[389-users] id works, cannot auth though

Doug Tucker tuckerd at lyle.smu.edu
Wed Jan 9 19:12:51 UTC 2013


I still can't seem to figure out how to import my groups to 389 from 
openldap, but the users transferred fine.  However, moving forward, I 
created a group manually in 389 and added my username to the group. Now 
from my client, if I do: id tuckerd, I get the results I'm looking for:

# id tuckerd
uid=4011(tuckerd) gid=500(seasadm) groups=500(seasadm)

However, attempts to log in at the console with tuckerd fail 
authentication.  On this client, in secure.log, I get this:


Jan  9 13:06:18 asteriskvm sshd[4546]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.76.1 user=tuckerd
Jan  9 13:06:18 asteriskvm sshd[4546]: pam_sss(sshd:auth): received for user tuckerd: 4 (System error)
Jan  9 13:06:19 asteriskvm sshd[4546]: Failed password for tuckerd from 172.16.76.1 port 57093 ssh2
Jan  9 13:06:33 asteriskvm sshd[4546]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.76.1 user=tuckerd
Jan  9 13:06:33 asteriskvm sshd[4546]: pam_sss(sshd:auth): received for user tuckerd: 9 (Authentication service cannot retrieve authentication info)
Jan  9 13:06:35 asteriskvm sshd[4546]: Failed password for tuckerd from 172.16.76.1 port 57093 ssh2
Jan  9 13:06:36 asteriskvm sshd[4547]: Connection closed by 172.16.76.1
Jan  9 13:06:36 asteriskvm sshd[4546]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.76.1 user=tuckerd

I have changed the password in 389 for tuckerd and am confident it is 
being typed correctly.

[09/Jan/2013:13:10:48 -0600] conn=2458 fd=64 slot=64 connection from 129.119.103.59 to 129.119.113.231
[09/Jan/2013:13:10:48 -0600] conn=2458 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms defaultnamingcontext lastusn highestcommittedusn aci"
[09/Jan/2013:13:10:48 -0600] conn=2458 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[09/Jan/2013:13:10:48 -0600] conn=2458 op=1 BIND dn="" method=128 version=3
[09/Jan/2013:13:10:48 -0600] conn=2458 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[09/Jan/2013:13:10:48 -0600] conn=2458 op=2 SRCH base="dc=engr,dc=smu,dc=edu" scope=2 filter="(&(uid=tuckerd)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbprincipalname cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krblastpwdchange krbpasswordexpiration pwdAttribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap"
[09/Jan/2013:13:10:48 -0600] conn=2458 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[09/Jan/2013:13:10:48 -0600] conn=2458 op=3 SRCH base="dc=engr,dc=smu,dc=edu" scope=2 filter="(&(memberUid=tuckerd)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))" attrs="objectClass cn userPassword gidNumber memberUid modifyTimestamp modifyTimestamp"
[09/Jan/2013:13:10:48 -0600] conn=2458 op=3 RESULT err=0 tag=101 nentries=1 etime=0 notes=U,P
[09/Jan/2013:13:10:48 -0600] conn=2459 fd=65 slot=65 connection from 129.119.103.59 to 129.119.113.231
[09/Jan/2013:13:10:48 -0600] conn=2459 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[09/Jan/2013:13:10:48 -0600] conn=2459 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[09/Jan/2013:13:10:48 -0600] conn=2459 op=-1 fd=65 closed error 34 (Numerical result out of range) - B2

Which has to be the most cryptic error logging I've ever seen :). Can 
anyone help me make sense of this and what it means?

-- 
Sincerely,

Doug Tucker
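
Added example, not part of the original post: a small Python parser for access-log records in the format quoted above. It pairs each EXT request with its RESULT on the same conn/op and reports the ones the server answered with a non-zero result, such as the EXT / RESULT err=2 pair on conn=2459. The OID and result-code names come from RFC 4511 (1.3.6.1.4.1.1466.20037 is the StartTLS extended operation, result code 2 is protocolError); the function name and the sample records are constructed for illustration.

```python
import re

# Constructed sample records in the access-log format quoted in the post
# (one record per line; connection numbers are illustrative).
SAMPLE = """\
[09/Jan/2013:13:10:48 -0600] conn=10 op=0 BIND dn="" method=128 version=3
[09/Jan/2013:13:10:48 -0600] conn=10 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[09/Jan/2013:13:10:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[09/Jan/2013:13:10:48 -0600] conn=11 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[09/Jan/2013:13:10:49 -0600] conn=12 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[09/Jan/2013:13:10:49 -0600] conn=12 op=0 RESULT err=0 tag=120 nentries=0 etime=0
"""

# Both tables are facts from RFC 4511, not taken from the post.
EXT_OIDS = {"1.3.6.1.4.1.1466.20037": "StartTLS"}
RESULT_CODES = {0: "success", 1: "operationsError", 2: "protocolError"}

RECORD = re.compile(r'^\[([^\]]+)\] conn=(\d+) op=(-?\d+) ([A-Z]+)\b(.*)$')

def failed_ext_ops(log_text):
    """Pair each EXT request with its RESULT; return the non-zero results."""
    pending, failures = {}, []
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # connection open/close lines carry no operation verb
        ts, conn, op, verb, rest = m.groups()
        key = (conn, op)
        if verb == "EXT":
            oid = re.search(r'oid="([^"]+)"', rest)
            if oid:
                pending[key] = oid.group(1)
        elif verb == "RESULT" and key in pending:
            oid = pending.pop(key)
            err = re.search(r'\berr=(\d+)', rest)
            code = int(err.group(1)) if err else None
            if code != 0:
                failures.append({
                    "time": ts, "conn": int(conn), "oid": oid,
                    "operation": EXT_OIDS.get(oid, "unknown"),
                    "result": RESULT_CODES.get(code, f"err={code}"),
                })
    return failures

if __name__ == "__main__":
    for failure in failed_ext_ops(SAMPLE):
        print(failure)
```

The parser expects one record per line, so log text that a mail client has hard-wrapped needs its continuation lines joined first.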