[ale] ldap/nss/sssd login problems
Scott Plante
splante at insightsys.com
Fri Jun 28 14:58:01 EDT 2013
For those that happen across this thread in the archives, and anyone else who cares, I was able to fix my login problem the other day by setting my nsswitch.conf like this:
passwd: files ldap sss
group: files ldap sss
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files
aliases: files ldap
passwd_compat: ldap sss
Neither ldap nor sss worked on their own, but it seems the sss worked for the account info, and the ldap worked for authentication.
Scott
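The quoted sssd-ldap man page text and the "Could not start TLS encryption" log lines further down explain the failure: sssd will not authenticate over a plain channel, so auth_provider = ldap on a ldap:// URI silently depends on the server accepting StartTLS. The following static check over an sssd.conf is an added example for this archive page, not code from anyone in the thread; the hostnames and base DN in its sample are placeholders.

```python
"""Static check for the failure mode in this thread: sssd refuses to authenticate
over an unencrypted LDAP channel, so auth_provider = ldap on a plain ldap:// URI
depends on the server supporting StartTLS. Added example, not the poster's code."""
import configparser

# Constructed sample in the shape of the sssd.conf quoted in the thread;
# host and base DN are placeholders, not the poster's real values.
WEAK_CONF = """\
[sssd]
config_file_version = 2
services = nss,pam
domains = default
[domain/default]
ldap_uri = ldap://ldap.example.internal
ldap_search_base = ou=People,dc=example,dc=internal
id_provider = ldap
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
auth_provider = ldap
chpass_provider = ldap
"""

# Same domain with an LDAPS URI and certificate checking left on (constructed).
HARDENED_CONF = (WEAK_CONF.replace("ldap://", "ldaps://")
                 .replace("ldap_id_use_start_tls = False", "ldap_id_use_start_tls = True")
                 .replace("ldap_tls_reqcert = never", "ldap_tls_reqcert = demand"))

def check_sssd_conf(text):
    """Return (domain, message) findings for each [domain/*] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        dom, sec = name[len("domain/"):], cp[name]
        uris = [u.strip() for u in sec.get("ldap_uri", "").split(",") if u.strip()]
        plain = [u for u in uris if u.startswith("ldap://")]
        auth_ldap = any(sec.get(k) == "ldap" for k in ("auth_provider", "chpass_provider"))
        if auth_ldap and plain:
            # sssd issues StartTLS before the authentication bind; the thread's server
            # rejected it with "unsupported extended operation", so every login failed.
            findings.append((dom, f"auth over {plain[0]} needs server-side StartTLS; use ldaps://"))
        if sec.get("ldap_tls_reqcert", "").lower() == "never":
            findings.append((dom, "ldap_tls_reqcert = never disables server certificate checks"))
        if plain and sec.get("ldap_id_use_start_tls", "false").lower() != "true":
            findings.append((dom, "identity lookups run in clear text (ldap_id_use_start_tls off)"))
    return findings
```

Running check_sssd_conf over WEAK_CONF reports the three weaknesses; over HARDENED_CONF it reports none.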
----- Original Message -----
From: "Chuck Payne" <terrorpup at gmail.com>
To: "Atlanta Linux Enthusiasts" <ale at ale.org>
Sent: Tuesday, June 25, 2013 12:05:57 PM
Subject: Re: [ale] ldap/nss/sssd login problems
Scott,
You're best going to post this on the forum and join the openSUSE maillist.
Pup
On Tue, Jun 25, 2013 at 11:39 AM, Scott Plante <splante at insightsys.com> wrote:
> Well, I guess I found the problem. man sssd-ldap says:
>
> LDAP back end supports id, auth, access and chpass providers. If you
> want to authenticate against an LDAP server either TLS/SSL or LDAPS is
> required. sssd does not support authentication over an unencrypted channel.
> If the LDAP server is used only as an identity provider, an encrypted
> channel is not needed.
>
>
> I'd been meaning to upgrade our LDAP--I suppose now I have the impetus to do
> it.
>
> Scott
>
> ________________________________
> From: "Scott Plante" <splante at insightsys.com>
> To: ale at ale.org
> Sent: Monday, June 24, 2013 12:21:36 PM
> Subject: [ale] ldap/nss/sssd login problems
>
>
> I just installed OpenSUSE 12.3 on my development machine. We had been using
> 11.3 and we authenticate via LDAP. I used YaST to set up the LDAP
> authentication settings. 12.3 uses the newish sssd which either wasn't
> available or at least we weren't using on 11.3.
>
> It is communicating with LDAP: I can see existing users, I can type these
> commands successfully:
> guinness:/etc # id splante
> uid=20008(splante) gid=20000 groups=20000
> guinness:/etc # su - splante
> splante at guinness:~> pwd
> /home/splante
>
> However, if I "su" again as non-root where it needs to check the password,
> it fails. The splante user does not exist in /etc/passwd so the id command
> is definitely seeing ldap. I believe I have TLS/SSL turned off in the LDAP
> config, but I see this in /var/log/messages
> 2013-06-24T12:07:33.671426-04:00 guinness sssd[be[default]]: Could not start
> TLS encryption. unsupported extended operation
> 2013-06-24T12:07:33.671640-04:00 guinness su: pam_sss(su:auth):
> authentication failure; logname=root uid=20008 euid=0 tty=pts/2
> ruser=splante rhost= user=splante
> 2013-06-24T12:07:33.671990-04:00 guinness su: pam_sss(su:auth): received for
> user splante: 9 (Authentication service cannot retrieve authentication info)
> 2013-06-24T12:07:35.438192-04:00 guinness su: FAILED SU (to splante) root on
> /dev/pts/2
> 2013-06-24T12:07:38.439086-04:00 guinness su: pam_unix(su:session): session
> closed for user splante
> 2013-06-24T12:08:47.096406-04:00 guinness login: pam_unix(login:auth):
> authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
> user=splante
> 2013-06-24T12:08:47.268434-04:00 guinness sssd[be[default]]: Could not start
> TLS encryption. unsupported extended operation
> 2013-06-24T12:08:47.268693-04:00 guinness login: pam_sss(login:auth):
> authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
> user=splante
> 2013-06-24T12:08:47.269044-04:00 guinness login: pam_sss(login:auth):
> received for user splante: 9 (Authentication service cannot retrieve
> authentication info)
> 2013-06-24T12:08:49.190951-04:00 guinness login: FAILED LOGIN 1 FROM tty1
> FOR splante, Authentication service cannot retrieve authentication info
>
> My ldap.conf, less comments and blanks, looks like this:
> guinness:/etc # grep -v "^#" /etc/ldap.conf|grep -v "^$"
> base ou=People,dc=insightsys,dc=com
> uri ldap://ldap.isint
> rootbinddn cn=manager,dc=insightsys,dc=com
> scope sub
> bind_policy soft
> pam_lookup_policy yes
> pam_password md5
> nss_initgroups_ignoreusers root,ldap
> nss_schema rfc2307bis
> nss_base_passwd ou=People,dc=insightsys,dc=com
> nss_base_shadow ou=People,dc=insightsys,dc=com
> nss_base_group ou=Group,dc=insightsys,dc=com
> nss_map_attribute uniqueMember member
> ssl no
> ldap_version 3
> pam_filter objectClass=posixAccount
> tls_checkpeer no
>
> And sssd.conf:
> guinness:/etc # grep -v "^#" /etc/sssd/sssd.conf|grep -v "^$"|grep -v "^;"
> [sssd]
> config_file_version = 2
> services = nss,pam
> domains = default
> [nss]
> filter_groups = root
> filter_users = root
> [pam]
> [domain/default]
> ldap_uri = ldap://ldap.isint
> ldap_search_base = ou=People,dc=insightsys,dc=com
> ldap_schema = rfc2307
> id_provider = ldap
> ldap_user_uuid = entryuuid
> ldap_group_uuid = entryuuid
> ldap_id_use_start_tls = False
> ldap_tls_reqcert = never
> enumerate = True
> cache_credentials = False
> chpass_provider = ldap
> auth_provider = ldap
>
> And nsswitch.conf:
> guinness:/etc # grep -v "^#" /etc/nsswitch.conf|grep -v "^$"
> passwd: compat sss
> group: files sss
> hosts: files mdns4_minimal [NOTFOUND=return] dns
> networks: files dns
> services: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> netgroup: files
> publickey: files
> bootparams: files
> automount: files nis
> aliases: files
>
> Any ideas?
>
> Thanks,
> Scott
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
--
Terror PUP a.k.a
Chuck "PUP" Payne
(678) 636-9678
-----------------------------------------
Discover it! Enjoy it! Share it! openSUSE Linux.
-----------------------------------------
openSUSE -- en.opensuse.org/User:Terrorpup
openSUSE Ambassador/openSUSE Member/Local Coordinator
Community Manager -- Southeast Linux Foundation (SELF)
skype,twitter,identica,friendfeed -- terrorpup
freenode(irc) --terrorpup/lupinstein
Register Linux Userid: 155363
Have you tried SUSE Studio? Need to create a Live CD, an app you want
to package and distribute, or create your own linux distro. Give SUSE
Studio a try. www.susestudio.com.
See you at Southeast Linux Fest, June 7-9, 2013 in Charlotte, NC.
www.southeastlinuxfest.org