<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000'><div>Well, I guess I found the problem. man sssd-ldap says:</div><div><br></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><div> LDAP back end supports id, auth, access and chpass providers. If you want to authenticate against an LDAP server either TLS/SSL or LDAPS is required. sssd does not support authentication over an unencrypted channel. If the LDAP server is used only as an<span style="font-size: 12pt;"> identity provider, an encrypted channel is not needed. </span></div></blockquote><div><br></div><div>I'd been meaning to upgrade our LDAP--I suppose now I have the impetus to do it. </div><div><br></div><div>Scott</div><br><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Scott Plante" <splante@insightsys.com><br><b>To: </b>ale@ale.org<br><b>Sent: </b>Monday, June 24, 2013 12:21:36 PM<br><b>Subject: </b>[ale] ldap/nss/sssd login problems<br><br><style>p { margin: 0; }</style><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000"><font face="arial, helvetica, sans-serif" style="color: rgb(0, 0, 0); font-size: 12pt;">I just installed OpenSUSE 12.3 on my development machine. We had been using 11.3 and we authenticate via LDAP. I used YaST to set up the LDAP authentication settings. 
12.3 uses the newish sssd which either wasn't available or at least we weren't using on 11.3.</font><div style="color: rgb(0, 0, 0); font-size: 12pt; font-family: arial, helvetica, sans-serif;"><br></div><div style="color: rgb(0, 0, 0); font-size: 12pt; font-family: arial, helvetica, sans-serif;">It is communicating with LDAP: I can see existing users, I can type these commands successfully:</div><div style="color: rgb(0, 0, 0); font-size: 12pt;"><div><font face="courier new, courier, monaco, monospace, sans-serif">guinness:/etc # id splante</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">uid=20008(splante) gid=20000 groups=20000</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">guinness:/etc # su - splante</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">splante@guinness:~> pwd</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">/home/splante</font></div></div><div style="color: rgb(0, 0, 0); font-size: 12pt; font-family: arial, helvetica, sans-serif;"><br></div><div style="color: rgb(0, 0, 0); font-size: 12pt; font-family: arial, helvetica, sans-serif;">However, if I "su" again as non-root where it needs to check the password, it fails. The splante user does not exist in /etc/passwd so the id command is definitely seeing ldap. I believe I have TLS/SSL turned off in the LDAP config, but I see this in /var/log/messages</div><div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">2013-06-24T12:07:33.671426-04:00 guinness sssd[be[default]]: Could not start TLS encryption. 
unsupported extended operation</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">2013-06-24T12:07:33.671640-04:00 guinness su: pam_sss(su:auth): authentication failure; logname=root uid=20008 euid=0 tty=pts/2 ruser=splante rhost= user=splante</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">2013-06-24T12:07:33.671990-04:00 guinness su: pam_sss(su:auth): received for user splante: 9 (Authentication service cannot retrieve authentication info)</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">2013-06-24T12:07:35.438192-04:00 guinness su: FAILED SU (to splante) root on /dev/pts/2</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">2013-06-24T12:07:38.439086-04:00 guinness su: pam_unix(su:session): session closed for user splante</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">2013-06-24T12:08:47.096406-04:00 guinness login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=splante</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">2013-06-24T12:08:47.268434-04:00 guinness sssd[be[default]]: Could not start TLS encryption. 
unsupported extended operation</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">2013-06-24T12:08:47.268693-04:00 guinness login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=splante</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">2013-06-24T12:08:47.269044-04:00 guinness login: pam_sss(login:auth): received for user splante: 9 (Authentication service cannot retrieve authentication info)</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">2013-06-24T12:08:49.190951-04:00 guinness login: FAILED LOGIN 1 FROM tty1 FOR splante, Authentication service cannot retrieve authentication info</font></div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;">My ldap.conf, less comments and blanks, looks like this:</div></div><div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">guinness:/etc # grep -v "^#" /etc/ldap.conf|grep -v "^$"</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">base ou=People,dc=insightsys,dc=com</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">uri ldap://ldap.isint</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">rootbinddn cn=manager,dc=insightsys,dc=com</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">scope sub</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">bind_policy soft</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">pam_lookup_policy yes</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">pam_password 
md5</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">nss_initgroups_ignoreusers root,ldap</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">nss_schema rfc2307bis</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">nss_base_passwd ou=People,dc=insightsys,dc=com</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">nss_base_shadow ou=People,dc=insightsys,dc=com</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">nss_base_group ou=Group,dc=insightsys,dc=com</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">nss_map_attribute uniqueMember member</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">ssl no</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">ldap_version 3</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">pam_filter objectClass=posixAccount</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">tls_checkpeer no</font></div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;">And sssd.conf:</div></div><div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">guinness:/etc # grep -v "^#" /etc/sssd/sssd.conf|grep -v "^$"|grep -v "^;"</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">[sssd]</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">config_file_version = 2</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">services = nss,pam</font></div><div><font face="courier new, courier, 
monaco, monospace, sans-serif" size="2">domains = default</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">[nss]</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">filter_groups = root</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">filter_users = root</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">[pam]</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">[domain/default]</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">ldap_uri = ldap://ldap.isint</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">ldap_search_base = ou=People,dc=insightsys,dc=com</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">ldap_schema = rfc2307</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">id_provider = ldap</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">ldap_user_uuid = entryuuid</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">ldap_group_uuid = entryuuid</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">ldap_id_use_start_tls = False</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">ldap_tls_reqcert = never</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">enumerate = True</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">cache_credentials = False</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">chpass_provider = ldap</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">auth_provider = 
ldap</font></div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;">And nsswitch.conf:</div></div><div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">guinness:/etc # grep -v "^#" /etc/nsswitch.conf|grep -v "^$"</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">passwd: compat sss</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">group: files sss</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">hosts: files mdns4_minimal [NOTFOUND=return] dns</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">networks: files dns</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">services: files</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">protocols: files</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">rpc: files</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">ethers: files</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">netmasks: files</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">netgroup: files</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">publickey: files</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">bootparams: files</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">automount: files nis</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif" size="2">aliases: files</font></div><div style="color: rgb(0, 0, 0); font-family: arial, 
helvetica, sans-serif; font-size: 12pt;"><br></div></div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;">Any ideas?</div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;">Thanks,</div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;">Scott</div></div><br>_______________________________________________<br>Ale mailing list<br>Ale@ale.org<br>http://mail.ale.org/mailman/listinfo/ale<br>See JOBS, ANNOUNCE and SCHOOLS lists at<br>http://mail.ale.org/mailman/listinfo<br></div><br></div></body></html>
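<div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000">Added example, not part of the thread above: an offline version of the two checks Scott's diagnosis implies. First, whether the server advertises the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) in its rootDSE, which is what sssd's "unsupported extended operation" error is reporting; second, an audit of a [domain/...] section that uses auth_provider = ldap over a plain ldap:// URI, shown next to a corrected ldaps:// configuration. The rootDSE text is a constructed stand-in for the output of <tt>ldapsearch -x -H ldap://ldap.isint -s base -b '' supportedExtension</tt>, and the CA path <tt>/etc/ssl/certs/insightsys-ca.pem</tt> is a placeholder. Note that <tt>ldap_id_use_start_tls</tt> only governs identity lookups: sssd always insists on TLS for password binds, which is why the original config still tried StartTLS with that option set to False.</div>

```python
"""Offline checks for the sssd-over-LDAP failure discussed in the thread.
Constructed sample data throughout; the hostnames, DNs and CA path are placeholders."""
import configparser
from urllib.parse import urlsplit

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)

# Constructed stand-in for:
#   ldapsearch -x -H ldap://ldap.isint -s base -b '' supportedExtension
# on a server that, like the one in the thread, does not offer StartTLS.
ROOTDSE_NO_STARTTLS = """\
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
"""
ROOTDSE_WITH_STARTTLS = ROOTDSE_NO_STARTTLS + "supportedExtension: " + STARTTLS_OID + "\n"


def server_supports_starttls(rootdse_ldif: str) -> bool:
    """True if the rootDSE lists the StartTLS OID under supportedExtension."""
    for line in rootdse_ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "supportedextension" and value.strip() == STARTTLS_OID:
            return True
    return False


# The settings that matter from the posted sssd.conf (ldap://, TLS off, no cert check).
WEAK_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss,pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.isint
ldap_search_base = ou=People,dc=insightsys,dc=com
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
"""

# Corrected: LDAPS for every connection, server certificate verified against a pinned CA.
FIXED_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss,pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.isint
ldap_search_base = ou=People,dc=insightsys,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/insightsys-ca.pem
"""

FINDINGS = {
    "auth-no-tls": "auth/chpass over ldap:// needs StartTLS and the server does not offer it; "
                   "sssd refuses cleartext password binds, so logins fail (use ldaps:// or add StartTLS)",
    "id-cleartext": "id lookups use ldap:// without ldap_id_use_start_tls; directory data travels in the clear",
    "no-cert-check": "ldap_tls_reqcert is never/allow: the server certificate is not verified "
                     "(set ldap_tls_reqcert = demand and ldap_tls_cacert)",
}


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1")


def audit_sssd_conf(conf_text: str, starttls_offered: bool) -> dict:
    """Map each [domain/...] section with id_provider = ldap to the finding codes that apply."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        if d.get("id_provider", "").strip().lower() != "ldap":
            continue
        codes = []
        uris = d.get("ldap_uri", "").replace(",", " ").split()
        plain = [u for u in uris if urlsplit(u).scheme.lower() != "ldaps"]
        ldap_auth = any(d.get(k, "").strip().lower() == "ldap" for k in ("auth_provider", "chpass_provider"))
        if ldap_auth and plain and not starttls_offered:
            codes.append("auth-no-tls")
        if plain and not _truthy(d.get("ldap_id_use_start_tls", "false")):
            codes.append("id-cleartext")
        if d.get("ldap_tls_reqcert", "hard").strip().lower() in ("never", "allow"):  # sssd default: hard
            codes.append("no-cert-check")
        report[section] = codes
    return report


if __name__ == "__main__":
    offered = server_supports_starttls(ROOTDSE_NO_STARTTLS)
    print("server offers StartTLS:", offered)
    for name, conf in (("weak", WEAK_SSSD_CONF), ("fixed", FIXED_SSSD_CONF)):
        for section, codes in audit_sssd_conf(conf, offered).items():
            print(f"{name} {section}:", [FINDINGS[c] for c in codes] or "ok")
```

<div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000">Against the posted configuration and a server without StartTLS the audit reports all three findings; once the server offers StartTLS the login failure goes away but the cleartext identity lookups and the disabled certificate check remain, which is why the corrected block switches to ldaps:// with ldap_tls_reqcert = demand rather than just upgrading the server.</div>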