02-16-2011, 10:16 PM
#1
LQ Newbie
Registered: Feb 2011
Posts: 3
sshd with sssd help needed
I hope that this is the correct forum to post this question.
I've configured sssd for LDAP/Kerberos authentication on an RHEL6 machine. This is working fine when a user authenticates to a tty, but when attempting to authenticate through ssh I just get an "Access Denied." However, local accounts can log in and authenticate through ssh. Also, getent passwd <account name> returns the proper values from the LDAP server.
I believe that the issue is when sshd calls PAM for authentication, but I can't seem to find where the breakdown is occurring. And yes, I did make sure that /etc/ssh/sshd_config has UsePAM set to yes.
I've looked through all the logs and don't see anything obvious. Has anyone seen this or does anyone have any suggestions on where to look?
Thank you in advance.
-Aaron
02-17-2011, 04:12 AM
#2
Member
Registered: Oct 2009
Location: Amsterdam
Distribution: CentOS,Fedora,Puppy
Posts: 62
ssh -vvvv, to be very verbose, should give you more information.
02-17-2011, 06:23 PM
#3
Senior Member
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 5.0(Lenny), Vista, XP , WIN7, Server 03/08
Posts: 1,270
There aren't any restrictions on who can log in in the configuration, are there? If you disable local account authentication and only have PAM, can you log in then with an LDAP account?
02-18-2011, 10:41 AM
#4
LQ Newbie
Registered: Feb 2011
Posts: 3
Original Poster
Thanks for the reply scheidel21.
There aren't any restrictions on who can log in that I'm aware of through sshd... where would I check other than the /etc/ssh/sshd.conf file?
If I disable local authentication I can still log in to the console with the LDAP users but can't log in through SSH.
@thegeek
Thanks for the reply... I've tried connecting with ssh -vvvvv and there isn't anything obvious shown. The LDAP lookup seems to occur and find the account, but the password comes back as incorrect and access is denied.
-Aaron
02-18-2011, 09:17 PM
#5
Senior Member
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 5.0(Lenny), Vista, XP , WIN7, Server 03/08
Posts: 1,270
Is the LDAP authentication for Active Directory in a Windows environment?
03-07-2011, 08:27 PM
#6
LQ Newbie
Registered: Mar 2011
Posts: 26
There are a couple things you should check. The first would be to examine /var/log/secure for activity while attempting to log in via SSH to an LDAP user. This will tell you if you're getting denied by pam_sss.so (or if pam_sss.so is returning an internal error).
If you're getting a denial or error from pam_sss.so, you probably want to turn on debug logging in /etc/sssd/sssd.conf by setting 'debug_level = 6' in the [domain/<domainname>] section. This will log to /var/log/sssd/sssd_<domainname>.log. Check this output for any problems (you can turn the debug level up to as high as 9, but it gets noisy).
Also, when you said logging into tty works, did you mean that literally, or did you mean GDM? If the latter, you may need to check whether /etc/pam.d/system-auth AND /etc/pam.d/password-auth mentions pam_sss.so.
If this doesn't help, or your look at the logs turns up an issue, please subscribe to https://fedorahosted.org/mailman/listinfo/sssd-devel and ask for help there.
--
Stephen Gallagher
Lead Developer, System Security Services Daemon
03-10-2011, 11:00 AM
#7
LQ Newbie
Registered: Feb 2011
Posts: 3
Original Poster
Thanks for the replies.
Yes, the backend LDAP server is a Windows AD server.
I had looked through all of the /var/log/secure entries and /var/log/sssd entries, but didn't find anything useful in there to indicate where the issue was.
The issue ended up being that I was unaware that RHEL6 uses not only /etc/pam.d/system-auth-ac but also /etc/pam.d/password-auth-ac for the ssh connection. Once I added the pam_sss.so entries into password-auth-ac, the authentication worked both on the console and also remotely through SSH.
This thread can be closed.
Thanks,
Aaron
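The resolution above (pam_sss.so present in system-auth but absent from the password-auth stack that sshd uses on RHEL 6) is easy to check mechanically. The following is an added example for this thread, not code from the posts or from the SSSD project: it verifies that every management group of a PAM stack loads pam_sss.so, and that sshd_config actually hands authentication to PAM. The function names (pam_has_sss, pam_missing_sss, sshd_uses_pam), the sample stack files and the sshd_config fragments are all constructed here so the script runs offline; on a real host you would point the functions at /etc/pam.d/system-auth, /etc/pam.d/password-auth (the symlinks to the -ac files) and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts or from SSSD):
# check that each PAM stack sshd can reach on RHEL 6 loads pam_sss.so, and that
# sshd_config enables PAM at all. The fix in post #7 was a pam_sss.so entry
# missing from password-auth while system-auth had it; these checks report
# exactly that kind of asymmetry.

# Exit 0 if STACK has an active (uncommented) line for management GROUP
# (auth, account, password or session) that loads pam_sss.so.
pam_has_sss() {
    stack=$1
    group=$2
    grep -Eq "^[[:space:]]*${group}[[:space:]].*pam_sss\.so" "$stack"
}

# Print the management groups of STACK that have no pam_sss.so line, one per
# line; exit 1 if any are missing, 0 if the stack is complete.
pam_missing_sss() {
    stack=$1
    rc=0
    for group in auth account password session; do
        if ! pam_has_sss "$stack" "$group"; then
            echo "$group"
            rc=1
        fi
    done
    return $rc
}

# Exit 0 if an sshd_config enables PAM. As in sshd, the first UsePAM keyword
# wins and keywords are case-insensitive; an absent keyword is treated as not
# enabled (the OpenSSH compiled-in default for UsePAM is no).
sshd_uses_pam() {
    awk 'tolower($1) == "usepam" { print tolower($2); exit }' "$1" | grep -qx yes
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed stack modelled on what authconfig writes for sssd on RHEL 6.
GOOD=$TMP/password-auth.good
cat > "$GOOD" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
session     optional      pam_sss.so
EOF

# Constructed local-only stack; the commented-out pam_sss line must not count.
BAD=$TMP/password-auth.bad
cat > "$BAD" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
#auth       sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
EOF

# Constructed sshd_config fragments: a commented keyword must be ignored, and
# only the first active UsePAM counts.
SSHD_OK=$TMP/sshd_config.ok
printf '#UsePAM no\nUsePAM yes\n' > "$SSHD_OK"
SSHD_NO=$TMP/sshd_config.no
printf 'UsePAM no\nUsePAM yes\n' > "$SSHD_NO"

for stack in "$GOOD" "$BAD"; do
    if missing=$(pam_missing_sss "$stack"); then
        echo "$(basename "$stack"): pam_sss.so present in every group"
    else
        echo "$(basename "$stack"): pam_sss.so missing from:" $missing
    fi
done
for cfg in "$SSHD_OK" "$SSHD_NO"; do
    if sshd_uses_pam "$cfg"; then
        echo "$(basename "$cfg"): UsePAM yes"
    else
        echo "$(basename "$cfg"): PAM not enabled, sshd will never reach pam_sss.so"
    fi
done
```

Run it as-is to see the constructed good and bad stacks reported; on a host, compare `pam_missing_sss /etc/pam.d/system-auth` against `pam_missing_sss /etc/pam.d/password-auth`, since a difference between the two is what produces "works on the console, fails over ssh".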
11-15-2012, 11:52 PM
#8
LQ Newbie
Registered: Nov 2012
Posts: 15
Hi Aaron, Stephen,
I am facing the same issue. But I can't get any output on the getent command. I have my LDAP searches working fine. Followed all steps in the Red Hat ref arch guide regarding SSSD/Kerberos/LDAP setup.
This is the entry in /var/log/secure:
Code:
Nov 15 23:31:38 ip-10-0-5-51 sshd[12410]: Invalid user test_user from 10.0.5.51
Nov 15 23:31:38 ip-10-0-5-51 sshd[12411]: input_userauth_request: invalid user test_user
Nov 15 23:31:43 ip-10-0-5-51 sshd[12410]: pam_unix(sshd:auth): check pass; user unknown
Nov 15 23:31:43 ip-10-0-5-51 sshd[12410]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.51
Nov 15 23:31:43 ip-10-0-5-51 sshd[12410]: pam_succeed_if(sshd:auth): error retrieving information about user test_user
Nov 15 23:31:45 ip-10-0-5-51 sshd[12410]: Failed password for invalid user test_user from 10.0.5.51 port 41190 ssh2
Nov 15 23:31:48 ip-10-0-5-51 sshd[12411]: Connection closed by 10.0.5.51
Nov 15 23:31:59 ip-10-0-5-51 sshd[12414]: Invalid user test1 from 10.0.5.51
Nov 15 23:31:59 ip-10-0-5-51 sshd[12415]: input_userauth_request: invalid user test1
Nov 15 23:32:03 ip-10-0-5-51 sshd[12414]: pam_unix(sshd:auth): check pass; user unknown
Nov 15 23:32:03 ip-10-0-5-51 sshd[12414]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.51
Nov 15 23:32:03 ip-10-0-5-51 sshd[12414]: pam_succeed_if(sshd:auth): error retrieving information about user test1
Nov 15 23:32:05 ip-10-0-5-51 sshd[12414]: Failed password for invalid user test1 from 10.0.5.51 port 41192 ssh2
Nov 15 23:32:07 ip-10-0-5-51 sshd[12415]: Connection closed by 10.0.5.51
Can anybody help getting a valid output on the getent command?
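The log in the post above shows a different failure from the one Aaron hit: "Invalid user" means sshd's own NSS lookup (getpwnam) failed before PAM was ever consulted, which is consistent with getent returning nothing, so pam_sss is not the first thing to debug. The following is an added example for this thread, not code from the posts or from the SSSD project: a small triage script that groups /var/log/secure lines by sshd process id and labels each attempt as an identity-resolution failure, a pam_sss denial, a PAM denial with no pam_sss report, or a success. The function names (attempt_pids, classify_attempt) are my own; the 12410 and 12414 attempts in the sample log are the lines from the post above, and the 12500 and 12600 attempts are constructed to show the other outcomes.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts or from SSSD):
# triage an extract of /var/log/secure by sshd PID. The 12410 and 12414
# attempts are the lines from post #8; the 12500 and 12600 attempts are
# constructed to show the remaining outcomes.

# Print the distinct sshd PIDs in LOGFILE that reached a decision.
attempt_pids() {
    grep -Eo 'sshd\[[0-9]+\]: (Invalid user|Accepted |Failed password|pam_sss\(sshd:auth\): authentication failure)' "$1" \
        | sed -E 's/^sshd\[([0-9]+)\].*/\1/' \
        | sort -u
}

# Print one verdict for the attempt handled by sshd process PID:
#   nss-unknown     sshd could not resolve the user through NSS, so PAM never
#                   saw a real account; fix "getent passwd <user>" first
#   pam-sss-denied  user resolved and pam_sss reported an authentication
#                   failure; raise debug_level in sssd.conf and read the
#                   sssd_<domain>.log
#   pam-denied      user resolved and the password was rejected without any
#                   pam_sss line; one cause is pam_sss.so missing from the
#                   stack sshd uses (the situation fixed in post #7)
#   accepted        login succeeded
#   unknown         no recognised line for that PID
classify_attempt() {
    logfile=$1
    pid=$2
    if grep -q "sshd\[$pid\]: Invalid user " "$logfile"; then
        echo nss-unknown
    elif grep -q "sshd\[$pid\]: pam_sss(sshd:auth): authentication failure" "$logfile"; then
        echo pam-sss-denied
    elif grep -q "sshd\[$pid\]: Accepted " "$logfile"; then
        echo accepted
    elif grep -q "sshd\[$pid\]: Failed password for " "$logfile"; then
        echo pam-denied
    else
        echo unknown
    fi
}

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Nov 15 23:31:38 ip-10-0-5-51 sshd[12410]: Invalid user test_user from 10.0.5.51
Nov 15 23:31:38 ip-10-0-5-51 sshd[12411]: input_userauth_request: invalid user test_user
Nov 15 23:31:43 ip-10-0-5-51 sshd[12410]: pam_unix(sshd:auth): check pass; user unknown
Nov 15 23:31:43 ip-10-0-5-51 sshd[12410]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.51
Nov 15 23:31:43 ip-10-0-5-51 sshd[12410]: pam_succeed_if(sshd:auth): error retrieving information about user test_user
Nov 15 23:31:45 ip-10-0-5-51 sshd[12410]: Failed password for invalid user test_user from 10.0.5.51 port 41190 ssh2
Nov 15 23:31:59 ip-10-0-5-51 sshd[12414]: Invalid user test1 from 10.0.5.51
Nov 15 23:32:03 ip-10-0-5-51 sshd[12414]: pam_succeed_if(sshd:auth): error retrieving information about user test1
Nov 15 23:32:05 ip-10-0-5-51 sshd[12414]: Failed password for invalid user test1 from 10.0.5.51 port 41192 ssh2
Nov 15 23:40:01 ip-10-0-5-51 sshd[12500]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.51  user=bob
Nov 15 23:40:02 ip-10-0-5-51 sshd[12500]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.51 user=bob
Nov 15 23:40:02 ip-10-0-5-51 sshd[12500]: pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)
Nov 15 23:40:04 ip-10-0-5-51 sshd[12500]: Failed password for bob from 10.0.5.51 port 41210 ssh2
Nov 15 23:41:10 ip-10-0-5-51 sshd[12600]: Accepted password for bob from 10.0.5.51 port 41212 ssh2
Nov 15 23:41:10 ip-10-0-5-51 sshd[12600]: pam_unix(sshd:session): session opened for user bob by (uid=0)
EOF

for pid in $(attempt_pids "$LOG"); do
    echo "sshd[$pid]: $(classify_attempt "$LOG" "$pid")"
done
```

Note that the pre-auth child (sshd[12411] here) logs its own lowercase "invalid user" line and is deliberately not counted as a separate attempt; only the parent PID that runs PAM carries the verdict.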