[389-users] id works, cannot auth though

Chandan Kumar chandank.kumar at gmail.com
Thu Jan 10 17:41:08 UTC 2013


I think the email server stripped the attachment. Please find below the
output of the system-auth file.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


On Thursday, January 10, 2013, Doug Tucker wrote:

> There wasn't an attachment?
>
> Sincerely,
>
> Doug Tucker
>
> On 01/09/2013 06:03 PM, Chandan Kumar wrote:
>
> I am no expert in LDAP, I have attached my system-auth file. It may help
> you as it is working with my 389 server.
>
> For SSSD setup http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html
> could help you.
>
>
> Thanks
> Chandan
>
> On Wednesday, January 9, 2013, Doug Tucker wrote:
>
>     I still can't seem to figure out how to import my groups to 389
>     from openldap, but the users transferred fine.  However moving
>     forward, I created a group manually in 389 and added my username
>     to the group. Now from my client, if I do: id tuckerd, i get the
>     results I'm looking for:
>
>     # id tuckerd
>     uid=4011(tuckerd) gid=500(seasadm) groups=500(seasadm)
>
>     However, attempts to log in at the console with tuckerd fail
>     authentication.  On this client, in secure.log I get this:
>
>
>     Jan  9 13:06:18 asteriskvm sshd[4546]: pam_sss(sshd:auth):
>     authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>     rhost=172.16.76.1 user=tuckerd
>     Jan  9 13:06:18 asteriskvm sshd[4546]: pam_sss(sshd:auth):
>     received for user tuckerd: 4 (System error)
>     Jan  9 13:06:19 asteriskvm sshd[4546]: Failed password for tuckerd
>     from 172.16.76.1 port 57093 ssh2
>     Jan  9 13:06:33 asteriskvm sshd[4546]: pam_sss(sshd:auth):
>     authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>     rhost=172.16.76.1 user=tuckerd
>     Jan  9 13:06:33 asteriskvm sshd[4546]: pam_sss(sshd:auth):
>     received for user tuckerd: 9 (Authentication service cannot
>     retrieve authentication info)
>     Jan  9 13:06:35 asteriskvm sshd[4546]: Failed password for tuckerd
>     from 172.16.76.1 port 57093 ssh2
>     Jan  9 13:06:36 asteriskvm sshd[4547]: Connection closed by
>     172.16.76.1
>     Jan  9 13:06:36 asteriskvm sshd[4546]: PAM 1 more authentication
>     failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.76.1
>     user=tuckerd
>
>     I have changed the password in 389 for tuckerd and am confident it
>     is being typed correctly.
>
>     [09/Jan/2013:13:10:48 -0600] conn=2458 fd=64 slot=64 connection
>     from 129.119.103.59 to 129.119.113.231
>     [09/Jan/2013:13:10:48 -0600] conn=2458 op=0 SRCH base="" scope=0
>     filter="(objectClass=*)" attrs="* altServer namingContexts
>     supportedControl supportedExtension supportedFeatures
>     supportedLDAPVersion supportedSASLMechanisms defaultnamingcontext
>     lastusn highestcommittedusn aci"
>     [09/Jan/2013:13:10:48 -0600] conn=2458 op=0 RESULT err=0 tag=101
>     nentries=1 etime=0
>     [09/Jan/2013:13:10:48 -0600] conn=2458 op=1 BIND dn="" method=128
>     version=3
>     [09/Jan/2013:13:10:48 -0600] conn=2458 op=1 RESULT err=0 tag=97
>     nentries=0 etime=0 dn=""
>     [09/Jan/2013:13:10:48 -0600] conn=2458 op=2 SRCH
>     base="dc=engr,dc=smu,dc=edu" scope=2
>     filter="(&(uid=tuckerd)(objectClass=posixAccount))"
>     attrs="objectClass uid userPassword uidNumber gidNumber gecos
>     homeDirectory loginShell krbprincipalname cn modifyTimestamp
>     modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning
>     shadowInactive shadowExpire shadowFlag krblastpwdchange
>     krbpasswordexpiration pwdAttribute authorizedService
>     accountexpires useraccountcontrol nsAccountLock host logindisabled
>     loginexpirationtime loginallowedtimemap"
>     [09/Jan/2013:13:10:48 -0600] conn=2458 op=2 RESULT err=0 tag=101
>     nentries=1 etime=0
>     [09/Jan/2013:13:10:48 -0600] conn=2458 op=3 SRCH
>     base="dc=engr,dc=smu,dc=edu" scope=2
>     filter="(&(memberUid=tuckerd)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
>     attrs="objectClass cn userPassword gidNumber memberUid
>     modifyTimestamp modifyTimestamp"
>     [09/Jan/2013:13:10:48 -0600] conn=2458 op=3 RESULT err=0 tag=101
>     nentries=1 etime=0 notes=U,P
>     [09/Jan/2013:13:10:48 -0600] conn=2459 fd=65 slot=65 connection
>     from 129.119.103.59 to 129.119.113.231
>     [09/Jan/2013:13:10:48 -0600] conn=2459 op=0 EXT
>     oid="1.3.6.1.4.1.1466.20037"
>     [09/Jan/2013:13:10:48 -0600] conn=2459 op=0 RESULT err=2 tag=120
>     nentries=0 etime=0
>     [09/Jan/2013:13:10:48 -0600] conn=2459 op=-1 fd=65 closed error 34
>     (Numerical result out of range) - B2
>
>     Which has to be the most cryptic error logging I've ever seen :).
>     Can anyone help me make
>
>

-- 
http://about.me/chandank
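Added example, not from this thread or from the 389/SSSD projects: a small simulator that walks the "auth" lines of the system-auth file posted above with Linux-PAM's control-flag semantics (required, requisite, sufficient, optional). The pam_unix and pam_sss outcomes are supplied as booleans standing in for the real password check; the uid threshold comes straight from the pam_succeed_if line. It shows why an LDAP user whose pam_sss call returns an error falls through to pam_deny, and why a local account below uid 500 is never even offered to pam_sss.

```python
"""Walk the 'auth' stack of the system-auth file posted above the way Linux-PAM
does, to show which module actually decides the result for a given user."""
import re

# Constructed from the auth lines of the system-auth posted in this thread.
SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
"""

def parse_stack(text, phase="auth"):
    """Return [(control, module, args)] for one management group (auth, account, ...)."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or parts[0] != phase:
            continue
        stack.append((parts[1], parts[2], parts[3:]))
    return stack

def succeed_if(args, user):
    """Evaluate the 'uid <op> N' condition form used in this file ('quiet' is ignored)."""
    m = re.fullmatch(r"uid (>=|<=|!=|>|<|=) (\d+)", " ".join(a for a in args if a != "quiet"))
    if not m:
        raise ValueError("unsupported pam_succeed_if condition: " + " ".join(args))
    op, n, uid = m.group(1), int(m.group(2)), user["uid"]
    return {">=": uid >= n, "<=": uid <= n, "!=": uid != n,
            ">": uid > n, "<": uid < n, "=": uid == n}[op]

def module_result(module, args, user, outcomes):
    """Fixed modules (env/permit/deny) and pam_succeed_if are computed here; pam_unix and
    pam_sss results come from 'outcomes', a stand-in for the real password check."""
    if module in ("pam_env.so", "pam_permit.so"):
        return True
    if module == "pam_deny.so":
        return False
    if module == "pam_succeed_if.so":
        return succeed_if(args, user)
    return outcomes.get(module, False)

def evaluate(stack, user, outcomes):
    """Apply required/requisite/sufficient/optional semantics. Returns (granted, trace)."""
    trace, required_failed = [], False
    for control, module, args in stack:
        ok = module_result(module, args, user, outcomes)
        trace.append(f"{control:10} {module:18} -> {'ok' if ok else 'FAIL'}")
        if control == "required" and not ok:
            required_failed = True            # remembered, but the stack keeps going
        elif control == "requisite" and not ok:
            trace.append("requisite failure: stack aborted here")
            return False, trace
        elif control == "sufficient" and ok and not required_failed:
            trace.append("sufficient success: stack returns success here")
            return True, trace
        elif control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unsupported control flag {control!r}")
    # Reached the bottom: the required pam_deny.so guarantees failure on this stack.
    return not required_failed, trace

def login(uid, unix_ok=False, sss_ok=False):
    """Simulate one auth attempt for a user with the given uid (hypothetical helper)."""
    stack = parse_stack(SYSTEM_AUTH)
    return evaluate(stack, {"uid": uid}, {"pam_unix.so": unix_ok, "pam_sss.so": sss_ok})

if __name__ == "__main__":
    cases = [
        ("tuckerd (uid 4011), pam_sss returned an error", dict(uid=4011, sss_ok=False)),
        ("tuckerd (uid 4011), pam_sss accepted the password", dict(uid=4011, sss_ok=True)),
        ("local uid 100, wrong local password", dict(uid=100, unix_ok=False)),
    ]
    for label, kwargs in cases:
        granted, trace = login(**kwargs)
        print(f"{label}: {'GRANTED' if granted else 'DENIED'}")
        for step in trace:
            print("   ", step)
```

Run it as-is to see the three traces. The point to take from the second and third cases: pam_unix is consulted first for every login, the uid >= 500 requisite line is what routes a request to pam_sss at all, and nothing after a failed pam_sss can rescue the attempt, because the only remaining module is pam_deny.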
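A second added example, again mine rather than anything from the thread or the 389 project: a parser for the 389 access-log excerpt quoted above that pairs each request with its RESULT line on the same conn/op and reports what happened per connection. The OID 1.3.6.1.4.1.1466.20037 on conn=2459 is the RFC 4511 StartTLS extended operation, and err=2 is the LDAP resultCode protocolError; in the quoted log that connection is closed right after the refusal with no bind attempted, which is why pam_sss reports "System error" rather than a bad password. SSSD's LDAP provider will not send a user's password over an unencrypted channel by default, so a refused StartTLS on the authentication connection fails the login even though the anonymous identity lookups on conn=2458 succeed. The sample lines are reconstructed from the quoted log with the mail wrapping undone and the long attrs lists shortened.

```python
"""Correlate request/RESULT pairs in a 389 Directory Server access log and report,
per connection, bind outcomes and whether StartTLS was accepted or refused."""
import re
from collections import defaultdict

# RFC 4511 StartTLS extended-operation OID, as seen on the EXT line of the quoted log.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Subset of LDAP resultCode values (RFC 4511), for readable output only.
LDAP_ERR = {0: "success", 1: "operationsError", 2: "protocolError",
            32: "noSuchObject", 49: "invalidCredentials", 50: "insufficientAccessRights"}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the two connections from the log quoted in this thread,
# unwrapped and with the attrs lists abridged.
SAMPLE_LOG = """\
[09/Jan/2013:13:10:48 -0600] conn=2458 fd=64 slot=64 connection from 129.119.103.59 to 129.119.113.231
[09/Jan/2013:13:10:48 -0600] conn=2458 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts"
[09/Jan/2013:13:10:48 -0600] conn=2458 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[09/Jan/2013:13:10:48 -0600] conn=2458 op=1 BIND dn="" method=128 version=3
[09/Jan/2013:13:10:48 -0600] conn=2458 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[09/Jan/2013:13:10:48 -0600] conn=2458 op=2 SRCH base="dc=engr,dc=smu,dc=edu" scope=2 filter="(&(uid=tuckerd)(objectClass=posixAccount))" attrs="objectClass uid uidNumber gidNumber"
[09/Jan/2013:13:10:48 -0600] conn=2458 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[09/Jan/2013:13:10:48 -0600] conn=2459 fd=65 slot=65 connection from 129.119.103.59 to 129.119.113.231
[09/Jan/2013:13:10:48 -0600] conn=2459 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[09/Jan/2013:13:10:48 -0600] conn=2459 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[09/Jan/2013:13:10:48 -0600] conn=2459 op=-1 fd=65 closed error 34 (Numerical result out of range) - B2
"""

def parse_line(line):
    """Split one access-log line into connection id, event kind and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    # The first token that is not key=value names the event: SRCH, RESULT, BIND, EXT, closed ...
    kind = next((t for t in rest.split() if "=" not in t), "?")
    return {"ts": m.group("ts"), "conn": int(m.group("conn")),
            "op": int(kv["op"]) if "op" in kv else None, "kind": kind, "kv": kv, "rest": rest}

def analyze(lines):
    """Return {conn: [findings]} after pairing each request with its RESULT on that connection."""
    by_conn = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_conn[rec["conn"]].append(rec)
    findings = {}
    for conn, recs in sorted(by_conn.items()):
        pending, notes = {}, []
        for r in recs:
            if r["kind"] in ("SRCH", "BIND", "EXT"):
                pending[r["op"]] = r                    # wait for the matching RESULT
            elif r["kind"] == "RESULT":
                req = pending.pop(r["op"], None)
                if req is None:
                    continue
                err = int(r["kv"].get("err", -1))
                name = LDAP_ERR.get(err, "unknown")
                if req["kind"] == "EXT" and req["kv"].get("oid") == STARTTLS_OID:
                    notes.append("StartTLS " + ("accepted" if err == 0 else f"refused: err={err} ({name})"))
                elif req["kind"] == "BIND":
                    who = req["kv"].get("dn") or "<anonymous>"
                    notes.append(f"BIND as {who}: err={err} ({name})")
            elif r["kind"] == "closed":
                notes.append("connection " + r["rest"][r["rest"].index("closed"):])
        for op, req in sorted(pending.items()):
            notes.append(f"{req['kind']} op={op} never received a RESULT")
        findings[conn] = notes
    return findings

if __name__ == "__main__":
    for conn, notes in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"conn={conn}")
        for n in notes:
            print("   ", n)
```

On the sample this prints an anonymous bind that succeeded for conn=2458 (the identity lookups behind "id tuckerd") and, for conn=2459, "StartTLS refused: err=2 (protocolError)" followed by the close. Feeding a real access log through the same loop is a quick way to separate "wrong password" (a BIND with the user's DN and err=49) from "no encrypted channel was ever established" (a refused StartTLS and no BIND at all).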