Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 08-27-2014, 03:47 AM   #1
nsp
Member
 
Registered: Jul 2006
Location: China
Distribution: Slackware
Posts: 68

Rep: Reputation: 15
ldap+sssd: login with RSA keys succeeds, but with UNIX password fails


Sorry for my English.

1. The ldap server I am using was established by my colleagues. There are several ldap clients (using nslcd) that work well.

2. I am building a new workstation with CentOS7. sssd is used rather than nslcd. I used
Code:
authconfig-tui
to configure ldap, with the same options as the other clients (without TLS).

3. ssh login with RSA keys works well, but login with a UNIX password fails. /var/log/secure says:
Code:
Aug 27 16:31:13 boron sshd[14034]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.100.231  user=zhaoj
Aug 27 16:31:13 boron sshd[14034]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "zhaoj"
Aug 27 16:31:15 boron sshd[14034]: Failed password for zhaoj from 172.16.100.231 port 50852 ssh2
Aug 27 16:31:18 boron sshd[14034]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "zhaoj"
Aug 27 16:31:21 boron sshd[14034]: Failed password for zhaoj from 172.16.100.231 port 50852 ssh2
Aug 27 16:31:23 boron sshd[14034]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "zhaoj"
Aug 27 16:31:25 boron sshd[14034]: Failed password for zhaoj from 172.16.100.231 port 50852 ssh2
Aug 27 16:31:25 boron sshd[14034]: Connection closed by 172.16.100.231 [preauth]
Aug 27 16:31:25 boron sshd[14034]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.100.231  user=zhaoj
I logged in with RSA keys, and then tried
Code:
sudo ls
I was told that the password was wrong:
Code:
sudo: 3 incorrect password attempts
/var/log/secure says:

Code:
Aug 27 16:29:04 boron sudo: pam_sss(sudo:auth): authentication failure; logname=zhaoj uid=523 euid=0 tty=/dev/pts/0 ruser=zhaoj rhost= user=zhaoj
Aug 27 16:29:04 boron sudo: pam_sss(sudo:auth): received for user zhaoj: 6 (Permission denied)
4. It looks like I forgot my password, but that's not the case.

Is it a problem with my configuration of ldap, sssd, or pam?

Any hints, suggestions or clues will be welcome.

Thank you for reading.


======= New 2014.08.28 06:15:53 UTC ==================
I tested "ldapsearch", which needs the ldap administrator's password, and it worked. Can I say that my ldap configuration is correct?

If it is, should I concentrate on sssd or pam?

Last edited by nsp; 08-28-2014 at 01:18 AM.
 
Old 08-27-2014, 07:57 AM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,636
Blog Entries: 4

Rep: Reputation: 3933
I think it told you plainly:
Quote:
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "zhaoj"
It didn't "succeed_if." Therefore, it failed with the standard error-message for password failure.

But, FYI, in any case, you don't want to use passwords anyhow. You always want to use certificates and to exclude the possibility of using passwords.

Last edited by sundialsvcs; 08-27-2014 at 07:58 AM.
 
Old 08-27-2014, 08:28 PM   #3
nsp
Member
 
Registered: Jul 2006
Location: China
Distribution: Slackware
Posts: 68

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by sundialsvcs View Post
I think it told you plainly:


It didn't "succeed_if." Therefore, it failed with the standard error-message for password failure.

But, FYI, in any case, you don't want to use passwords anyhow. You always want to use certificates and to exclude the possibility of using passwords.
Thank you, Sundialsvcs.

1. I guess it isn't the problem of "uid >= 1000", because of two things:
1.1 Once I changed 1000 to 500 in the files /etc/pam.d/*-auth and restarted sssd, the "uid" message line disappeared, but the "Failed password" line was still there.
1.2 I googled this, and another guy said "uid >= 1000" was just a warning message.
But still, I am not quite sure about this.

2. Sometimes people need "sudo", which needs passwords.

Any other clues?
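Added example (editor's code, not from the thread): a toy Python model of how libpam walks an auth stack, run against an approximation of the stack authconfig writes on a CentOS 7 sssd client. It shows that for a user with uid 523 (the uid in the sudo log above) the requisite pam_succeed_if line ends the sshd auth stack before pam_sss is ever asked, which is why /var/log/secure shows a pam_unix failure and the "uid >= 1000" message but no pam_sss line, and that lowering the threshold to 500, as in post #3, only moves the failure to pam_sss. The stack contents and the verdicts of pam_unix and pam_sss are assumptions passed in as parameters.

```python
from dataclasses import dataclass
from typing import List, Tuple

PAM_SUCCESS, PAM_AUTH_ERR = 0, 7  # libpam return codes

@dataclass
class Rule:
    control: str  # "required" | "requisite" | "sufficient"
    module: str   # module name plus arguments, as in /etc/pam.d/system-auth

# Constructed approximation of the auth stack authconfig writes on a CentOS 7
# sssd client; module options such as try_first_pass are left out.
AUTHCONFIG_STACK = [
    Rule("required", "pam_env.so"),
    Rule("sufficient", "pam_unix.so"),
    Rule("requisite", "pam_succeed_if.so uid >= 1000"),
    Rule("sufficient", "pam_sss.so"),
    Rule("required", "pam_deny.so"),
]

def run_auth_stack(stack: List[Rule], uid: int, unix_ok: bool = False,
                   sss_ok: bool = True) -> Tuple[int, List[str]]:
    """Return (result, modules consulted in order) for one password attempt.
    unix_ok / sss_ok stand in for the verdicts of pam_unix (local shadow
    entry) and pam_sss (LDAP bind via sssd); an LDAP-only user has no
    shadow entry, hence unix_ok defaults to False."""
    consulted: List[str] = []
    failed_required = False
    for rule in stack:
        name, *args = rule.module.split()
        consulted.append(name)
        if name == "pam_env.so":
            verdict = True
        elif name == "pam_unix.so":
            verdict = unix_ok
        elif name == "pam_succeed_if.so":   # args look like ["uid", ">=", "1000"]
            verdict = uid >= int(args[-1])
        elif name == "pam_sss.so":
            verdict = sss_ok
        else:
            verdict = False                 # pam_deny.so
        if rule.control == "sufficient" and verdict and not failed_required:
            return PAM_SUCCESS, consulted   # stack ends here with success
        if rule.control == "requisite" and not verdict:
            return PAM_AUTH_ERR, consulted  # stack ends here with failure
        if rule.control == "required" and not verdict:
            failed_required = True          # keep walking, result is failure
    return (PAM_AUTH_ERR if failed_required else PAM_SUCCESS), consulted
```

The sudo log shows pam_sss itself returning Permission denied, which this model does not explain. On a client configured without TLS, as this one was, one thing to check is that sssd by default refuses to send a password over an unencrypted LDAP connection (the override is ldap_auth_disable_tls_never_use_in_production), so the remedy is to enable TLS to the LDAP server rather than to disable that check.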