LinuxQuestions.org > Forums > Linux Forums > Linux - Server
05-25-2011, 09:21 AM   #1
inelken (LQ Newbie, registered May 2011)
problems with ldap logins


I have a small network with 12 machines, all served by a single server running 389-ds. On one client machine, I don't see LDAP users.
I run Fedora 14 (updated as of today). I used authconfig for configuration, with LDAP and TLS for user authentication. ldapsearch returns values correctly, but getent passwd doesn't return LDAP users (only local users). Local logins are fine. On the server, I can see messages going to and from the problematic machine.

When I try to ssh to an ldap user (tnevo), I get in /var/log/secure:
May 25 16:35:12 poetry sshd[9474]: Invalid user tnevo from ::1
May 25 16:35:12 poetry sshd[9475]: input_userauth_request: invalid user tnevo
May 25 16:35:42 poetry sshd[9474]: pam_unix(sshd:auth): check pass; user unknown
May 25 16:35:42 poetry sshd[9474]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=poetry.ls.huji.ac.il
May 25 16:35:42 poetry sshd[9474]: pam_succeed_if(sshd:auth): error retrieving information about user tnevo
May 25 16:35:43 poetry sshd[9474]: Failed password for invalid user tnevo from ::1 port 48132 ssh2
May 25 16:35:45 poetry sshd[9475]: Connection closed by ::1

/etc/nsswitch.conf (I manually added ldap to the passwd/shadow/group entries; it didn't help):
passwd: files ldap sss
shadow: files ldap sss
group: files ldap sss

hosts: files dns

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files sss

publickey: nisplus

automount: files ldap
aliases: files nisplus



/etc/ldap.conf:
base dc=nelkenlab
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse
uri ldap://astronomy.ls.huji.ac.il
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5

/etc/openldap/ldap.conf:
URI ldap://astronomy.ls.huji.ac.il
BASE dc=nelkenlab
TLS_CACERT /etc/openldap/cacerts/cacert.asc
TLS REQCERT allow

TLS_CACERTDIR /etc/openldap/cacerts

/etc/pam.d/system_auth:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
 
05-26-2011, 10:09 PM   #2
kbp (Senior Member, registered Aug 2009)
Have you compared /etc/nsswitch.conf against a working client ?
 
05-26-2011, 11:36 PM   #3
inelken (Original Poster)
It's identical, except for the ldap that I added to the passwd/groups/shadow lines. Didn't work with or without the ldap.
 
05-27-2011, 01:24 AM   #4
inelken (Original Poster)
Yet another bit of information:
I set the /etc/nsswitch.conf file back to its authconfig-configured form, using
passwd files sss
and so on.
I ran on a 'good' client and on the problematic client
strace getent passwd tnevo
(tnevo is an ldap username)
There are slight differences between the two, but here is what may be the relevant output:

Good machine:
.
. (it accesses /etc/nsswitch.conf, looks at /etc/passwd and presumably fails to find tnevo, and then)
.
open("/lib/libnss_sss.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\n\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=14588, ...}) = 0
mmap2(NULL, 17324, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xeb4000
mmap2(0xeb8000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3) = 0xeb8000
close(3) = 0
munmap(0xb78c1000, 99473) = 0
getpid() = 27587
socket(PF_FILE, SOCK_STREAM, 0) = 3
fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
fcntl64(3, F_GETFD) = 0
fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
connect(3, {sa_family=AF_FILE, path="/var/lib/sss/pipes/nss"}, 110) = 0
poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}])
write(3, "\24\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}])
write(3, "\1\0\0\0", 4) = 4
poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "\24\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\0\0\0", 4) = 4
poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}])
write(3, "\26\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}])
write(3, "tnevo\0", 6) = 6
poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "P\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\0\0\0\0\0\0\0t\4\0\0\24\0\0\0tnevo\0*\0Nevo Taa"..., 64) = 64
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 3), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb78d9000
write(1, "tnevo:*:1140:20:Nevo Taaseh:/usr"..., 56tnevo:*:1140:20:Nevo Taaseh:/usr/people/tnevo:/bin/tcsh
) = 56

bad machine:
.
.
.
open("/lib/libnss_sss.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260\v\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=18184, ...}) = 0
mmap2(NULL, 16992, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xa5f000
mmap2(0xa63000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4) = 0xa63000
close(3) = 0
munmap(0xb788c000, 67928) = 0
getpid() = 15475
fstat64(-1, 0xbf8eabb8) = -1 EBADF (Bad file descriptor) ///Can this be the problem ???///
socket(PF_FILE, SOCK_STREAM, 0) = 3
fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
fcntl64(3, F_GETFD) = 0
fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
connect(3, {sa_family=AF_FILE, path="/var/lib/sss/pipes/nss"}, 110) = 0
fstat64(3, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}])
write(3, "\24\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}])
write(3, "\1\0\0\0", 4) = 4
poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "\24\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\0\0\0", 4) = 4
poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}])
write(3, "\26\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}])
write(3, "tnevo\0", 6) = 6
poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "\30\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "\0\0\0\0\0\0\0\0", 8) = 8
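The two traces above already contain the answer, if the bytes on the sssd socket are decoded rather than eyeballed. What follows is an added example (mine, not the poster's), decoding those replies with the layout of the sssd client protocol: a 16-byte header of four little-endian uint32 values (total length, command, status, reserved), command 0x01 for the version handshake both traces open with, and command 0x11 for the getpwnam request that carries "tnevo". The reply body for getpwnam starts with a result count, a reserved word, uid and gid, then five NUL-terminated strings. The good machine's body is cut off after "Nevo Taa" in the strace display, so its tail is reconstructed here from the passwd line getent printed on that machine; the bad machine's 8-byte body is copied verbatim. The fstat64(-1) EBADF the poster flags is not where the two runs diverge: both clients connect to /var/lib/sss/pipes/nss and get a well-formed reply (the two hosts run different builds of libnss_sss.so.2, per the differing st_size values, which is consistent with the extra fstat64 calls). The difference is that sssd on the bad machine answers with zero results, which points at sssd's own configuration rather than nsswitch or the socket.

```python
import struct

# Command numbers and the 16-byte header layout (len, cmd, status, reserved
# as little-endian uint32) are those of the sssd client protocol. Both traces
# above open with command 0x01 (version handshake) and then send 0x11 with
# the user name.
SSS_GET_VERSION = 0x01
SSS_NSS_GETPWNAM = 0x11
HEADER_LEN = 16

# Bytes copied from the strace lines in the post. The good machine's 64-byte
# body is truncated in the trace after "Nevo Taa", so its tail is
# reconstructed here from the passwd line getent printed on that machine:
#   tnevo:*:1140:20:Nevo Taaseh:/usr/people/tnevo:/bin/tcsh
GOOD_HDR = b"P\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0"
GOOD_BODY = (b"\1\0\0\0\0\0\0\0t\4\0\0\24\0\0\0"
             b"tnevo\0*\0Nevo Taaseh\0/usr/people/tnevo\0/bin/tcsh\0")
BAD_HDR = b"\30\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0"
BAD_BODY = b"\0\0\0\0\0\0\0\0"


def parse_header(hdr):
    """Return (total_length, command, status) from a 16-byte sssd header."""
    if len(hdr) != HEADER_LEN:
        raise ValueError("header must be %d bytes" % HEADER_LEN)
    length, cmd, status, _reserved = struct.unpack("<IIII", hdr)
    return length, cmd, status


def parse_getpwnam(hdr, body):
    """Decode a GETPWNAM reply.

    Returns a dict for the entry, or None when sssd answered but found no
    such user (result count of zero)."""
    length, cmd, status = parse_header(hdr)
    if cmd != SSS_NSS_GETPWNAM:
        raise ValueError("not a GETPWNAM reply: command %#x" % cmd)
    if status != 0:
        raise ValueError("sssd returned error status %d" % status)
    if length != HEADER_LEN + len(body):
        raise ValueError("length mismatch: header says %d, have %d"
                         % (length, HEADER_LEN + len(body)))
    num_results, _reserved = struct.unpack("<II", body[:8])
    if num_results == 0:
        return None
    uid, gid = struct.unpack("<II", body[8:16])
    # Five NUL-terminated strings follow: name, passwd, gecos, dir, shell.
    fields = body[16:].split(b"\0")
    if len(fields) < 5:
        raise ValueError("truncated passwd entry")
    name, passwd, gecos, home, shell = (f.decode() for f in fields[:5])
    return {"name": name, "passwd": passwd, "uid": uid, "gid": gid,
            "gecos": gecos, "dir": home, "shell": shell}


def format_passwd(entry):
    """Render an entry the way getent passwd prints it."""
    return "%(name)s:%(passwd)s:%(uid)d:%(gid)d:%(gecos)s:%(dir)s:%(shell)s" % entry


def diagnose(hdr, body):
    """Turn one reply into the conclusion a troubleshooter needs."""
    entry = parse_getpwnam(hdr, body)
    if entry is None:
        return ("sssd reachable, 0 results: nsswitch and the client socket are "
                "fine, look at sssd itself (sssd.conf, domain backend, its logs)")
    return "sssd returned " + format_passwd(entry)


if __name__ == "__main__":
    print("good machine:", diagnose(GOOD_HDR, GOOD_BODY))
    print("bad machine: ", diagnose(BAD_HDR, BAD_BODY))
```

The same decoding applies to any strace of a libnss_sss client: a reply whose header carries a non-zero status, or a body whose count is zero, means the request reached sssd and it is sssd that has nothing to say, so the next stop is /etc/sssd/sssd.conf and /var/log/sssd/ rather than nsswitch.conf or PAM.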
 
05-27-2011, 03:03 AM   #5
inelken (Original Poster)
Solved!
Traced to a faulty /etc/sssd/sssd.conf file.
 
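The thread closes on "faulty /etc/sssd/sssd.conf" without saying what was wrong, and the poster's sssd.conf never appears. As an added example (mine, not from the thread), here is a small structural checker for sssd.conf against nsswitch.conf that covers the failure classes consistent with the traces above, where sssd answers but returns nothing: the nss responder not listed under services while nsswitch.conf routes passwd lookups to sss, a domain named in [sssd] with no matching [domain/...] section, an ldap domain missing its server or search base, and a file that is not root-owned mode 0600 (sssd 1.x refuses to start on such a file). The sample configurations are constructed: the server name and base DN come from the posted /etc/ldap.conf, while the sssd domain name "nelkenlab", the second domain "lab2" and all other values are assumptions. It also flags ldap_tls_reqcert set to never or allow, because the posted /etc/openldap/ldap.conf uses REQCERT allow, which tells the client to proceed with StartTLS even when the server certificate fails validation; passwords sent over that session are then only as protected as whoever answers on port 389.

```python
import configparser

# Constructed sample configurations (not the poster's sssd.conf, which the
# thread never shows). Server name and base DN are those in the posted
# /etc/ldap.conf; the domain names and everything else are assumed.
GOOD_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = nelkenlab

[nss]
filter_users = root,ldap,named,avahi

[domain/nelkenlab]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://astronomy.ls.huji.ac.il
ldap_search_base = dc=nelkenlab
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
ldap_tls_reqcert = demand
"""

# Three things wrong: the nss responder is not started, the second domain
# listed under [sssd] has no section, and certificate checking is disabled.
BAD_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = pam
domains = nelkenlab, lab2

[domain/nelkenlab]
id_provider = ldap
ldap_uri = ldap://astronomy.ls.huji.ac.il
ldap_search_base = dc=nelkenlab
ldap_tls_reqcert = allow
"""

# The authconfig-generated lines the poster restored in post #4.
NSSWITCH = "passwd: files sss\nshadow: files sss\ngroup: files sss\n"


def nss_sources(nsswitch_text, db="passwd"):
    """Sources listed for one database in nsswitch.conf, in lookup order."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(db + ":"):
            return line.split(":", 1)[1].split()
    return []


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def perms_ok(st_mode, st_uid):
    """sssd 1.x refuses a config file that is not root-owned mode 0600."""
    return st_uid == 0 and (st_mode & 0o777) == 0o600


def check_sssd_conf(conf_text, nsswitch_text):
    """Return a list of problems; an empty list means the structure looks sane."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    problems = []
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    services = _csv(cp.get("sssd", "services", fallback=""))
    domains = _csv(cp.get("sssd", "domains", fallback=""))
    if "sss" in nss_sources(nsswitch_text) and "nss" not in services:
        problems.append("nsswitch.conf sends passwd lookups to sss, but "
                        "[sssd] services does not start the nss responder")
    if not domains:
        problems.append("[sssd] domains is empty: no identity backend will run")
    for dom in domains:
        sec = "domain/" + dom
        if not cp.has_section(sec):
            problems.append("domain %r is listed but there is no [%s] section"
                            % (dom, sec))
            continue
        provider = cp.get(sec, "id_provider", fallback=None)
        if provider is None:
            problems.append("[%s] has no id_provider" % sec)
        elif provider == "ldap":
            # Policy of this checker: an ldap domain should name its server
            # and search base explicitly rather than rely on discovery.
            for key in ("ldap_uri", "ldap_search_base"):
                if not cp.has_option(sec, key):
                    problems.append("[%s] ldap backend without %s" % (sec, key))
            if cp.get(sec, "ldap_tls_reqcert", fallback="hard") in ("never", "allow"):
                problems.append("[%s] ldap_tls_reqcert accepts unverifiable "
                                "server certificates" % sec)
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_SSSD_CONF), ("bad", BAD_SSSD_CONF)):
        print(label, check_sssd_conf(text, NSSWITCH) or ["ok"])
```

To run it against a real client, read /etc/sssd/sssd.conf and /etc/nsswitch.conf into the two strings and feed os.stat(path).st_mode and .st_uid to perms_ok; pair it with "getent passwd <user>" and sssd's own logs under /var/log/sssd/ before touching nsswitch.conf again, since the strace in post #4 shows the lookup did reach sssd.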
All times are GMT -5.