LDAP authentication failing on RHEL 6.2

abhisheks77 · 09-17-2017, 02:59 AM

Hello,

This is new server with RHEL 6.2. Except root, all users are supposed to be authenticated by LDAP

I made required changed on Master LDAP server and with authconfig and authconfig-tui command, I am able to join this host to LDAP server. I can do "id -a user" and get information of user and also, "ldapsearch -x" returns all output of accounts and hosts.

But even after, everything looks ok, login authentication is failing. Right now, Password Hashing Alogorithm is MD5. I tried changing it is SHA256 and SHA512, but no luck. Here are output of required files and logs. I am not getting any idea, where it is failing, or there is something specific to RHEL 6.2

Code:

[root@server01 ~]# cat /etc/ldap.conf
base dc=xyxyxy,dc=com
uri ldap://// ldap://wks1.clc.xyxyxy.com/
ssl no
tls_cacertfile /etc/ldap.crt

rootbinddn cn=server01,ou=Hosts,dc=ng,dc=nct,dc=org
bind_timelimit 5
bind_policy soft
timelimit 3
idle_timelimit 3600

pam_password md5
pam_filter objectclass=posixAccount

nss_base_passwd        ou=People,?one?isMemberOf=cn=server01,ou=Hosts,dc=ng,dc=nct,dc=org
nss_base_shadow        ou=People,?one?isMemberOf=cn=server01,ou=Hosts,dc=ng,dc=nct,dc=org
nss_base_group         ou=Group,?one
nss_base_netgroup      ou=Netgroup,?one
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
## sudoer-specific settings
sudoers_base   ou=sudoers,dc=xyxyxy,dc=com
sudoers_timed  false
sudoers_debug  0
tls_cacertdir /etc/openldap/cacerts
[root@server01 ~]#

[root@server01 ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
[root@server01 ~]#

[root@server01 ~]# cat /etc/nsswitch.conf | grep -v "#"


passwd:     files ldap
group:      files ldap
shadow:     files ldap

hosts:      files dns


bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   ldap

publickey:  nisplus

automount:  files
aliases:    files nisplus

sudoers:    ldap
[root@server01 ~]#

[root@server01 ~]# cat /etc/sssd/sssd.conf | grep -v "#"
[sssd]
config_file_version = 2
services = nss, pam

domains = default
[nss]

[pam]


[domain/default]
auth_provider = ldap
krb5_realm = EXAMPLE.COM
ldap_search_base = dc=xyxyxy,dc=com
id_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldap:////,ldap://wks1.clc.xyxyxy.com/
krb5_kdcip = kerberos.example.com
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts

[root@server01 ~]#

[root@ngnct-arl-tdrdb2 ~]# cat /etc/sssd/sssd.conf | grep -v "#"
[sssd]
config_file_version = 2
services = nss, pam

domains = default
[nss]

[pam]


[domain/default]
auth_provider = ldap
krb5_realm = EXAMPLE.COM
ldap_search_base = dc=xyxyxy,dc=com
id_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldap://// ldap://wks1.clc.xypoint.com/
krb5_kdcip = kerberos.example.com
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts

[root@server01 ~]#

From /var/log/secure -

Sep 16 14:25:47 server01 sshd[3082]: reverse mapping checking getaddrinfo for msag-w1.mosetp.com [192.168.69.21] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 16 14:25:52 server01 unix_chkpwd[3084]: password check failed for user (lucas)
Sep 16 14:25:52 server01 sshd[3082]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.69.21  user=lucas
Sep 16 14:25:52 server01 sshd[3082]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.69.21 user=lucas
Sep 16 14:25:52 server01 sshd[3082]: pam_sss(sshd:auth): received for user lucas: 10 (User not known to the underlying authentication module)
Sep 16 14:25:54 server01 sshd[3082]: Failed password for lucas from 192.168.69.21 port 57241 ssh2

On LDAP server side -

# server01, profile, xyxyxy.com
dn: cn=server01,ou=profile,dc=xyxyxy,dc=com
objectClass: top
objectClass: DUAConfigProfile
defaultSearchBase: dc=xyxyxy,dc=com
cn: server01
preferredServerList: wks1.ccc.xyxyxy.com
searchTimeLimit: 30
defaultSearchScope: one
bindTimeLimit: 10
followReferrals: TRUE
serviceSearchDescriptor: group:ou=Group,?one?
serviceSearchDescriptor: shadow:ou=People,?one?
serviceSearchDescriptor: netgroup:ou=netgroup,?one?
serviceSearchDescriptor: sudoers:ou=sudoers,?one?
serviceSearchDescriptor: user_attr:ou=People,?one?
serviceSearchDescriptor: passwd:ou=People,?one?isMemberOf=cn=server01,
 ou=Hosts,dc=ccc,dc=xyxyxy,dc=com
authenticationMethod: tls:simple
credentialLevel: proxy

TB0ne · 09-18-2017, 12:00 PM

Quote:

Originally Posted by abhisheks77

Hello,
This is new server with RHEL 6.2. Except root, all users are supposed to be authenticated by LDAP I made required changed on Master LDAP server and with authconfig and authconfig-tui command, I am able to join this host to LDAP server. I can do "id -a user" and get information of user and also, "ldapsearch -x" returns all output of accounts and hosts.

But even after, everything looks ok, login authentication is failing. Right now, Password Hashing Alogorithm is MD5. I tried changing it is SHA256 and SHA512, but no luck. Here are output of required files and logs. I am not getting any idea, where it is failing, or there is something specific to RHEL 6.2

Code:

[root@server01 ~]# cat /etc/ldap.conf
base dc=xyxyxy,dc=com
uri ldap://// ldap://wks1.clc.xyxyxy.com/
ssl no
tls_cacertfile /etc/ldap.crt

rootbinddn cn=server01,ou=Hosts,dc=ng,dc=nct,dc=org
bind_timelimit 5
bind_policy soft
timelimit 3
idle_timelimit 3600

pam_password md5
pam_filter objectclass=posixAccount

nss_base_passwd        ou=People,?one?isMemberOf=cn=server01,ou=Hosts,dc=ng,dc=nct,dc=org
nss_base_shadow        ou=People,?one?isMemberOf=cn=server01,ou=Hosts,dc=ng,dc=nct,dc=org
nss_base_group         ou=Group,?one
nss_base_netgroup      ou=Netgroup,?one
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
## sudoer-specific settings
sudoers_base   ou=sudoers,dc=xyxyxy,dc=com
sudoers_timed  false
sudoers_debug  0
tls_cacertdir /etc/openldap/cacerts
[root@server01 ~]#

[root@server01 ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
[root@server01 ~]#

[root@server01 ~]# cat /etc/nsswitch.conf | grep -v "#"


passwd:     files ldap
group:      files ldap
shadow:     files ldap

hosts:      files dns


bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   ldap

publickey:  nisplus

automount:  files
aliases:    files nisplus

sudoers:    ldap
[root@server01 ~]#

[root@server01 ~]# cat /etc/sssd/sssd.conf | grep -v "#"
[sssd]
config_file_version = 2
services = nss, pam

domains = default
[nss]

[pam]


[domain/default]
auth_provider = ldap
krb5_realm = EXAMPLE.COM
ldap_search_base = dc=xyxyxy,dc=com
id_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldap:////,ldap://wks1.clc.xyxyxy.com/
krb5_kdcip = kerberos.example.com
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts

[root@server01 ~]#

[root@ngnct-arl-tdrdb2 ~]# cat /etc/sssd/sssd.conf | grep -v "#"
[sssd]
config_file_version = 2
services = nss, pam

domains = default
[nss]

[pam]


[domain/default]
auth_provider = ldap
krb5_realm = EXAMPLE.COM
ldap_search_base = dc=xyxyxy,dc=com
id_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldap://// ldap://wks1.clc.xypoint.com/
krb5_kdcip = kerberos.example.com
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts

[root@server01 ~]#

From /var/log/secure -

Sep 16 14:25:47 server01 sshd[3082]: reverse mapping checking getaddrinfo for msag-w1.mosetp.com [192.168.69.21] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 16 14:25:52 server01 unix_chkpwd[3084]: password check failed for user (lucas)
Sep 16 14:25:52 server01 sshd[3082]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.69.21  user=lucas
Sep 16 14:25:52 server01 sshd[3082]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.69.21 user=lucas
Sep 16 14:25:52 server01 sshd[3082]: pam_sss(sshd:auth): received for user lucas: 10 (User not known to the underlying authentication module)
Sep 16 14:25:54 server01 sshd[3082]: Failed password for lucas from 192.168.69.21 port 57241 ssh2

On LDAP server side -

# server01, profile, xyxyxy.com
dn: cn=server01,ou=profile,dc=xyxyxy,dc=com
objectClass: top
objectClass: DUAConfigProfile
defaultSearchBase: dc=xyxyxy,dc=com
cn: server01
preferredServerList: wks1.ccc.xyxyxy.com
searchTimeLimit: 30
defaultSearchScope: one
bindTimeLimit: 10
followReferrals: TRUE
serviceSearchDescriptor: group:ou=Group,?one?
serviceSearchDescriptor: shadow:ou=People,?one?
serviceSearchDescriptor: netgroup:ou=netgroup,?one?
serviceSearchDescriptor: sudoers:ou=sudoers,?one?
serviceSearchDescriptor: user_attr:ou=People,?one?
serviceSearchDescriptor: passwd:ou=People,?one?isMemberOf=cn=server01,
 ou=Hosts,dc=ccc,dc=xyxyxy,dc=com
authenticationMethod: tls:simple
credentialLevel: proxy

First, have you contacted RHEL support? 6.2 is a supported version...using the RHEL support you're paying for (RIGHT?) is the best/quickest way to get this solved. Also, have you applied any patches from the RHEL network yet? If this is new 6.2, there are probably many things that need to be updated/patched/fixed before you can just use the server...again, without RHEL support you won't get these things.

And based on the error message, it would appear that DNS isn't resolving correctly. Have you checked things out there?

abhisheks77 · 09-18-2017, 12:06 PM

Unfortunately, we have RHEL support, but not for this one.
I have not applied any patches yet. I just downloaded iso, build server and installed required ldap rpms.
/etc/resolv.conf is correct and able to resolve LDAP master, so I can do ldapsearch and get query result

TB0ne · 09-18-2017, 01:10 PM

Quote:

Originally Posted by abhisheks77

Unfortunately, we have RHEL support, but not for this one.

That's not a problem...contact RHEL and they'll be happy to get this server under support. No reason not to.

Quote:

I have not applied any patches yet. I just downloaded iso, build server and installed required ldap rpms.

...and you WILL NOT apply any patches without a valid RHEL subscription. You can't get the Red Hat network to work without it, so go back and get support for the RHEL servers you're using, or load CentOS instead.

Quote:

/etc/resolv.conf is correct and able to resolve LDAP master, so I can do ldapsearch and get query result

The LDAP master isn't the issue....are you able to resolve ALL of the servers and machines? Did you read/understand this message that you posted?

Quote:

Originally Posted by abhisheks77

reverse mapping checking getaddrinfo for msag-w1.mosetp.com [192.168.69.21] failed

You have a bad DNS entry somewhere for that address.

abhisheks77 · 09-18-2017, 01:56 PM

We have support for physical servers, but this is on VMware, which requires bigger process for support and it is in progress.
So we have valid RHEL subscription, but not sure, what patches we are supposed to apply on this, which can fix this issue.

192.168.69.21 is IP address of my laptop from where I am trying to establish connection with putty. If I compare output of /var/log/secure from working (5.9) vs non-working (6.2) server, I can see below logs.

Working -

Code:

Sep 18 18:26:36 server02 sshd[3262]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.69.21  user=lucas
Sep 18 18:26:36 server02 sshd[3262]: Accepted password for lucas from 192.168.69.21 port 58300 ssh2
Sep 18 18:26:36 server02 sshd[3262]: pam_unix(sshd:session): session opened for user lucas by (uid=0)
Sep 18 18:26:48 server02 sshd[3262]: pam_unix(sshd:session): session closed for user lucas

Non-working -

Code:

Sep 18 11:05:41 server01 sshd[2142]: reverse mapping checking getaddrinfo for msag-w1.mosetp.com [192.168.69.21] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 18 11:05:45 server01 unix_chkpwd[2145]: password check failed for user (lucas)
Sep 18 11:05:45 server01 sshd[2142]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.69.21  user=lucas
Sep 18 11:05:46 server01 sshd[2142]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.69.21 user=lucas
Sep 18 11:05:46 server01 sshd[2142]: pam_sss(sshd:auth): received for user lucas: 10 (User not known to the underlying authentication module)
Sep 18 11:05:47 server01 sshd[2142]: Failed password for lucas from 192.168.69.21 port 52972 ssh2
Sep 18 11:05:51 server01 sshd[2143]: Received disconnect from 192.168.69.21: 13: Unable to authenticate

/etc/resolv.conf, /etc/nsswitch.conf and /etc/hosts are having similar entries in both servers. I don't see that reverse mapping and unix_chkpwd error in working logs.

TB0ne · 09-18-2017, 02:40 PM

Quote:

Originally Posted by abhisheks77

We have support for physical servers, but this is on VMware, which requires bigger process for support and it is in progress. So we have valid RHEL subscription, but not sure, what patches we are supposed to apply on this, which can fix this issue.

There is no 'bigger process for support'...you buy a license, period. If your server had 16 Xeons or one i7...doesn't matter. You pay for RHEL 6.2 and GET RHEL 6.2. And if you have a valid RHEL subscription, we're back to "Call Red Hat support and ask". Doesn't get more simple than that.

Quote:

192.168.69.21 is IP address of my laptop from where I am trying to establish connection with putty. If I compare output of /var/log/secure from working (5.9) vs non-working (6.2) server, I can see below logs.
Working -

Code:

Sep 18 18:26:36 server02 sshd[3262]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.69.21  user=lucas
Sep 18 18:26:36 server02 sshd[3262]: Accepted password for lucas from 192.168.69.21 port 58300 ssh2
Sep 18 18:26:36 server02 sshd[3262]: pam_unix(sshd:session): session opened for user lucas by (uid=0)
Sep 18 18:26:48 server02 sshd[3262]: pam_unix(sshd:session): session closed for user lucas

Non-working -

Code:

Sep 18 11:05:41 server01 sshd[2142]: reverse mapping checking getaddrinfo for msag-w1.mosetp.com [192.168.69.21] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 18 11:05:45 server01 unix_chkpwd[2145]: password check failed for user (lucas)
Sep 18 11:05:45 server01 sshd[2142]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.69.21  user=lucas
Sep 18 11:05:46 server01 sshd[2142]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.69.21 user=lucas
Sep 18 11:05:46 server01 sshd[2142]: pam_sss(sshd:auth): received for user lucas: 10 (User not known to the underlying authentication module)
Sep 18 11:05:47 server01 sshd[2142]: Failed password for lucas from 192.168.69.21 port 52972 ssh2
Sep 18 11:05:51 server01 sshd[2143]: Received disconnect from 192.168.69.21: 13: Unable to authenticate

/etc/resolv.conf, /etc/nsswitch.conf and /etc/hosts are having similar entries in both servers. I don't see that reverse mapping and unix_chkpwd error in working logs.

Right...so we're back to "the new server can't look up the name. And we're back (AGAIN) to "Call Red Hat support and use the support you claim to be paying for":
https://access.redhat.com/solutions/83933

abhisheks77 · 09-18-2017, 02:56 PM

I made an entry "UseDNS yes" in sssd_config and then "reverse mapping" error was gone. But still unix_chkpwd is complaining.

Code:

Sep 18 12:27:01 server01 unix_chkpwd[2384]: password check failed for user (lucas)
Sep 18 12:27:01 server01 sshd[2381]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.69.21  user=lucas
Sep 18 12:27:01 server01 sshd[2381]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.69.21 user=lucas
Sep 18 12:27:01 server01 sshd[2381]: pam_sss(sshd:auth): received for user lucas: 10 (User not known to the underlying authentication module)
Sep 18 12:27:04 server01 sshd[2381]: Failed password for lucas from 192.168.69.21 port 58301 ssh2
Sep 18 12:27:09 server01 sshd[2382]: Connection closed by 192.168.69.21

I will check with management, for support process.

TB0ne · 09-18-2017, 03:15 PM

Quote:

Originally Posted by abhisheks77

I made an entry "UseDNS yes" in sssd_config and then "reverse mapping" error was gone. But still unix_chkpwd is complaining.

Code:

Sep 18 12:27:01 server01 unix_chkpwd[2384]: password check failed for user (lucas)
Sep 18 12:27:01 server01 sshd[2381]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.69.21  user=lucas
Sep 18 12:27:01 server01 sshd[2381]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.69.21 user=lucas
Sep 18 12:27:01 server01 sshd[2381]: pam_sss(sshd:auth): received for user lucas: 10 (User not known to the underlying authentication module)
Sep 18 12:27:04 server01 sshd[2381]: Failed password for lucas from 192.168.69.21 port 58301 ssh2
Sep 18 12:27:09 server01 sshd[2382]: Connection closed by 192.168.69.21

I will check with management, for support process.

Read the "Question Guidelines"...looking up the error in the Red Hat knowledgebase yields:
https://bugzilla.redhat.com/show_bug.cgi?id=818642

....a NOTED, FIXED bug report for this for (amazingly) RHEL6. Which you don't have...since you claim to both have support and not have support, and haven't applied any of the fixes (because either you can or can't, not really clear), you should have when building the server.