Help setting up SSSD on RedHat 7 server for use with OpenLDAP & vsftpd
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Help setting up SSSD on RedHat 7 server for use with OpenLDAP & vsftpd
First off, I'm new to SSSD, and still learning LDAP. Right now I'm attempting to set up a server so our users can authenticate in Filezilla to their OpenLDAP account using sssd on a RedHat 7 server. I'm getting errors, but not sure how to correct them. At first I was thinking that the error line "no uid provided for [dlemp] in domain [default] was the issue. It's weird though because above that in the log it clearly states that it's searching uid=dlemp.
I've been researching this off and on for a few days now, but I feel like I'm at a dead end. Anyone have any thoughts or suggestions on this? I'll post the errors and my sssd.conf file. If anyone wants to see any other files let me know. Thanks!
Code:
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=dlemp)(objectclass=inetOrgPerson)(&(cn=*)(!(cn=0))))][dc=CENSORED,dc=CENSORED].
Code:
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=dlemp,ou=People,dc=CENSORED,dc=CENSORED].
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uid]
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPassword]
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x7f254d509b70], connected[1], ops[0x7f254d59c030], ldap[0x7f254d506af0]
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_get_initgr_user] (0x4000): Storing the user
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_save_user] (0x0400): Save user
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_save_user] (0x4000): objectSID: not available for user
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_save_user] (0x0080): Failed to retrieve UUID [22][Invalid argument].
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_get_primary_name] (0x0400): Processing object dlemp
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_save_user] (0x0400): Processing user dlemp
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_save_user] (0x0020): no uid provided for [dlemp] in domain [default].
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_save_user] (0x0020): Failed to save user [dlemp]
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [ldb] (0x4000): cancel ldb transaction (nesting: 0)
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,Init group lookup failed
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x7f254d509b70], connected[1], ops[(nil)], ldap[0x7f254d506af0]
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
Forgot to mention, my ldapsearch command does complete successfully. So I'm not sure if it's a mapping issue between ldap/sssd/Filezilla, or what my issue is. Here's the ldapsearch command for reference...
Hi ostendali, thanks for the quick reply! Unfortunately I have been following that documentation pretty closely. It may not look like it from my current sssd.conf file, but I have been making tweaks, trying to get it to work. What other config files would you like to see?
Here's the error that's in my /var/log/secure log, it may lead to something:
Code:
Oct 14 13:40:02 localhost sshd[7437]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=CENSORED IP ADDRESS user=dlemp
Oct 14 13:40:02 localhost sshd[7437]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=CENSORED IP ADDRESS user=dlemp
Oct 14 13:40:02 localhost sshd[7437]: pam_sss(sshd:auth): received for user dlemp: 10 (User not known to the underlying authentication module)
Oct 14 13:40:04 localhost sshd[7437]: Failed password for dlemp from CENSORED IP ADDRESS port CENSORED ssh2
Oct 14 13:40:04 localhost sshd[7437]: Connection closed by CENSORED IP ADDRESS [preauth]
Hi ostendali, thanks for the quick reply! Unfortunately I have been following that documentation pretty closely. It may not look like it from my current sssd.conf file, but I have been making tweaks, trying to get it to work. What other config files would you like to see?
Here's the error that's in my /var/log/secure log, it may lead to something:
Code:
Oct 14 13:40:02 localhost sshd[7437]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=CENSORED IP ADDRESS user=dlemp
Oct 14 13:40:02 localhost sshd[7437]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=CENSORED IP ADDRESS user=dlemp
Oct 14 13:40:02 localhost sshd[7437]: pam_sss(sshd:auth): received for user dlemp: 10 (User not known to the underlying authentication module)
Oct 14 13:40:04 localhost sshd[7437]: Failed password for dlemp from CENSORED IP ADDRESS port CENSORED ssh2
Oct 14 13:40:04 localhost sshd[7437]: Connection closed by CENSORED IP ADDRESS [preauth]
yeah, I can see that the authentication fails with both sssd and pam_unix which means the auth system is not reading your configuration.
Can you post the content of your nsswitch.conf pls?
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files sss
shadow: files sss
group: files sss
#initgroups: files
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
I see your nsswitch is alright and configured correctly.
just a couple more details I need here.
can you provide:
1) default PAM config
2) /etc/openldap/ldap.conf
3) and last run "authconfig --test" to make sure your configuration is fine all over.
let's give it a try and see if we can locate the issue.
PS: I do have ldap/sssd configured on my systems and using them with no issue....
If I had to guess, I'd think it's something wonky with my sssd-ldap search filter. But I'm no expert, and it really could be anything. Here's the files you requested. Thanks!
1) default PAM config
Here's my pam.d/password-auth file, is that what you're looking for?
Code:
PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
2) /etc/openldap/ldap.conf
Code:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON off
URI ldaps://CENSORED/
BASE dc=CENSORED,dc=CENSORED
BINDDN cn=CENSORED,dc=CENSORED,dc=CENSORED
BINDPW CENSORED
nss_paged_results yes
3) and last run "authconfig --test" to make sure your configuration is fine all over.
Code:
[root@web ~]# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is enabled
LDAP+TLS is disabled
LDAP server = "ldaps://CENSORED/"
LDAP base DN = "dc=CENSORED,dc=CENSORED"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = "MYGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap range = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is sha256
pam_krb5 is disabled
krb5 realm = "CENSORED"
krb5 realm via dns is disabled
krb5 kdc = ""
krb5 kdc via dns is enabled
krb5 admin server = ""
pam_ldap is enabled
LDAP+TLS is disabled
LDAP server = "ldaps://CENSORED"
LDAP base DN = "dc=CENSORED,dc=CENSORED"
LDAP schema = "rfc2307bis"
pam_pkcs11 is disabled
use only smartcard for login is disabled
smartcard module = ""
smartcard removal action = ""
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
SMB workgroup = "MYGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
pam_sss is enabled by default
credential caching in SSSD is disabled
SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
IPAv2 server = ""
IPAv2 realm = ""
IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
well roughly all looks good from what I could see/check...
the only thing I am not sure about it if given the ldap cacert directory will suffice as in my configuration I had to specify the ca.crt for ldap.conf and sssd.conf (or pem bundle whatever you have actually). But I am not that sure if this is the cause. Maybe try to give the cert file (without removing the cacert directive which is already in the conf files).
Furthermore, checking closer your logs, it looks like pam_sss can't find/lookup the user dlemp. The user lookup is usually fetched from nss_ldap module, means pam_sss doesn't perform a full getpwnam()/getpwuid() lookup through the whole NSS stack.
try to run "getent passwd -s sss dlemp"
Also I am assuming you have already set PAM to yes in sshd.conf file right?
From the log symptoms it doesn't look like selinux/iptables issue but it is worth to check them as well.
Plus, I see your NIS domain empty.
Last edited by ostendali; 10-20-2015 at 11:24 AM.
Reason: adding more stuff
I added TLSCertificateFile /etc/openldap/cacerts/SERVERNAME.pem to the ldap.conf file.
Also added ldap_tls_cacert = /etc/openldap/cacerts/SERVERNAME.pem to the sssd.conf file.
PAM is set to yes.
Not really sure what the NIS domain is or if I need to set it up.
Running the command "getent passwd -s sss dlemp" doesn't do anything. Hope that helps!
I added TLSCertificateFile /etc/openldap/cacerts/SERVERNAME.pem to the ldap.conf file.
Also added ldap_tls_cacert = /etc/openldap/cacerts/SERVERNAME.pem to the sssd.conf file.
PAM is set to yes.
Not really sure what the NIS domain is or if I need to set it up.
Running the command "getent passwd -s sss dlemp" doesn't do anything. Hope that helps!
then the problem is definitely isolated to my previous comment "Furthermore, checking closer your logs, it looks like pam_sss can't find/lookup the user dlemp. The user lookup is usually fetched from nss_ldap module, means pam_sss doesn't perform a full getpwnam()/getpwuid() lookup through the whole NSS stack."
NIS domain is the domain name you use for ldaps://example.com, so NIS should be example.com (replacing your domain of course).
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
