<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000'><font face="arial, helvetica, sans-serif">For those that happen across this thread in the archives, and anyone else who cares, I was able to fix my login problem the other day by setting my nsswitch.conf like this:</font><div><div style="font-family: arial, helvetica, sans-serif;"><br></div><div><font face="courier new, courier, monaco, monospace, sans-serif">passwd: files ldap sss</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">group: files ldap sss</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">hosts: files mdns4_minimal [NOTFOUND=return] dns</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">networks: files dns</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">services: files ldap</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">protocols: files</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">rpc: files</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">ethers: files</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">netmasks: files</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">netgroup: files ldap</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">publickey: files</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">bootparams: files</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">automount: files </font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">aliases: files ldap</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">passwd_compat: ldap sss</font></div><div 
style="font-family: arial, helvetica, sans-serif;"><br></div><span style="font-family: arial, helvetica, sans-serif;">Neither ldap nor sss worked on their own, but it seems the sss worked for the account info, and the ldap worked for authentication. </span></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">Scott</font></div><div><font face="arial, helvetica, sans-serif"><br></font><hr id="zwchr" style="font-family: arial, helvetica, sans-serif;"><div style="font-family: Helvetica, Arial, sans-serif; color: rgb(0, 0, 0); font-weight: normal; font-style: normal; text-decoration: none; font-size: 12pt;"><b>From: </b>"Chuck Payne" <terrorpup@gmail.com><br><b>To: </b>"Atlanta Linux Enthusiasts" <ale@ale.org><br><b>Sent: </b>Tuesday, June 25, 2013 12:05:57 PM<br><b>Subject: </b>Re: [ale] ldap/nss/sssd login problems<br><br>Scott,<br><br>You're best going to post this on the forum and join the openSUSE maillist.<br><br>Pup<br><br>On Tue, Jun 25, 2013 at 11:39 AM, Scott Plante <splante@insightsys.com> wrote:<br>> Well, I guess I found the problem. man sssd-ldap says:<br>><br>> LDAP back end supports id, auth, access and chpass providers. If you<br>> want to authenticate against an LDAP server either TLS/SSL or LDAPS is<br>> required. sssd does not support authentication over an unencrypted channel.<br>> If the LDAP server is used only as an identity provider, an encrypted<br>> channel is not needed.<br>><br>><br>> I'd been meaning to upgrade our LDAP--I suppose now I have the impetus to do<br>> it.<br>><br>> Scott<br>><br>> ________________________________<br>> From: "Scott Plante" <splante@insightsys.com><br>> To: ale@ale.org<br>> Sent: Monday, June 24, 2013 12:21:36 PM<br>> Subject: [ale] ldap/nss/sssd login problems<br>><br>><br>> I just installed OpenSUSE 12.3 on my development machine. We had been using<br>> 11.3 and we authenticate via LDAP. I used YaST to set up the LDAP<br>> authentication settings. 
12.3 uses the newish sssd which either wasn't<br>> available or at least we weren't using on 11.3.<br>><br>> It is communicating with LDAP: I can see existing users, I can type these<br>> commands successfully:<br>> guinness:/etc # id splante<br>> uid=20008(splante) gid=20000 groups=20000<br>> guinness:/etc # su - splante<br>> splante@guinness:~> pwd<br>> /home/splante<br>><br>> However, if I "su" again as non-root where it needs to check the password,<br>> it fails. The splante user does not exist in /etc/passwd so the id command<br>> is definitely seeing ldap. I believe I have TLS/SSL turned off in the LDAP<br>> config, but I see this in /var/log/messages<br>> 2013-06-24T12:07:33.671426-04:00 guinness sssd[be[default]]: Could not start<br>> TLS encryption. unsupported extended operation<br>> 2013-06-24T12:07:33.671640-04:00 guinness su: pam_sss(su:auth):<br>> authentication failure; logname=root uid=20008 euid=0 tty=pts/2<br>> ruser=splante rhost= user=splante<br>> 2013-06-24T12:07:33.671990-04:00 guinness su: pam_sss(su:auth): received for<br>> user splante: 9 (Authentication service cannot retrieve authentication info)<br>> 2013-06-24T12:07:35.438192-04:00 guinness su: FAILED SU (to splante) root on<br>> /dev/pts/2<br>> 2013-06-24T12:07:38.439086-04:00 guinness su: pam_unix(su:session): session<br>> closed for user splante<br>> 2013-06-24T12:08:47.096406-04:00 guinness login: pam_unix(login:auth):<br>> authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=<br>> user=splante<br>> 2013-06-24T12:08:47.268434-04:00 guinness sssd[be[default]]: Could not start<br>> TLS encryption. 
unsupported extended operation<br>> 2013-06-24T12:08:47.268693-04:00 guinness login: pam_sss(login:auth):<br>> authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=<br>> user=splante<br>> 2013-06-24T12:08:47.269044-04:00 guinness login: pam_sss(login:auth):<br>> received for user splante: 9 (Authentication service cannot retrieve<br>> authentication info)<br>> 2013-06-24T12:08:49.190951-04:00 guinness login: FAILED LOGIN 1 FROM tty1<br>> FOR splante, Authentication service cannot retrieve authentication info<br>><br>> My ldap.conf, less comments and blanks, looks like this:<br>> guinness:/etc # grep -v "^#" /etc/ldap.conf|grep -v "^$"<br>> base ou=People,dc=insightsys,dc=com<br>> uri ldap://ldap.isint<br>> rootbinddn cn=manager,dc=insightsys,dc=com<br>> scope sub<br>> bind_policy soft<br>> pam_lookup_policy yes<br>> pam_password md5<br>> nss_initgroups_ignoreusers root,ldap<br>> nss_schema rfc2307bis<br>> nss_base_passwd ou=People,dc=insightsys,dc=com<br>> nss_base_shadow ou=People,dc=insightsys,dc=com<br>> nss_base_group ou=Group,dc=insightsys,dc=com<br>> nss_map_attribute uniqueMember member<br>> ssl no<br>> ldap_version 3<br>> pam_filter objectClass=posixAccount<br>> tls_checkpeer no<br>><br>> And sssd.conf:<br>> guinness:/etc # grep -v "^#" /etc/sssd/sssd.conf|grep -v "^$"|grep -v "^;"<br>> [sssd]<br>> config_file_version = 2<br>> services = nss,pam<br>> domains = default<br>> [nss]<br>> filter_groups = root<br>> filter_users = root<br>> [pam]<br>> [domain/default]<br>> ldap_uri = ldap://ldap.isint<br>> ldap_search_base = ou=People,dc=insightsys,dc=com<br>> ldap_schema = rfc2307<br>> id_provider = ldap<br>> ldap_user_uuid = entryuuid<br>> ldap_group_uuid = entryuuid<br>> ldap_id_use_start_tls = False<br>> ldap_tls_reqcert = never<br>> enumerate = True<br>> cache_credentials = False<br>> chpass_provider = ldap<br>> auth_provider = ldap<br>><br>> And nsswitch.conf:<br>> guinness:/etc # grep -v "^#" /etc/nsswitch.conf|grep -v "^$"<br>> passwd: 
compat sss<br>> group: files sss<br>> hosts: files mdns4_minimal [NOTFOUND=return] dns<br>> networks: files dns<br>> services: files<br>> protocols: files<br>> rpc: files<br>> ethers: files<br>> netmasks: files<br>> netgroup: files<br>> publickey: files<br>> bootparams: files<br>> automount: files nis<br>> aliases: files<br>><br>> Any ideas?<br>><br>> Thanks,<br>> Scott<br>><br>> _______________________________________________<br>> Ale mailing list<br>> Ale@ale.org<br>> http://mail.ale.org/mailman/listinfo/ale<br>> See JOBS, ANNOUNCE and SCHOOLS lists at<br>> http://mail.ale.org/mailman/listinfo<br>><br><br><br>--<br>Terror PUP a.k.a<br>Chuck "PUP" Payne<br><br>(678) 636-9678<br>-----------------------------------------<br>Discover it! Enjoy it! Share it! openSUSE Linux.<br>-----------------------------------------<br>openSUSE -- en.opensuse.org/User:Terrorpup<br>openSUSE Ambassador/openSUSE Member/Local Coordinator<br>Community Manager -- Southeast Linux Foundation (SELF)<br>skype,twitter,identica,friendfeed -- terrorpup<br>freenode(irc) --terrorpup/lupinstein<br>Registered Linux Userid: 155363<br><br>Have you tried SUSE Studio? Need to create a Live CD, an app you want<br>to package and distribute, or create your own linux distro. Give SUSE<br>Studio a try. www.susestudio.com.<br>See you at Southeast Linux Fest, June 7-9, 2013 in Charlotte, NC.<br>www.southeastlinuxfest.org<br></div><br></div></div></body></html>
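As an added example that is not from the thread or any of its participants, here is a small Python check for the misconfiguration Scott ran into, run against the [domain/default] section he posted: auth_provider = ldap over a plain ldap:// URI with ldap_id_use_start_tls = False, which the sssd-ldap man page quoted above says sssd refuses, and ldap_tls_reqcert = never, which would make any TLS that was used accept any server certificate. The sample config is copied from the thread; the function name lint_sssd and the check logic are my own.

```python
"""Lint [domain/...] sections of an sssd.conf for the failure in the thread: auth over
a plain ldap:// URI with STARTTLS off (sssd refuses it) and ldap_tls_reqcert = never."""
import configparser
# Sample copied from the sssd.conf posted in the thread (constructed test input).
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss,pam
domains = default
[nss]
filter_groups = root
filter_users = root
[pam]
[domain/default]
ldap_uri = ldap://ldap.isint
ldap_search_base = ou=People,dc=insightsys,dc=com
ldap_schema = rfc2307
id_provider = ldap
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
enumerate = True
cache_credentials = False
chpass_provider = ldap
auth_provider = ldap
"""
TRUE_VALUES = {"true", "yes", "1"}

def lint_sssd(text):
    """Return (section, finding) tuples; an empty list means nothing was flagged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        # Only auth/chpass need an encrypted channel; id-only lookups do not.
        auths_via_ldap = "ldap" in (d.get("auth_provider", ""), d.get("chpass_provider", ""))
        plain = [u for u in d.get("ldap_uri", "").split() if u.lower().startswith("ldap://")]
        start_tls = d.get("ldap_id_use_start_tls", "false").lower() in TRUE_VALUES
        if auths_via_ldap and plain and not start_tls:
            findings.append((section, "auth over unencrypted %s: sssd refuses this; use "
                                      "ldaps:// or ldap_id_use_start_tls = True" % " ".join(plain)))
        if d.get("ldap_tls_reqcert", "").lower() == "never":
            findings.append((section, "ldap_tls_reqcert = never skips server certificate checks"))
    return findings

if __name__ == "__main__":
    for sec, msg in lint_sssd(SAMPLE_SSSD_CONF):
        print(sec + ": " + msg)
```

The nsswitch.conf workaround in the top post routes authentication through pam_ldap over the same plain ldap://ldap.isint URI with `ssl no`, so it bypasses sssd's refusal rather than the cleartext-password problem that refusal guards against; the LDAP upgrade Scott mentions is what removes it.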