[389-users] id works, cannot auth though

Chandan Kumar chandank.kumar at gmail.com
Thu Jan 10 00:03:35 UTC 2013


I am no expert in LDAP, but I have attached my system-auth file. It may help
you, as it is working with my 389 server.

For SSSD setup,
http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html
could help you.


Thanks
Chandan

On Wednesday, January 9, 2013, Doug Tucker wrote:

> I still can't seem to figure out how to import my groups to 389 from
> openldap, but the users transferred fine.  However, moving forward, I
> created a group manually in 389 and added my username to the group. Now
> from my client, if I do: id tuckerd, I get the results I'm looking for:
>
> # id tuckerd
> uid=4011(tuckerd) gid=500(seasadm) groups=500(seasadm)
>
> However, attempts to log in at the console with tuckerd fail
> authentication.  On this client, in secure.log, I get this:
>
>
> Jan  9 13:06:18 asteriskvm sshd[4546]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.76.1 user=tuckerd
> Jan  9 13:06:18 asteriskvm sshd[4546]: pam_sss(sshd:auth): received for
> user tuckerd: 4 (System error)
> Jan  9 13:06:19 asteriskvm sshd[4546]: Failed password for tuckerd from
> 172.16.76.1 port 57093 ssh2
> Jan  9 13:06:33 asteriskvm sshd[4546]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.76.1 user=tuckerd
> Jan  9 13:06:33 asteriskvm sshd[4546]: pam_sss(sshd:auth): received for
> user tuckerd: 9 (Authentication service cannot retrieve authentication info)
> Jan  9 13:06:35 asteriskvm sshd[4546]: Failed password for tuckerd from
> 172.16.76.1 port 57093 ssh2
> Jan  9 13:06:36 asteriskvm sshd[4547]: Connection closed by 172.16.76.1
> Jan  9 13:06:36 asteriskvm sshd[4546]: PAM 1 more authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.76.1 user=tuckerd
>
> I have changed the password in 389 for tuckerd and am confident it is
> being typed correctly.
>
> [09/Jan/2013:13:10:48 -0600] conn=2458 fd=64 slot=64 connection from
> 129.119.103.59 to 129.119.113.231
> [09/Jan/2013:13:10:48 -0600] conn=2458 op=0 SRCH base="" scope=0
> filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl
> supportedExtension supportedFeatures supportedLDAPVersion
> supportedSASLMechanisms defaultnamingcontext lastusn highestcommittedusn
> aci"
> [09/Jan/2013:13:10:48 -0600] conn=2458 op=0 RESULT err=0 tag=101
> nentries=1 etime=0
> [09/Jan/2013:13:10:48 -0600] conn=2458 op=1 BIND dn="" method=128 version=3
> [09/Jan/2013:13:10:48 -0600] conn=2458 op=1 RESULT err=0 tag=97 nentries=0
> etime=0 dn=""
> [09/Jan/2013:13:10:48 -0600] conn=2458 op=2 SRCH
> base="dc=engr,dc=smu,dc=edu" scope=2 filter="(&(uid=tuckerd)(objectClass=posixAccount))"
> attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory
> loginShell krbprincipalname cn modifyTimestamp modifyTimestamp
> shadowLastChange shadowMin shadowMax shadowWarning shadowInactive
> shadowExpire shadowFlag krblastpwdchange krbpasswordexpiration pwdAttribute
> authorizedService accountexpires useraccountcontrol nsAccountLock host
> logindisabled loginexpirationtime loginallowedtimemap"
> [09/Jan/2013:13:10:48 -0600] conn=2458 op=2 RESULT err=0 tag=101
> nentries=1 etime=0
> [09/Jan/2013:13:10:48 -0600] conn=2458 op=3 SRCH
> base="dc=engr,dc=smu,dc=edu" scope=2 filter="(&(memberUid=tuckerd)(
> objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
> attrs="objectClass cn userPassword gidNumber memberUid modifyTimestamp
> modifyTimestamp"
> [09/Jan/2013:13:10:48 -0600] conn=2458 op=3 RESULT err=0 tag=101
> nentries=1 etime=0 notes=U,P
> [09/Jan/2013:13:10:48 -0600] conn=2459 fd=65 slot=65 connection from
> 129.119.103.59 to 129.119.113.231
> [09/Jan/2013:13:10:48 -0600] conn=2459 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037"
> [09/Jan/2013:13:10:48 -0600] conn=2459 op=0 RESULT err=2 tag=120
> nentries=0 etime=0
> [09/Jan/2013:13:10:48 -0600] conn=2459 op=-1 fd=65 closed error 34
> (Numerical result out of range) - B2
>
> Which has to be the most cryptic error logging I've ever seen :). Can
> anyone help me make sense of this and what it means?
>
> --
> Sincerely,
>
> Doug Tucker
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users



--
http://about.me/chandank
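An added example, not part of the thread: a small Python parser over the access-log lines Doug posted (re-joined onto one line each and embedded here as a constructed sample) that pairs each EXT request with its RESULT on the same connection and flags a StartTLS the server did not accept. OID 1.3.6.1.4.1.1466.20037 is the StartTLS extended operation and err=2 is LDAP protocolError, so the "B2" close on conn=2459 is the server refusing to start TLS on the connection the client opened for authentication, while the anonymous lookup on conn=2458 that backs `id` succeeds.

```python
import re

# Constructed sample: the access-log lines from the thread above, re-joined onto
# one line each (the mail client had wrapped them). conn=2458 is the anonymous
# lookup that serves `id`; conn=2459 is the connection opened for authentication.
ACCESS_LOG = """\
[09/Jan/2013:13:10:48 -0600] conn=2458 op=1 BIND dn="" method=128 version=3
[09/Jan/2013:13:10:48 -0600] conn=2458 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[09/Jan/2013:13:10:48 -0600] conn=2459 fd=65 slot=65 connection from 129.119.103.59 to 129.119.113.231
[09/Jan/2013:13:10:48 -0600] conn=2459 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[09/Jan/2013:13:10:48 -0600] conn=2459 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[09/Jan/2013:13:10:48 -0600] conn=2459 op=-1 fd=65 closed error 34 (Numerical result out of range) - B2
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)
LDAP_RESULT = {0: "success", 2: "protocolError", 49: "invalidCredentials",
               53: "unwillingToPerform"}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
EXT_RE = re.compile(r'op=(?P<op>-?\d+) EXT oid="(?P<oid>[^"]+)"')
RESULT_RE = re.compile(r"op=(?P<op>-?\d+) RESULT err=(?P<err>\d+)")


def find_failed_starttls(log_text):
    """Pair each EXT request with the RESULT for the same (conn, op) and return
    one (conn, err, name) tuple per StartTLS request the server did not accept."""
    pending = {}  # (conn, op) -> oid of an extended request awaiting its RESULT
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        ext = EXT_RE.search(rest)
        if ext:
            pending[(conn, ext.group("op"))] = ext.group("oid")
            continue
        res = RESULT_RE.search(rest)
        if res and (conn, res.group("op")) in pending:
            oid = pending.pop((conn, res.group("op")))
            err = int(res.group("err"))
            if oid == STARTTLS_OID and err != 0:
                findings.append((conn, err, LDAP_RESULT.get(err, "unknown")))
    return findings


if __name__ == "__main__":
    for conn, err, name in find_failed_starttls(ACCESS_LOG):
        print(f"conn={conn}: StartTLS rejected with err={err} ({name}); "
              "the client will not send a password over this connection")
```

SSSD's LDAP auth backend does not send a password over an unencrypted connection, which is why the lookups succeed but pam_sss reports a system error; confirming that TLS is enabled on the 389 server and that the client trusts its CA certificate is the first thing to check.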