[ale] ldap/nss/sssd login problems

Scott Plante splante at insightsys.com
Fri Jun 28 14:58:01 EDT 2013


For those that happen across this thread in the archives, and anyone else who cares, I was able to fix my login problem the other day by setting my nsswitch.conf like this: 
passwd: files ldap sss 
group: files ldap sss 
hosts: files mdns4_minimal [NOTFOUND=return] dns 
networks: files dns 
services: files ldap 
protocols: files 
rpc: files 
ethers: files 
netmasks: files 
netgroup: files ldap 
publickey: files 
bootparams: files 
automount: files 
aliases: files ldap 
passwd_compat: ldap sss 

Neither ldap nor sss worked on their own, but it seems the sss worked for the account info, and the ldap worked for authentication. 
Scott 

----- Original Message -----

From: "Chuck Payne" <terrorpup at gmail.com> 
To: "Atlanta Linux Enthusiasts" <ale at ale.org> 
Sent: Tuesday, June 25, 2013 12:05:57 PM 
Subject: Re: [ale] ldap/nss/sssd login problems 

Scott, 

You're best going to post this on the forum and join the openSUSE mailing list. 

Pup 

On Tue, Jun 25, 2013 at 11:39 AM, Scott Plante <splante at insightsys.com> wrote: 
> Well, I guess I found the problem. man sssd-ldap says: 
> 
> LDAP back end supports id, auth, access and chpass providers. If you 
> want to authenticate against an LDAP server either TLS/SSL or LDAPS is 
> required. sssd does not support authentication over an unencrypted channel. 
> If the LDAP server is used only as an identity provider, an encrypted 
> channel is not needed. 
> 
> 
> I'd been meaning to upgrade our LDAP--I suppose now I have the impetus to do 
> it. 
> 
> Scott 
> 
> ________________________________ 
> From: "Scott Plante" <splante at insightsys.com> 
> To: ale at ale.org 
> Sent: Monday, June 24, 2013 12:21:36 PM 
> Subject: [ale] ldap/nss/sssd login problems 
> 
> 
> I just installed OpenSUSE 12.3 on my development machine. We had been using 
> 11.3 and we authenticate via LDAP. I used YaST to set up the LDAP 
> authentication settings. 12.3 uses the newish sssd which either wasn't 
> available or at least we weren't using on 11.3. 
> 
> It is communicating with LDAP: I can see existing users, I can type these 
> commands successfully: 
> guinness:/etc # id splante 
> uid=20008(splante) gid=20000 groups=20000 
> guinness:/etc # su - splante 
> splante at guinness:~> pwd 
> /home/splante 
> 
> However, if I "su" again as non-root where it needs to check the password, 
> it fails. The splante user does not exist in /etc/passwd so the id command 
> is definitely seeing ldap. I believe I have TLS/SSL turned off in the LDAP 
> config, but I see this in /var/log/messages 
> 2013-06-24T12:07:33.671426-04:00 guinness sssd[be[default]]: Could not start 
> TLS encryption. unsupported extended operation 
> 2013-06-24T12:07:33.671640-04:00 guinness su: pam_sss(su:auth): 
> authentication failure; logname=root uid=20008 euid=0 tty=pts/2 
> ruser=splante rhost= user=splante 
> 2013-06-24T12:07:33.671990-04:00 guinness su: pam_sss(su:auth): received for 
> user splante: 9 (Authentication service cannot retrieve authentication info) 
> 2013-06-24T12:07:35.438192-04:00 guinness su: FAILED SU (to splante) root on 
> /dev/pts/2 
> 2013-06-24T12:07:38.439086-04:00 guinness su: pam_unix(su:session): session 
> closed for user splante 
> 2013-06-24T12:08:47.096406-04:00 guinness login: pam_unix(login:auth): 
> authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= 
> user=splante 
> 2013-06-24T12:08:47.268434-04:00 guinness sssd[be[default]]: Could not start 
> TLS encryption. unsupported extended operation 
> 2013-06-24T12:08:47.268693-04:00 guinness login: pam_sss(login:auth): 
> authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= 
> user=splante 
> 2013-06-24T12:08:47.269044-04:00 guinness login: pam_sss(login:auth): 
> received for user splante: 9 (Authentication service cannot retrieve 
> authentication info) 
> 2013-06-24T12:08:49.190951-04:00 guinness login: FAILED LOGIN 1 FROM tty1 
> FOR splante, Authentication service cannot retrieve authentication info 
> 
> My ldap.conf, less comments and blanks, looks like this: 
> guinness:/etc # grep -v "^#" /etc/ldap.conf|grep -v "^$" 
> base ou=People,dc=insightsys,dc=com 
> uri ldap://ldap.isint 
> rootbinddn cn=manager,dc=insightsys,dc=com 
> scope sub 
> bind_policy soft 
> pam_lookup_policy yes 
> pam_password md5 
> nss_initgroups_ignoreusers root,ldap 
> nss_schema rfc2307bis 
> nss_base_passwd ou=People,dc=insightsys,dc=com 
> nss_base_shadow ou=People,dc=insightsys,dc=com 
> nss_base_group ou=Group,dc=insightsys,dc=com 
> nss_map_attribute uniqueMember member 
> ssl no 
> ldap_version 3 
> pam_filter objectClass=posixAccount 
> tls_checkpeer no 
> 
> And sssd.conf: 
> guinness:/etc # grep -v "^#" /etc/sssd/sssd.conf|grep -v "^$"|grep -v "^;" 
> [sssd] 
> config_file_version = 2 
> services = nss,pam 
> domains = default 
> [nss] 
> filter_groups = root 
> filter_users = root 
> [pam] 
> [domain/default] 
> ldap_uri = ldap://ldap.isint 
> ldap_search_base = ou=People,dc=insightsys,dc=com 
> ldap_schema = rfc2307 
> id_provider = ldap 
> ldap_user_uuid = entryuuid 
> ldap_group_uuid = entryuuid 
> ldap_id_use_start_tls = False 
> ldap_tls_reqcert = never 
> enumerate = True 
> cache_credentials = False 
> chpass_provider = ldap 
> auth_provider = ldap 
> 
> And nsswitch.conf: 
> guinness:/etc # grep -v "^#" /etc/nsswitch.conf|grep -v "^$" 
> passwd: compat sss 
> group: files sss 
> hosts: files mdns4_minimal [NOTFOUND=return] dns 
> networks: files dns 
> services: files 
> protocols: files 
> rpc: files 
> ethers: files 
> netmasks: files 
> netgroup: files 
> publickey: files 
> bootparams: files 
> automount: files nis 
> aliases: files 
> 
> Any ideas? 
> 
> Thanks, 
> Scott 
> 
> _______________________________________________ 
> Ale mailing list 
> Ale at ale.org 
> http://mail.ale.org/mailman/listinfo/ale 
> See JOBS, ANNOUNCE and SCHOOLS lists at 
> http://mail.ale.org/mailman/listinfo 
> 
> 



-- 
Terror PUP a.k.a 
Chuck "PUP" Payne 

(678) 636-9678 
----------------------------------------- 
Discover it! Enjoy it! Share it! openSUSE Linux. 
----------------------------------------- 
openSUSE -- en.opensuse.org/User:Terrorpup 
openSUSE Ambassador/openSUSE Member/Local Coordinator 
Community Manager -- Southeast Linux Foundation (SELF) 
skype, twitter, identica, friendfeed -- terrorpup 
freenode(irc) --terrorpup/lupinstein 
Register Linux Userid: 155363 

Have you tried SUSE Studio? Need to create a Live CD, an app you want 
to package and distribute, or create your own Linux distro? Give SUSE 
Studio a try. www.susestudio.com. 
See you at Southeast Linux Fest, June 7-9, 2013 in Charlotte, NC. 
www.southeastlinuxfest.org 
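A check for the failure described in this thread, as an added example that is not part of the original posts or of the sssd project. It parses the [domain/...] section of an sssd.conf and, given the OIDs an LDAP server lists under rootDSE supportedExtension, reports why pam_sss authentication would fail: sssd requires TLS (StartTLS or ldaps://) for the auth and chpass providers no matter what ldap_id_use_start_tls says, since that option only governs identity lookups, so an ldap:// URI against a server that does not implement the StartTLS extended operation produces exactly the "Could not start TLS encryption. unsupported extended operation" line quoted above. The weak configuration is the thread's own domain section; the hardened configuration, the CA certificate path, and both server extension lists are assumptions constructed for the example.

```python
"""Audit sssd.conf LDAP domains for the TLS failure seen in the thread.

Added example; not code from the mailing-list posts or from the sssd project.
"""
import configparser

# StartTLS extended operation (RFC 4511 section 4.14). A server that does not
# advertise this OID in rootDSE supportedExtension answers a StartTLS request
# with "unsupported extended operation", which is what sssd logged above.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Constructed: the domain section Scott posted (id + auth over plain ldap://).
WEAK_CONF = """
[sssd]
config_file_version = 2
services = nss,pam
domains = default
[domain/default]
ldap_uri = ldap://ldap.isint
ldap_search_base = ou=People,dc=insightsys,dc=com
ldap_schema = rfc2307
id_provider = ldap
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
auth_provider = ldap
chpass_provider = ldap
"""

# Constructed: the same domain moved to ldaps:// with certificate verification.
# The CA path is an assumption for the example.
HARDENED_CONF = """
[sssd]
config_file_version = 2
services = nss,pam
domains = default
[domain/default]
ldap_uri = ldaps://ldap.isint
ldap_search_base = ou=People,dc=insightsys,dc=com
ldap_schema = rfc2307
id_provider = ldap
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/isint-ca.pem
auth_provider = ldap
chpass_provider = ldap
"""

# Constructed rootDSE supportedExtension values: an old server that offers only
# the Password Modify operation, and a server that also offers StartTLS.
OLD_SERVER_EXTENSIONS = ["1.3.6.1.4.1.4203.1.11.1"]
TLS_SERVER_EXTENSIONS = OLD_SERVER_EXTENSIONS + [STARTTLS_OID]


def audit_sssd(conf_text, supported_extensions):
    """Return (severity, section, message) findings for every [domain/*] section.

    An empty list means LDAP auth will not hit the StartTLS failure and the
    channel is both encrypted and verified.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        # auth_provider/chpass_provider = ldap always go over TLS in sssd.
        uses_ldap_auth = "ldap" in (d.get("auth_provider", ""), d.get("chpass_provider", ""))
        id_tls = d.getboolean("ldap_id_use_start_tls", fallback=False)
        reqcert = d.get("ldap_tls_reqcert", "hard").strip().lower()
        for uri in d.get("ldap_uri", "").split():
            if uri.lower().startswith("ldaps://"):
                continue  # TLS from the first byte; StartTLS is not involved
            if uses_ldap_auth and STARTTLS_OID not in supported_extensions:
                findings.append(("error", section,
                    f"auth/chpass over {uri} requires StartTLS, but the server does not "
                    f"advertise {STARTTLS_OID}; use ldaps:// or enable StartTLS on the server"))
            if not id_tls:
                findings.append(("warn", section,
                    f"identity lookups over {uri} are cleartext (ldap_id_use_start_tls is false)"))
        if reqcert in ("never", "allow"):
            findings.append(("warn", section,
                f"ldap_tls_reqcert = {reqcert} skips server certificate verification, "
                f"so TLS here does not stop an active attacker"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} config against the old server ==")
        for sev, sec, msg in audit_sssd(conf, OLD_SERVER_EXTENSIONS) or [("ok", "-", "no findings")]:
            print(f"{sev:5} {sec}: {msg}")
```

To feed the audit with real data, read the server's advertised operations with `ldapsearch -x -H ldap://ldap.isint -s base -b '' supportedExtension` and pass the returned OIDs in place of the constructed list. Two caveats a practitioner would want alongside the thread's final fix: `ldap_tls_reqcert = never` makes the encrypted channel worthless against an active attacker, so once the server does speak TLS, point `ldap_tls_cacert` at the CA and set `demand`; and /etc/nsswitch.conf only controls name and group lookups, the password check itself runs through the PAM stack (pam_sss or pam_ldap in common-auth on openSUSE), so after changing nsswitch.conf, confirm which PAM module actually validated the password by reading the `pam_sss(...)` or `pam_ldap(...)` lines in /var/log/messages.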
