LinuxQuestions.org
Forum: Linux - Server
#1  09-17-2013, 12:34 AM  kemistry (LQ Newbie)
SSSD Configuration Problem


Hello All

Hope I am not repeating a problem here. I am currently trying to configure SSSD on RHEL 6.4 to connect to an AD server. Everything works fine, as in I can authenticate against LDAP with my password over the secure port 636. As I would like to control authorization onto the server, I have put this into the sssd.conf file and have set the group up in AD:

access_provider = ldap
ldap_access_filter = memberOf=cn=AuthUsers,ou= ......

When I try again, my user is denied access, as in fact is everybody else:

pam_sss(sshd:account) access denied for user

In the logs I can see that the user is actually authenticating fine, but it is getting "access denied" errors in the /var/log/secure file.

I have many questions, but I just want to know: has anyone else found this issue? I am pretty confident that the configuration file is fine, but I am wondering if there is a known bug/workaround for this before I actually lose the plot with this :-P

K
 
#2  09-17-2013, 06:02 PM  custangro (Senior Member)
What do the "access denied" entries in the /var/log/secure file say specifically?

--C
 
#3  09-19-2013, 03:40 PM  kemistry (original poster)
Sorry for the delay on this; I have been away and didn't have access to the exact logs.

Here is some more info on the logs and setup. Output from /var/log/secure:

Sep 20 07:51:32 hp2654 sshd[12853]: Connection closed by 146.x.x.x
Sep 20 07:51:42 hp2654 sshd[12860]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldaphost.com user=rob
Sep 20 07:51:42 hp2654 sshd[12860]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldaphost.com user=rob
Sep 20 07:51:42 hp2654 sshd[12860]: pam_sss(sshd:account): Access denied for user rob: 6 (Permission denied)
Sep 20 07:51:42 hp2654 sshd[12860]: pam_tally2(sshd:account): unknown option: reset
Sep 20 07:51:42 hp2654 sshd[12860]: Failed password for rob from 146.x.x.x port 5xxx ssh2
Sep 20 07:51:42 hp2654 sshd[12863]: fatal: Access denied for user rob by PAM account configuration


PAM configuration for sssd.

[root@ldaphost pam.d]# grep sss *
fingerprint-auth:account [default=bad success=ok user_unknown=ignore] pam_sss.so
fingerprint-auth:session optional pam_sss.so
fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so
fingerprint-auth-ac:session optional pam_sss.so
password-auth:auth sufficient pam_sss.so use_first_pass
password-auth:account [default=bad success=ok user_unknown=ignore] pam_sss.so
password-auth:password sufficient pam_sss.so use_authtok
password-auth:session optional pam_sss.so
password-auth-ac:auth sufficient pam_sss.so use_first_pass
password-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so
password-auth-ac:password sufficient pam_sss.so use_authtok
password-auth-ac:session optional pam_sss.so
smartcard-auth:account [default=bad success=ok user_unknown=ignore] pam_sss.so
smartcard-auth:session optional pam_sss.so
smartcard-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so
smartcard-auth-ac:session optional pam_sss.so
system-auth:auth sufficient pam_sss.so use_first_pass
system-auth:account [default=bad success=ok user_unknown=ignore] pam_sss.so
system-auth:password sufficient pam_sss.so use_authtok
system-auth:session optional pam_sss.so
system-auth-ac:auth sufficient pam_sss.so use_first_pass
system-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so
system-auth-ac:password sufficient pam_sss.so use_authtok
system-auth-ac:session optional pam_sss.so
[root@ldaphost pam.d]#



[root@ldaphost pam.d]# grep sss /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
services: files sss
netgroup: files sss
[root@ldaphost pam.d]#

And finally, this is my full sssd.conf

[domain/default]
ldap_search_base = ou=Internal,ou=People,o=Identities
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldapserver.com:636
ldap_tls_cacertdir = /etc/openldap/cacerts
access_provider = ldap
ldap_access_filter = memberOf=cn=ldaphost,ou=Hosts,ou=UnixLDAP,ou=Applications,o=Identities
ldap_default_bind_dn = cn=AuthRHEL,ou=ServiceAccounts,ou=Admin,o=Identities
ldap_default_authtok_type = password
ldap_default_authtok = telecom1

[sssd]
services = nss, pam
config_file_version = 2

domains = default
[nss]

[pam]

debug_level = 7

[sudo]

[autofs]

[ssh]

[pac]



From the above messages, it is authenticating against the ldap server (fails locally). The problem seems to be around the access filter to restrict which users can connect. At the moment, every user is denied.

Please let me know if anyone sees anything here or if I am missing something.

K
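The log excerpt in this post is the useful diagnostic: pam_sss reports "authentication success" for sshd PID 12860 and then "Access denied" from the account stage for the same PID, so the password is accepted and the denial comes from SSSD's access provider, not from the credentials. The following Python script is an added example, not something from the thread: it correlates pam_sss auth and account messages per sshd PID in a constructed /var/log/secure sample (modelled on the lines posted; the second and third sessions, the addresses and the user alice are placeholders) and separates "authenticated but not authorised" from ordinary password failures. When every user on a host shows up as authz_denied at once, the cause is the access configuration rather than individual group membership.

```python
"""Correlate pam_sss auth/account results per sshd PID (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed /var/log/secure sample modelled on the lines posted above;
# PIDs 12901/12950, the addresses and user alice are placeholders.
SAMPLE_SECURE_LOG = """\
Sep 20 07:51:42 hp2654 sshd[12860]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldaphost.com user=rob
Sep 20 07:51:42 hp2654 sshd[12860]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldaphost.com user=rob
Sep 20 07:51:42 hp2654 sshd[12860]: pam_sss(sshd:account): Access denied for user rob: 6 (Permission denied)
Sep 20 07:51:42 hp2654 sshd[12860]: Failed password for rob from 146.0.0.1 port 5000 ssh2
Sep 20 07:52:10 hp2654 sshd[12901]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=rob
Sep 20 07:52:10 hp2654 sshd[12901]: Failed password for rob from 10.0.0.5 port 5001 ssh2
Sep 20 07:53:00 hp2654 sshd[12950]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
Sep 20 07:53:00 hp2654 sshd[12950]: Accepted password for alice from 10.0.0.5 port 5002 ssh2
"""

# Only pam_sss lines emitted by sshd matter here; pam_unix noise is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"pam_sss\(sshd:(?P<stage>auth|account)\): (?P<msg>.*)$"
)


def _user_of(msg):
    """Extract the user from either message form ('user=rob' or 'for user rob:')."""
    m = re.search(r"\buser=(\S+)", msg) or re.search(r"for user (\S+?):", msg)
    return m.group(1) if m else None


def classify_sessions(log_text):
    """Map sshd PID -> (user, outcome). outcome is 'auth_failed' (bad credentials),
    'authz_denied' (SSSD accepted the password, then the account stage denied),
    'auth_ok' (no pam_sss denial) or 'incomplete' (no auth result seen)."""
    records = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = records[m["pid"]]
        if rec.get("user") is None:
            rec["user"] = _user_of(m["msg"])
        if m["stage"] == "auth":
            rec["auth"] = "authentication success" in m["msg"]
        else:
            rec["account"] = not m["msg"].startswith("Access denied")
    result = {}
    for pid, rec in records.items():
        if rec.get("auth") is False:
            outcome = "auth_failed"
        elif rec.get("account") is False:
            outcome = "authz_denied"
        elif rec.get("auth"):
            outcome = "auth_ok"
        else:
            outcome = "incomplete"
        result[pid] = (rec.get("user"), outcome)
    return result


def authz_denials(log_text):
    """(user, pid) pairs whose password was accepted but who failed the access check."""
    return [(user, pid) for pid, (user, outcome) in classify_sessions(log_text).items()
            if outcome == "authz_denied"]


if __name__ == "__main__":
    for pid, (user, outcome) in classify_sessions(SAMPLE_SECURE_LOG).items():
        print(pid, user, outcome)
```

Run against the real file (for example `classify_sessions(open("/var/log/secure").read())`) the authz_denied bucket is the one to watch: it never appears during password guessing, so a burst of it across many users is a configuration regression, while a steady trickle for one user is the access filter doing its job.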
 
#4  09-19-2013, 07:54 PM  kemistry (original poster)
UPDATE:

I have found that by commenting out the line below in /etc/pam.d/password-auth, the authorization now works and my user is allowed in:

password-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so

Obviously there is still something up here. Any suggestions? The sss module is tripping somewhere but I can't see where :-(
 
#5  09-18-2016, 08:23 PM  dlin938 (LQ Newbie)
Quote (originally posted by kemistry):
UPDATE:

I have found that by commenting out the line below in /etc/pam.d/password-auth, the authorization now works and my user is allowed in:

password-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so

Obviously there is still something up here. Any suggestions? The sss module is tripping somewhere but I can't see where :-(

Hi, I am having exactly the same issue on CentOS 6.8. I configured AD authentication using SSSD + Kerberos.

Did you find out why the line

account [default=bad success=ok user_unknown=ignore] pam_sss.so

is interfering with the SSH login?
 
#6  09-18-2016, 08:38 PM  dlin938 (LQ Newbie)
The answer seems to be here:

http://thread.gmane.org/gmane.linux....sd.devel/14774

Quote:
For the others, my access provider is ldap and I didn't configure the
ldap_access_filter. If ldap_access_filter isn't configured and filter is in
the ldap_access_order (which is the default when it's not specified), all
users are denied access.

After having configured ldap_access_filter with a valid
memberOf=cn=authorizedUsersGroup, ou=... and added my users to this group
on the DC, everything works as expected.
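The explanation quoted in #6 matches SSSD's documented defaults: ldap_access_order defaults to filter, and when ldap_access_filter is empty the filter check refuses every user, which is the "everybody is denied" behaviour reported in #1 and #3. Note that the workaround in #4, commenting out the pam_sss account line, does not repair the filter; it removes the authorization step from the PAM stack entirely, so anyone with a valid directory password gets a login. The following Python model is an added example, not anything from the thread or from SSSD's own code. It parses an sssd.conf fragment laid out like the one posted in #3, applies the configured access order to constructed user entries (the hostnames, DNs and users are placeholders), and shows the deny-everyone case beside the working group filter. Its filter evaluator handles a small subset of RFC 4515 (and, or, not, equality, presence), which is enough for the memberOf filters discussed here; a bare `attr=value` without parentheses, as posted in #3 and in the gmane quote, is accepted as well.

```python
"""Offline model of SSSD's ldap access_provider decision (added example, not SSSD code).
Models the documented defaults: ldap_access_order defaults to "filter", and the
"filter" check denies every user when ldap_access_filter is unset."""
import configparser

# Constructed sssd.conf fragment; hostnames and DNs are placeholders.
CONF_NO_FILTER = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldapserver.example.com:636
"""
# Same domain plus the (unparenthesised) host group filter from the thread.
HOST_GROUP = "cn=ldaphost,ou=Hosts,ou=UnixLDAP,ou=Applications,o=Identities"
CONF_WITH_FILTER = CONF_NO_FILTER + f"ldap_access_filter = memberOf={HOST_GROUP}\n"

# Constructed user entries standing in for what SSSD fetches from the directory.
ROB = {"uid": ["rob"], "memberOf": [HOST_GROUP, "cn=staff,ou=Groups,o=Identities"]}
ALICE = {"uid": ["alice"], "memberOf": ["cn=staff,ou=Groups,o=Identities"]}


def _parse(s, i):
    """Recursive-descent parse of an RFC 4515 filter subset (&, |, !, equality,
    presence) starting at s[i] == '('; returns (node, index after the ')')."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i} in {s!r}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"unterminated {op} at {i}")
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"unterminated ! at {i}")
        return ("!", [node]), i + 1
    end = s.index(")", i)  # the DN values used here contain no ')'
    attr, sep, value = s[i:end].partition("=")
    if not sep:
        raise ValueError(f"unsupported filter item {s[i:end]!r}")
    return ("=", attr.strip(), value.strip()), end + 1


def _match(node, entry):
    """Evaluate a parsed filter against {attr: [values]}; equality is
    case-insensitive, a simplification of LDAP matching rules."""
    kind = node[0]
    if kind == "&":
        return all(_match(k, entry) for k in node[1])
    if kind == "|":
        return any(_match(k, entry) for k in node[1])
    if kind == "!":
        return not _match(node[1][0], entry)
    _, attr, value = node
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":
        return bool(values)  # presence filter
    return any(v.lower() == value.lower() for v in values)


def evaluate_filter(filt, entry):
    """True if entry matches filt; a bare 'attr=value' is wrapped in parentheses."""
    filt = filt.strip()
    if not filt.startswith("("):
        filt = f"({filt})"
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError(f"trailing data in filter {filt!r}")
    return _match(node, entry)


def ldap_access_decision(conf_text, domain, entry):
    """Return (decision, reason) for one user entry under [domain/<domain>]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    if sec.get("access_provider", "permit") != "ldap":  # SSSD's default is permit
        return ("skip", "access_provider is not ldap; not modelled here")
    order = [o.strip() for o in sec.get("ldap_access_order", "filter").split(",")]
    for check in order:
        if check != "filter":
            return ("unknown", f"check {check!r} not modelled here")
        filt = sec.get("ldap_access_filter", "").strip()
        if not filt:
            return ("deny", "ldap_access_filter unset: the filter check denies everyone")
        if not evaluate_filter(filt, entry):
            return ("deny", f"entry does not match {filt}")
    return ("permit", "all configured access checks passed")
```

Against the real directory the same question can be asked with ldapsearch, binding as the domain's ldap_default_bind_dn and searching ldap_search_base for `(&(uid=rob)(<ldap_access_filter>))`, with uid replaced by whatever ldap_user_name attribute the domain uses; an empty result means SSSD will deny that user. Two further points a reviewer would raise on the sssd.conf posted in #3: ldap_default_authtok holds the bind password in cleartext, so the file must stay root-owned with mode 0600 (SSSD refuses to start otherwise) and that service account should have read-only rights; and the filter is applied to the user's own entry, so membership inherited through nested groups does not satisfy a memberOf filter.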
 
  


All times are GMT -5.