|
sshd with sssd help needed
I hope that this is the correct forum to post this question.
I've configured sssd for ldap/kerberos authentication on an RHEL6 machine. This is working fine when a user authenticates to tty but when attempting to authenticate through ssh I just get an "Access Denied." However, local accounts can login and authenticate through ssh. Also, getent passwd account name returns the proper values from the ldap server. I believe that the issue is when the sshd calls PAM for authentication but can't seem to find where the breakdown is occurring? And yes, I did make sure that /etc/ssh/sshd_config has UsePAM set to yes. I've looked through all the logs and don't see anything obvious. Has anyone seen this or does anyone have any suggestions on where to look? Thank you in advance. -Aaron |
ssh -vvvv to be very verbose should give you more information
|
There aren't any restrictions on who can log in in the configuration is there? If you disable local account authentication and only have PAM can you log in then with an LDAP account.
|
Thanks for the reply scheidel21.
There aren't any restrictions on who can log in that I'm aware of through sshd... where would I check other than the /etc/ssh/sshd.conf file? If I disable local authentication I can still log in to the console with the LDAP users but can't log in through SSH. @thegeek Thanks for the reply... I've tried connecting with ssh -vvvvv and there isn't anything obvious shown. The LDAP look up seems to occur and find the account but the password comes back as incorrect and access is denied. -Aaron |
Is the LDAP authentication for Active Directory in a Windows environment?
|
There are a couple things you should check. The first would be to examine /var/log/secure for activity while attempting to log in via SSH to an LDAP user. This will tell you if you're getting denied by pam_sss.so (or if pam_sss.so is returning an internal error).
If you're getting a denial or error from pam_sss.so, you probably want to turn on debug logging in /etc/sssd/sssd.conf by setting 'debug_level = 6' in the [domain/<domainname>] section. This will log to /var/log/sssd/sssd_<domainname>.log. Check this output for any problems (you can turn the debug level up to as high as 9, but it gets noisy). Also, when you said logging into tty works, did you mean that literally, or did you mean GDM? If the latter, you may need to check whether /etc/pam.d/system-auth AND /etc/pam.d/password-auth mentions pam_sss.so. If this doesn't help, or your look at the logs turns up an issue, please subscribe to https://fedorahosted.org/mailman/listinfo/sssd-devel and ask for help there. -- Stephen Gallagher Lead Developer, System Security Services Daemon |
Thanks for the replies.
Yes, the backend LDAP server is a Windows AD server. I had looked through all of the /var/log/secure entries and /var/log/sssd entries, but did find anything useful in there to indicate where the issue was. The issue ended up being that I was unaware RHEL6 doesn't only use /etc/pam.d/system-auth-ac but also /etc/pam.d/password-auth-ac for the ssh connection. Once I added the pam_sss.so entries into password-auth-ac the authentication worked both on the console and also remotely through SSH. This thread can be closed. Thanks, Aaron |
Hi Aaron,Stephen
I am facing the same issue. But I cant get any output on the getent command. I have my ldap searches working fine. Followed all steps in the Red Hat ref arch guide regarding SSSD/Kerberos/LDAP setup. This is the entry in the var/log/secure : Code:
Nov 15 23:31:38 ip-10-0-5-51 sshd[12410]: Invalid user test_user from 10.0.5.51Can anybody help getting a valid ouptut on the getent command ? |
| All times are GMT -5. The time now is 08:02 AM. |