f 51 aa N....R.*@..}.?Q. 0030 - 96 f5 76 ca 14 c1 e7 e4-1d b7 39 53 d9 ee 19 89 ..v.......9S.... 0040 - fd eb e0 d9 9f 8d 33 3b-97 cd 1d 0d 8c a4 f4 f4 ......3;........ 0050 - 6f ab c2 49 59 b4 1c 67-78 b9 4c 93 03 2d 5c ff o..IY..gx.L..-. 0060 - a9 19 c8 36 a8 23 1b 3c-45 5e 6e 69 f7 8c c4 bb ...6.#.<E^ni.... 0070 - d9 d2 a9 86 92 f0 98 94-68 aa eb f2 18 ab ef 59 ........h......Y 0080 - 55 96 43 ad 64 06 26 93-c1 41 8c 2b ce db bb fa U.C.d.&..A.+.... 0090 - 9d 9f b3 71 fe cc ec d1-f5 e0 02 a8 70 b9 10 3c ...q........p..< 00a0 - 42 32 60 d4 ac 94 ce 76-89 3a 0e 6c 95 43 22 e4 B2`....v.:.l.C". 00b0 - 89 a4 11 a9 24 a3 9a b4-3e 85 ee bb 1f 07 2f e0 ....$...>...../. 00c0 - bf 45 a2 2e 78 a4 51 9f-34 0e e4 87 a8 b4 c3 2a .E..x.Q.4......*
Start Time: 1670399902 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCK --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: BBCD67A75D02D4E8A29FC1BC72AF66A58F589AABA8DCF321B809AEDC2F1100EE Session-ID-ctx: Resumption PSK: 2B9BBE1D73BEA62DBB0CDAFE6D25B09FB69F9D53DB02645AA889674CA7D28FF66C8D025F5ECE2015EE228AB9C1A178E9 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 60 81 05 60 76 ea 36 36-e4 97 99 63 43 38 8a 2b `..`v.66...cC8.+ 0010 - 82 ee b5 24 8c 46 a1 ce-81 14 07 fa 50 57 67 78 ...$.F......PWgx 0020 - da 6a b0 d8 df 43 d8 fd-74 67 13 61 37 36 e5 ab .j...C..tg.a76.. 0030 - cd 3d 32 95 95 55 a0 47-f1 d8 4a 7c 27 aa 64 7d .=2..U.G..J|'.d} 0040 - 26 0d 60 8e 29 9c a9 40-6d 6f 59 c1 ab 6a e3 d4 &.`.)..@moY..j.. 0050 - cb cb 96 05 51 46 48 f8-6b 67 53 10 47 30 36 24 ....QFH.kgS.G06$ 0060 - f4 ea 62 f7 ac dc 64 b9-10 4e 62 17 75 3a 55 c9 ..b...d..Nb.u:U. 0070 - 73 98 41 c6 68 6e ee b9-62 e5 19 71 a1 df 05 62 s.A.hn..b..q...b 0080 - 7d 1a 30 dc 46 77 b3 c6-5b b6 fa 4f 2f 34 31 fa }.0.Fw..[..O/41. 0090 - bf 1e 9e 26 b8 ff 95 d3-69 7b de c3 91 34 06 6a ...&....i{...4.j 00a0 - 9e 2c ee 36 08 9f db 1f-28 44 ef 21 07 74 a8 9b .,.6....(D.!.t.. 00b0 - bd 55 f6 8b cb 11 bb 5f-7f 71 ba eb 15 1e 1e 70 .U....._.q.....p 00c0 - 36 3e 9d ce 42 2c 60 6d-d0 7f de 60 4a a9 80 da 6>..B,`m...`J...
Start Time: 1670399902 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCK
^-- it stops there. I understand hanging and waiting for further communication is normal behavior , but I don't think this is where it's supposed to stop.
Obviously, CentOS 7 with its older version of SSL has no trouble connecting. One difference is that on CentOS 7 it says "Secure Renegotiation IS supported."
TIA for any help.
Thanks, Jarett
On Dec 7, 2022, at 12:50 AM, Sumit Bose sbose@redhat.com wrote:
Am Tue, Dec 06, 2022 at 05:14:34PM -0600 schrieb Jarett DeAngelis:
Hi,
I am trying to get SSSD to authenticate against an OpenLDAP directory. I have "debug_level" turned up to 10 but have not been able to figure out what the problem is based on the log.
On an Ubuntu 22.04 system I have found that something with TLS is broken when it tries to connect to OpenLDAP, which is why it has failed on that system -- I think this is related to the OS moving to OpenSSL 3 but have not been able to figure out how to fix it.
On this CentOS 7 system, you can see that it can find the user, can get properties from the user, but still fails the user login without, as far as I can tell, explaining why.
I have pasted our sssd.conf below, and here is a link to my Nextcloud instance where I am hosting the relevant portion of the log (it was too big for me to be able to paste it into Pastebin): https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD<https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD>
Hi,
there is no authentication attempt covered in the log file. Are you sure pam_sss.so is included in your PAM configuration and called for the specific user?
bye, Sumit
Hoping someone can help us get to the bottom of this.
Thanks.
Here is our sssd.conf:
[sssd] services = nss, pam config_file_version = 2 domains = default certificate_verification = no_verification
[nss]
[pam] offline_credentials_expiration = 60
[domain/default] debug_level = 10 ldap_id_use_start_tls = False cache_credentials = True ldap_search_base = ou=users,dc=clab,dc=lab id_provider = ldap auth_provider = ldap chpass_provider = ldap access_provider = ldap ldap_uri = ldaps://10.8.8.60:636 ldap_default_bind_dn = cn=admin,dc=clab,dc=lab ldap_default_authtok = definitelyverysecurepassword ldap_tls_reqcert = allow ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt ldap_tls_cacertdir = /usr/local/share/ca-certificates ldap_tls_cert = /etc/ldap/ldapserver00_slapd_cert.pem certificate_verification = no_verification ldap_search_timeout = 50 ldap_network_timeout = 60 ldap_access_order = filter ldap_access_filter = (objectClass=posixAccount) override_homedir = /home/%U override_shell = /bin/bash ldap_user_name = uid auto_private_groups = true sudo_provider = none ldap_account_expire_policy = nds ldap_passwd_policy = shadow
sssd-users mailing list -- sssd-users@lists.fedorahosted.org mailto:sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org mailto:sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue https://pagure.io/fedora-infrastructure/new_issue
sssd-users mailing list -- sssd-users@lists.fedorahosted.org mailto:sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org mailto:sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue https://pagure.io/fedora-infrastructure/new_issue
Am Wed, Dec 07, 2022 at 02:10:23AM -0600 schrieb Jarett DeAngelis:
Hi Sumit,
Thank you! You made me realize I never updated PAM using authconfig. `sudo authconfig --enablesssdauth --enablesssd --updateall --enablemkhomedir` took care of it.
Do you have any insights as to what is going on with the newer (Ubuntu 22.04) machine's attempts to authenticate? SSSD logs are pretty clear that there is an "unknown error" with TLS communication despite the OpenLDAP server appearing to communicate normally -- OpenSSL 3.0 freezes, basically, while trying to connect, as seen here:
(2022-12-07 7:17:24): [be[default]] [check_if_online_delayed] (0x2000): [RID#1010] Trying to go back online! (2022-12-07 7:17:24): [be[default]] [fo_reset_services] (0x1000): [RID#1010] Resetting all servers in all services (2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1010] Marking server '10.8.8.60' as 'name not resolved' (2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0100): [RID#1010] Marking port 636 of server '10.8.8.60' as 'neutral' (2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0400): [RID#1010] Marking port 636 of duplicate server '10.8.8.60' as 'neutral' (2022-12-07 7:17:24): [be[default]] [dp_attach_req] (0x0400): [RID#1011] DP Request [Online Check #1011]: REQ_TRACE: New request. Flags [0000]. (2022-12-07 7:17:24): [be[default]] [dp_attach_req] (0x0400): [RID#1011] Number of active DP request: 1 (2022-12-07 7:17:24): [be[default]] [fo_resolve_service_send] (0x0100): [RID#1011] Trying to resolve service 'LDAP' (2022-12-07 7:17:24): [be[default]] [get_server_status] (0x1000): [RID#1011] Status of server '10.8.8.60' is 'name not resolved' (2022-12-07 7:17:24): [be[default]] [get_port_status] (0x1000): [RID#1011] Port status of port 636 for server '10.8.8.60' is 'neutral' (2022-12-07 7:17:24): [be[default]] [fo_resolve_service_activate_timeout] (0x2000): [RID#1011] Resolve timeout [dns_resolver_timeout] set to 6 seconds (2022-12-07 7:17:24): [be[default]] [get_server_status] (0x1000): [RID#1011] Status of server '10.8.8.60' is 'name not resolved' (2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1011] Marking server '10.8.8.60' as 'resolving name' (2022-12-07 7:17:24): [be[default]] [check_if_online_delayed] (0x2000): [RID#1010] Check online req created. (2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1011] Marking server '10.8.8.60' as 'name resolved' (2022-12-07 7:17:24): [be[default]] [be_resolve_server_process] (0x1000): [RID#1011] Saving the first resolved server (2022-12-07 7:17:24): [be[default]] [be_resolve_server_process] (0x0200): [RID#1011] Found address for server 10.8.8.60: [10.8.8.60] TTL 7200 (2022-12-07 7:17:24): [be[default]] [sdap_uri_callback] (0x0400): [RID#1011] Constructed uri 'ldaps://10.8.8.60:636' (2022-12-07 7:17:24): [be[default]] [sssd_async_socket_init_send] (0x4000): [RID#1011] Using file descriptor [21] for the connection. (2022-12-07 7:17:24): [be[default]] [sssd_async_socket_init_send] (0x0400): [RID#1011] Setting 60 seconds timeout [ldap_network_timeout] for connecting (2022-12-07 7:17:24): [be[default]] [sss_ldap_init_sys_connect_done] (0x0020): [RID#1011] ldap_install_tls failed: [Connect error] [unknown error] (2022-12-07 7:17:24): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#1011] calling ldap_unbind_ext for ldap:[0x560819ad2470] sd:[21] (2022-12-07 7:17:24): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#1011] closing socket [21] (2022-12-07 7:17:24): [be[default]] [sdap_sys_connect_done] (0x0020): [RID#1011] sdap_async_connect_call request failed: [5]: Input/output error. (2022-12-07 7:17:24): [be[default]] [sdap_handle_release] (0x2000): [RID#1011] Trace: sh[0x560819af04f0], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0] (2022-12-07 7:17:24): [be[default]] [_be_fo_set_port_status] (0x8000): [RID#1011] Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_done: 1633 (2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0100): [RID#1011] Marking port 636 of server '10.8.8.60' as 'not working'
If you look at it with `openssl s_client`, it freezes right here:
Hi,
I think your 'openssl s_client' output looks ok.
I would assume that you are not only using a newer version of OpenSSL but a newer version of OpenLDAP as well which might be more picky when it comes to TLS and certificates.
First I would suggest to not use the IP address of the LDAP server in sssd.conf but the fully qualified name ldapserver00.clab.lab, the one from the CN of your certificate.
If this does not help, please add 'ldap_library_debug_level = -1' to the [domain/...] section of sssd.conf to get the full OpenLDAP debug output which might help to better understand what is missing.
Additionally you can check if the new option TLS_REQSAN is set in ldap.conf on the client to 'demand' or 'hard' which would make the client require a SAN (subject alternative name) in the certificate which yours does not have.
HTH
bye, Sumit
root@ldapclient:/home/sysop# openssl s_client -connect 10.8.8.60:636 CONNECTED(00000003) Can't use SSL_get_servername depth=1 CN = CompanyInternal verify return:1 depth=0 O = CompanyInternal, CN = ldapserver00.clab.lab verify return:1
Certificate chain 0 s:O = CompanyInternal, CN = ldapserver00.clab.lab i:CN = CompanyInternal a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384 v:NotBefore: Nov 1 22:06:32 2022 GMT; NotAfter: Oct 29 22:06:32 2032 GMT 1 s:CN = CompanyInternal i:CN = CompanyInternal a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384 v:NotBefore: Nov 1 22:04:14 2022 GMT; NotAfter: Oct 29 22:04:14 2032 GMT
Server certificate -----BEGIN CERTIFICATE----- MIIERzCCAi+gAwIBAgIUN7zSoFEoRKwSie9d3DoobHH60x4wDQYJKoZIhvcNAQEM BQAwEjEQMA4GA1UEAxMHQmlvVGVhbTAeFw0yMjExMDEyMjA2MzJaFw0zMjEwMjky MjA2MzJaMDIxEDAOBgNVBAoTB0Jpb1RlYW0xHjAcBgNVBAMTFWxkYXBzZXJ2ZXIw MC5jbGFiLmxhYjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKBtDPgT e8wr/sxg+oUiMDvyuROnxEMDvF8LRwhQianBxqQuwuZulvVLXBgWyVRyNjInUDXU q1Hbf2JVXVkMufO/VjRIlF4lRPC/sgu1srxUdRvddBEO9t8inAMlJ0dvGOaZBwS7 fKK3+YeIRSleRbXS6ta2shvwxrDTWhiEPL4dgdeD+7J9ll4cbbuHW0YZJvlRJ9xD VHy70qcZn6ZyDXQt83Mbf78RLioK78S0dKW6eOACKHHSexIGcP8bZOX43XTZJHME Y7jFSBaMVF+pa0eRj6pTA6U2sFg4puWC1Xkt++1Wpnq9YdB9CqOII3UvdlPVoOHH oGQ6CmDmIR908kUCAwEAAaN1MHMwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggr BgEFBQcDATAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0OBBYEFHKk9dZu3nxATWKqJlXK 0ekuoRfkMB8GA1UdIwQYMBaAFCTD8jhauoaHVQBgCHanPoW83kRxMA0GCSqGSIb3 DQEBDAUAA4ICAQCUA72TzDR5evZpTbZAoxZ4O3Xr+gKphB7HHQ4BNZ+zW/AV/rEW DLTnm3XQ+KPp/1jb1uSsKGqLqQ462rzzYQ5SU98/GxZM8xRxWyTq+wjLFcaUZ93V HVSm38Y77aK+uhw2qpiMeiKzW/M4UwUYQM4trKMSzBiQz46UPKkzihL5JR/TCcKj LrT+OhYcbIDfdnf0+jvB75eiWiQXrsX1B0VRVnFR4FqJSH8kD71OLWno9UlTpmWB xkDrWTW5xJAb+lJT12PRRg8cMRg/GtQSIo8PAPdrm/D6aBQsRtGm8KvIleBgo5FR htlMVzNyfq35ck8WhjyMQBwegJEbMBDSpYootdNrs5sOtv+CA6qDH6CsatYKr/ke bu3s167q0x/RAAROcdA6+7eMyrrVyZjv4tqPzfYdLvOg6o7m3kBy1BL56flbd+je wX4RJvNoQKGrZxKRsfKgS7cJCo3QEoV/RbOzTof3QZ4G+lLE15lI9v9Ad6aaX+Gt oLHAqxIE1Wld/fmBTBgLL9K5NFfvfINczNLJw/+X3f6e6IjQgT743oJZ4BaNyGn6 3YT5EgDAz5hgM4BhOMovUBVgcFsUdZkH3dHrX9OrdgmP737IXlp7tuo8/J0DMPgr e2I0qGBqCu03PBYl8G4iwF/7UKFy6cyB1srefQPoVQ0//iPQIB5p6LOhUQ== -----END CERTIFICATE----- subject=O = CompanyInternal, CN = ldapserver00.clab.lab issuer=CN = CompanyInternal
No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits
SSL handshake has read 2932 bytes and written 373 bytes Verification: OK
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok)
Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: 21BBA066E20DCEE0C99DA1EF0EA17A9F474DCB10993529D776A053A32EEDB728 Session-ID-ctx: Resumption PSK: 6AC936C1645C80A5DDE93B179632FE59A4AEB15D3E3876B4385C01F769087C6D409E818BE582E550B3261CEED468423B PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 60 81 05 60 76 ea 36 36-e4 97 99 63 43 38 8a 2b `..`v.66...cC8.+ 0010 - 24 95 56 e5 af 76 a6 d2-60 82 fa d4 72 91 53 b5 $.V..v..`...r.S. 0020 - 4e fc 0d 13 b8 52 97 2a-40 13 83 7d cf 3f 51 aa N....R.*@..}.?Q. 0030 - 96 f5 76 ca 14 c1 e7 e4-1d b7 39 53 d9 ee 19 89 ..v.......9S.... 0040 - fd eb e0 d9 9f 8d 33 3b-97 cd 1d 0d 8c a4 f4 f4 ......3;........ 0050 - 6f ab c2 49 59 b4 1c 67-78 b9 4c 93 03 2d 5c ff o..IY..gx.L..-. 0060 - a9 19 c8 36 a8 23 1b 3c-45 5e 6e 69 f7 8c c4 bb ...6.#.<E^ni.... 0070 - d9 d2 a9 86 92 f0 98 94-68 aa eb f2 18 ab ef 59 ........h......Y 0080 - 55 96 43 ad 64 06 26 93-c1 41 8c 2b ce db bb fa U.C.d.&..A.+.... 0090 - 9d 9f b3 71 fe cc ec d1-f5 e0 02 a8 70 b9 10 3c ...q........p..< 00a0 - 42 32 60 d4 ac 94 ce 76-89 3a 0e 6c 95 43 22 e4 B2`....v.:.l.C". 00b0 - 89 a4 11 a9 24 a3 9a b4-3e 85 ee bb 1f 07 2f e0 ....$...>...../. 00c0 - bf 45 a2 2e 78 a4 51 9f-34 0e e4 87 a8 b4 c3 2a .E..x.Q.4......*
Start Time: 1670399902 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0
read R BLOCK
Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: BBCD67A75D02D4E8A29FC1BC72AF66A58F589AABA8DCF321B809AEDC2F1100EE Session-ID-ctx: Resumption PSK: 2B9BBE1D73BEA62DBB0CDAFE6D25B09FB69F9D53DB02645AA889674CA7D28FF66C8D025F5ECE2015EE228AB9C1A178E9 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 60 81 05 60 76 ea 36 36-e4 97 99 63 43 38 8a 2b `..`v.66...cC8.+ 0010 - 82 ee b5 24 8c 46 a1 ce-81 14 07 fa 50 57 67 78 ...$.F......PWgx 0020 - da 6a b0 d8 df 43 d8 fd-74 67 13 61 37 36 e5 ab .j...C..tg.a76.. 0030 - cd 3d 32 95 95 55 a0 47-f1 d8 4a 7c 27 aa 64 7d .=2..U.G..J|'.d} 0040 - 26 0d 60 8e 29 9c a9 40-6d 6f 59 c1 ab 6a e3 d4 &.`.)..@moY..j.. 0050 - cb cb 96 05 51 46 48 f8-6b 67 53 10 47 30 36 24 ....QFH.kgS.G06$ 0060 - f4 ea 62 f7 ac dc 64 b9-10 4e 62 17 75 3a 55 c9 ..b...d..Nb.u:U. 0070 - 73 98 41 c6 68 6e ee b9-62 e5 19 71 a1 df 05 62 s.A.hn..b..q...b 0080 - 7d 1a 30 dc 46 77 b3 c6-5b b6 fa 4f 2f 34 31 fa }.0.Fw..[..O/41. 0090 - bf 1e 9e 26 b8 ff 95 d3-69 7b de c3 91 34 06 6a ...&....i{...4.j 00a0 - 9e 2c ee 36 08 9f db 1f-28 44 ef 21 07 74 a8 9b .,.6....(D.!.t.. 00b0 - bd 55 f6 8b cb 11 bb 5f-7f 71 ba eb 15 1e 1e 70 .U....._.q.....p 00c0 - 36 3e 9d ce 42 2c 60 6d-d0 7f de 60 4a a9 80 da 6>..B,`m...`J...
Start Time: 1670399902 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0
read R BLOCK
^-- it stops there. I understand hanging and waiting for further communication is normal behavior , but I don't think this is where it's supposed to stop.
Obviously, CentOS 7 with its older version of SSL has no trouble connecting. One difference is that on CentOS 7 it says "Secure Renegotiation IS supported."
TIA for any help.
Thanks, Jarett
On Dec 7, 2022, at 12:50 AM, Sumit Bose sbose@redhat.com wrote:
Am Tue, Dec 06, 2022 at 05:14:34PM -0600 schrieb Jarett DeAngelis:
Hi,
I am trying to get SSSD to authenticate against an OpenLDAP directory. I have "debug_level" turned up to 10 but have not been able to figure out what the problem is based on the log.
On an Ubuntu 22.04 system I have found that something with TLS is broken when it tries to connect to OpenLDAP, which is why it has failed on that system -- I think this is related to the OS moving to OpenSSL 3 but have not been able to figure out how to fix it.
On this CentOS 7 system, you can see that it can find the user, can get properties from the user, but still fails the user login without, as far as I can tell, explaining why.
I have pasted our sssd.conf below, and here is a link to my Nextcloud instance where I am hosting the relevant portion of the log (it was too big for me to be able to paste it into Pastebin): https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD<https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD>
Hi,
there is no authentication attempt covered in the log file. Are you sure pam_sss.so is included in your PAM configuration and called for the specific user?
bye, Sumit
Hoping someone can help us get to the bottom of this.
Thanks.
Here is our sssd.conf:
[sssd] services = nss, pam config_file_version = 2 domains = default certificate_verification = no_verification
[nss]
[pam] offline_credentials_expiration = 60
[domain/default] debug_level = 10 ldap_id_use_start_tls = False cache_credentials = True ldap_search_base = ou=users,dc=clab,dc=lab id_provider = ldap auth_provider = ldap chpass_provider = ldap access_provider = ldap ldap_uri = ldaps://10.8.8.60:636 ldap_default_bind_dn = cn=admin,dc=clab,dc=lab ldap_default_authtok = definitelyverysecurepassword ldap_tls_reqcert = allow ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt ldap_tls_cacertdir = /usr/local/share/ca-certificates ldap_tls_cert = /etc/ldap/ldapserver00_slapd_cert.pem certificate_verification = no_verification ldap_search_timeout = 50 ldap_network_timeout = 60 ldap_access_order = filter ldap_access_filter = (objectClass=posixAccount) override_homedir = /home/%U override_shell = /bin/bash ldap_user_name = uid auto_private_groups = true sudo_provider = none ldap_account_expire_policy = nds ldap_passwd_policy = shadow
sssd-users mailing list -- sssd-users@lists.fedorahosted.org mailto:sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org mailto:sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue https://pagure.io/fedora-infrastructure/new_issue
sssd-users mailing list -- sssd-users@lists.fedorahosted.org mailto:sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org mailto:sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue https://pagure.io/fedora-infrastructure/new_issue
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Off the top, the LDAP server can not resolve in DNS, so it's setting the LDAP server name to the IP, the IP is not in your cert as a SAN that I can see.
On 12/07/2022 12:10 AM Jarett DeAngelis <starkruzr@gmail.com> wrote: Hi Sumit, Thank you! You made me realize I never updated PAM using authconfig. `sudo authconfig --enablesssdauth --enablesssd --updateall --enablemkhomedir` took care of it. Do you have any insights as to what is going on with the newer (Ubuntu 22.04) machine's attempts to authenticate? SSSD logs are pretty clear that there is an "unknown error" with TLS communication despite the OpenLDAP server appearing to communicate normally -- OpenSSL 3.0 freezes, basically, while trying to connect, as seen here: (2022-12-07 7:17:24): [be[default]] [check_if_online_delayed] (0x2000): [RID#1010] Trying to go back online! (2022-12-07 7:17:24): [be[default]] [fo_reset_services] (0x1000): [RID#1010] Resetting all servers in all services (2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1010] Marking server '10.8.8.60' as 'name not resolved' (2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0100): [RID#1010] Marking port 636 of server '10.8.8.60' as 'neutral' (2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0400): [RID#1010] Marking port 636 of duplicate server '10.8.8.60' as 'neutral' (2022-12-07 7:17:24): [be[default]] [dp_attach_req] (0x0400): [RID#1011] DP Request [Online Check #1011]: REQ_TRACE: New request. Flags [0000]. (2022-12-07 7:17:24): [be[default]] [dp_attach_req] (0x0400): [RID#1011] Number of active DP request: 1 (2022-12-07 7:17:24): [be[default]] [fo_resolve_service_send] (0x0100): [RID#1011] Trying to resolve service 'LDAP' (2022-12-07 7:17:24): [be[default]] [get_server_status] (0x1000): [RID#1011] Status of server '10.8.8.60' is 'name not resolved' (2022-12-07 7:17:24): [be[default]] [get_port_status] (0x1000): [RID#1011] Port status of port 636 for server '10.8.8.60' is 'neutral' (2022-12-07 7:17:24): [be[default]] [fo_resolve_service_activate_timeout] (0x2000): [RID#1011] Resolve timeout [dns_resolver_timeout] set to 6 seconds (2022-12-07 7:17:24): [be[default]] [get_server_status] (0x1000): [RID#1011] Status of server '10.8.8.60' is 'name not resolved' (2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1011] Marking server '10.8.8.60' as 'resolving name' (2022-12-07 7:17:24): [be[default]] [check_if_online_delayed] (0x2000): [RID#1010] Check online req created. (2022-12-07 7:17:24): [be[default]] [set_server_common_status] (0x0100): [RID#1011] Marking server '10.8.8.60' as 'name resolved' (2022-12-07 7:17:24): [be[default]] [be_resolve_server_process] (0x1000): [RID#1011] Saving the first resolved server (2022-12-07 7:17:24): [be[default]] [be_resolve_server_process] (0x0200): [RID#1011] Found address for server 10.8.8.60: [10.8.8.60] TTL 7200 (2022-12-07 7:17:24): [be[default]] [sdap_uri_callback] (0x0400): [RID#1011] Constructed uri 'ldaps://10.8.8.60:636' (2022-12-07 7:17:24): [be[default]] [sssd_async_socket_init_send] (0x4000): [RID#1011] Using file descriptor [21] for the connection. (2022-12-07 7:17:24): [be[default]] [sssd_async_socket_init_send] (0x0400): [RID#1011] Setting 60 seconds timeout [ldap_network_timeout] for connecting (2022-12-07 7:17:24): [be[default]] [sss_ldap_init_sys_connect_done] (0x0020): [RID#1011] ldap_install_tls failed: [Connect error] [unknown error] (2022-12-07 7:17:24): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#1011] calling ldap_unbind_ext for ldap:[0x560819ad2470] sd:[21] (2022-12-07 7:17:24): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#1011] closing socket [21] (2022-12-07 7:17:24): [be[default]] [sdap_sys_connect_done] (0x0020): [RID#1011] sdap_async_connect_call request failed: [5]: Input/output error. (2022-12-07 7:17:24): [be[default]] [sdap_handle_release] (0x2000): [RID#1011] Trace: sh[0x560819af04f0], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0] (2022-12-07 7:17:24): [be[default]] [_be_fo_set_port_status] (0x8000): [RID#1011] Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_done: 1633 (2022-12-07 7:17:24): [be[default]] [fo_set_port_status] (0x0100): [RID#1011] Marking port 636 of server '10.8.8.60' as 'not working' If you look at it with `openssl s_client`, it freezes right here: root@ldapclient:/home/sysop# openssl s_client -connect 10.8.8.60:636 CONNECTED(00000003) Can't use SSL_get_servername depth=1 CN = CompanyInternal verify return:1 depth=0 O = CompanyInternal, CN = ldapserver00.clab.lab verify return:1 --- Certificate chain 0 s:O = CompanyInternal, CN = ldapserver00.clab.lab i:CN = CompanyInternal a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384 v:NotBefore: Nov 1 22:06:32 2022 GMT; NotAfter: Oct 29 22:06:32 2032 GMT 1 s:CN = CompanyInternal i:CN = CompanyInternal a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384 v:NotBefore: Nov 1 22:04:14 2022 GMT; NotAfter: Oct 29 22:04:14 2032 GMT --- Server certificate -----BEGIN CERTIFICATE----- MIIERzCCAi+gAwIBAgIUN7zSoFEoRKwSie9d3DoobHH60x4wDQYJKoZIhvcNAQEM BQAwEjEQMA4GA1UEAxMHQmlvVGVhbTAeFw0yMjExMDEyMjA2MzJaFw0zMjEwMjky MjA2MzJaMDIxEDAOBgNVBAoTB0Jpb1RlYW0xHjAcBgNVBAMTFWxkYXBzZXJ2ZXIw MC5jbGFiLmxhYjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKBtDPgT e8wr/sxg+oUiMDvyuROnxEMDvF8LRwhQianBxqQuwuZulvVLXBgWyVRyNjInUDXU q1Hbf2JVXVkMufO/VjRIlF4lRPC/sgu1srxUdRvddBEO9t8inAMlJ0dvGOaZBwS7 fKK3+YeIRSleRbXS6ta2shvwxrDTWhiEPL4dgdeD+7J9ll4cbbuHW0YZJvlRJ9xD VHy70qcZn6ZyDXQt83Mbf78RLioK78S0dKW6eOACKHHSexIGcP8bZOX43XTZJHME Y7jFSBaMVF+pa0eRj6pTA6U2sFg4puWC1Xkt++1Wpnq9YdB9CqOII3UvdlPVoOHH oGQ6CmDmIR908kUCAwEAAaN1MHMwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggr BgEFBQcDATAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0OBBYEFHKk9dZu3nxATWKqJlXK 0ekuoRfkMB8GA1UdIwQYMBaAFCTD8jhauoaHVQBgCHanPoW83kRxMA0GCSqGSIb3 DQEBDAUAA4ICAQCUA72TzDR5evZpTbZAoxZ4O3Xr+gKphB7HHQ4BNZ+zW/AV/rEW DLTnm3XQ+KPp/1jb1uSsKGqLqQ462rzzYQ5SU98/GxZM8xRxWyTq+wjLFcaUZ93V HVSm38Y77aK+uhw2qpiMeiKzW/M4UwUYQM4trKMSzBiQz46UPKkzihL5JR/TCcKj LrT+OhYcbIDfdnf0+jvB75eiWiQXrsX1B0VRVnFR4FqJSH8kD71OLWno9UlTpmWB xkDrWTW5xJAb+lJT12PRRg8cMRg/GtQSIo8PAPdrm/D6aBQsRtGm8KvIleBgo5FR htlMVzNyfq35ck8WhjyMQBwegJEbMBDSpYootdNrs5sOtv+CA6qDH6CsatYKr/ke bu3s167q0x/RAAROcdA6+7eMyrrVyZjv4tqPzfYdLvOg6o7m3kBy1BL56flbd+je wX4RJvNoQKGrZxKRsfKgS7cJCo3QEoV/RbOzTof3QZ4G+lLE15lI9v9Ad6aaX+Gt oLHAqxIE1Wld/fmBTBgLL9K5NFfvfINczNLJw/+X3f6e6IjQgT743oJZ4BaNyGn6 3YT5EgDAz5hgM4BhOMovUBVgcFsUdZkH3dHrX9OrdgmP737IXlp7tuo8/J0DMPgr e2I0qGBqCu03PBYl8G4iwF/7UKFy6cyB1srefQPoVQ0//iPQIB5p6LOhUQ== -----END CERTIFICATE----- subject=O = CompanyInternal, CN = ldapserver00.clab.lab issuer=CN = CompanyInternal --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 2932 bytes and written 373 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: 21BBA066E20DCEE0C99DA1EF0EA17A9F474DCB10993529D776A053A32EEDB728 Session-ID-ctx: Resumption PSK: 6AC936C1645C80A5DDE93B179632FE59A4AEB15D3E3876B4385C01F769087C6D409E818BE582E550B3261CEED468423B PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 60 81 05 60 76 ea 36 36-e4 97 99 63 43 38 8a 2b `..`v.66...cC8.+ 0010 - 24 95 56 e5 af 76 a6 d2-60 82 fa d4 72 91 53 b5 $.V..v..`...r.S. 0020 - 4e fc 0d 13 b8 52 97 2a-40 13 83 7d cf 3f 51 aa N....R.*@..}.?Q. 0030 - 96 f5 76 ca 14 c1 e7 e4-1d b7 39 53 d9 ee 19 89 ..v.......9S.... 0040 - fd eb e0 d9 9f 8d 33 3b-97 cd 1d 0d 8c a4 f4 f4 ......3;........ 0050 - 6f ab c2 49 59 b4 1c 67-78 b9 4c 93 03 2d 5c ff o..IY..gx.L..-\. 0060 - a9 19 c8 36 a8 23 1b 3c-45 5e 6e 69 f7 8c c4 bb ...6.#.<E^ni.... 0070 - d9 d2 a9 86 92 f0 98 94-68 aa eb f2 18 ab ef 59 ........h......Y 0080 - 55 96 43 ad 64 06 26 93-c1 41 8c 2b ce db bb fa U.C.d.&..A.+.... 0090 - 9d 9f b3 71 fe cc ec d1-f5 e0 02 a8 70 b9 10 3c ...q........p..< 00a0 - 42 32 60 d4 ac 94 ce 76-89 3a 0e 6c 95 43 22 e4 B2`....v.:.l.C". 00b0 - 89 a4 11 a9 24 a3 9a b4-3e 85 ee bb 1f 07 2f e0 ....$...>...../. 00c0 - bf 45 a2 2e 78 a4 51 9f-34 0e e4 87 a8 b4 c3 2a .E..x.Q.4......* Start Time: 1670399902 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCK --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: BBCD67A75D02D4E8A29FC1BC72AF66A58F589AABA8DCF321B809AEDC2F1100EE Session-ID-ctx: Resumption PSK: 2B9BBE1D73BEA62DBB0CDAFE6D25B09FB69F9D53DB02645AA889674CA7D28FF66C8D025F5ECE2015EE228AB9C1A178E9 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 60 81 05 60 76 ea 36 36-e4 97 99 63 43 38 8a 2b `..`v.66...cC8.+ 0010 - 82 ee b5 24 8c 46 a1 ce-81 14 07 fa 50 57 67 78 ...$.F......PWgx 0020 - da 6a b0 d8 df 43 d8 fd-74 67 13 61 37 36 e5 ab .j...C..tg.a76.. 0030 - cd 3d 32 95 95 55 a0 47-f1 d8 4a 7c 27 aa 64 7d .=2..U.G..J|'.d} 0040 - 26 0d 60 8e 29 9c a9 40-6d 6f 59 c1 ab 6a e3 d4 &.`.)..@moY..j.. 0050 - cb cb 96 05 51 46 48 f8-6b 67 53 10 47 30 36 24 ....QFH.kgS.G06$ 0060 - f4 ea 62 f7 ac dc 64 b9-10 4e 62 17 75 3a 55 c9 ..b...d..Nb.u:U. 0070 - 73 98 41 c6 68 6e ee b9-62 e5 19 71 a1 df 05 62 s.A.hn..b..q...b 0080 - 7d 1a 30 dc 46 77 b3 c6-5b b6 fa 4f 2f 34 31 fa }.0.Fw..[..O/41. 0090 - bf 1e 9e 26 b8 ff 95 d3-69 7b de c3 91 34 06 6a ...&....i{...4.j 00a0 - 9e 2c ee 36 08 9f db 1f-28 44 ef 21 07 74 a8 9b .,.6....(D.!.t.. 00b0 - bd 55 f6 8b cb 11 bb 5f-7f 71 ba eb 15 1e 1e 70 .U....._.q.....p 00c0 - 36 3e 9d ce 42 2c 60 6d-d0 7f de 60 4a a9 80 da 6>..B,`m...`J... Start Time: 1670399902 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCK ^-- it stops there. I understand hanging and waiting for further communication is normal behavior , but I don't think this is where it's supposed to stop. Obviously, CentOS 7 with its older version of SSL has no trouble connecting. One difference is that on CentOS 7 it says "Secure Renegotiation IS supported." TIA for any help. Thanks, Jarett > > On Dec 7, 2022, at 12:50 AM, Sumit Bose <sbose@redhat.com mailto:sbose@redhat.com > wrote:
Am Tue, Dec 06, 2022 at 05:14:34PM -0600 schrieb Jarett DeAngelis: > > > Hi,
I am trying to get SSSD to authenticate against an OpenLDAP directory. I have "debug_level" turned up to 10 but have not been able to figure out what the problem is based on the log. On an Ubuntu 22.04 system I have found that something with TLS is broken when it tries to connect to OpenLDAP, which is why it has failed on that system -- I think this is related to the OS moving to OpenSSL 3 but have not been able to figure out how to fix it. On this CentOS 7 system, you can see that it can find the user, can get properties from the user, but still fails the user login without, as far as I can tell, explaining why. I have pasted our sssd.conf below, and here is a link to my Nextcloud instance where I am hosting the relevant portion of the log (it was too big for me to be able to paste it into Pastebin): https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD<https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD> > > Hi,
there is no authentication attempt covered in the log file. Are you sure pam_sss.so is included in your PAM configuration and called for the specific user? bye, Sumit > > > Hoping someone can help us get to the bottom of this.
Thanks. Here is our sssd.conf: [sssd] services = nss, pam config_file_version = 2 domains = default certificate_verification = no_verification [nss] [pam] offline_credentials_expiration = 60 [domain/default] debug_level = 10 ldap_id_use_start_tls = False cache_credentials = True ldap_search_base = ou=users,dc=clab,dc=lab id_provider = ldap auth_provider = ldap chpass_provider = ldap access_provider = ldap ldap_uri = ldaps://10.8.8.60:636 ldap_default_bind_dn = cn=admin,dc=clab,dc=lab ldap_default_authtok = definitelyverysecurepassword ldap_tls_reqcert = allow ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt ldap_tls_cacertdir = /usr/local/share/ca-certificates ldap_tls_cert = /etc/ldap/ldapserver00_slapd_cert.pem certificate_verification = no_verification ldap_search_timeout = 50 ldap_network_timeout = 60 ldap_access_order = filter ldap_access_filter = (objectClass=posixAccount) override_homedir = /home/%U override_shell = /bin/bash ldap_user_name = uid auto_private_groups = true sudo_provider = none ldap_account_expire_policy = nds ldap_passwd_policy = shadow > >
> > > _______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org mailto:sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org mailto:sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue > > _______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org mailto:sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org mailto:sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue >
_______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
sssd-users@lists.fedorahosted.org