[ale] ldap/nss/sssd login problems

Chuck Payne terrorpup at gmail.com
Tue Jun 25 12:05:57 EDT 2013


Scott,

You're best going to post this on the forum and join the openSUSE maillist.

Pup

On Tue, Jun 25, 2013 at 11:39 AM, Scott Plante <splante at insightsys.com> wrote:
> Well, I guess I found the problem. man sssd-ldap says:
>
>        LDAP back end supports id, auth, access and chpass providers. If you
> want to authenticate against an LDAP server either TLS/SSL or LDAPS is
> required.  sssd does not support authentication over an unencrypted channel.
> If the LDAP server is used only as an identity provider, an encrypted
> channel is not needed.
>
>
> I'd been meaning to upgrade our LDAP--I suppose now I have the impetus to do
> it.
>
> Scott
>
> ________________________________
> From: "Scott Plante" <splante at insightsys.com>
> To: ale at ale.org
> Sent: Monday, June 24, 2013 12:21:36 PM
> Subject: [ale] ldap/nss/sssd login problems
>
>
> I just installed OpenSUSE 12.3 on my development machine. We had been using
> 11.3 and we authenticate via LDAP. I used YaST to set up the LDAP
> authentication settings. 12.3 uses the newish sssd which either wasn't
> available or at least we weren't using on 11.3.
>
> It is communicating with LDAP: I can see existing users, I can type these
> commands successfully:
> guinness:/etc # id splante
> uid=20008(splante) gid=20000 groups=20000
> guinness:/etc # su - splante
> splante at guinness:~> pwd
> /home/splante
>
> However, if I "su" again as non-root where it needs to check the password,
> it fails. The splante user does not exist in /etc/passwd so the id command
> is definitely seeing ldap. I believe I have TLS/SSL turned off in the LDAP
> config, but I see this in /var/log/messages
> 2013-06-24T12:07:33.671426-04:00 guinness sssd[be[default]]: Could not start
> TLS encryption. unsupported extended operation
> 2013-06-24T12:07:33.671640-04:00 guinness su: pam_sss(su:auth):
> authentication failure; logname=root uid=20008 euid=0 tty=pts/2
> ruser=splante rhost= user=splante
> 2013-06-24T12:07:33.671990-04:00 guinness su: pam_sss(su:auth): received for
> user splante: 9 (Authentication service cannot retrieve authentication info)
> 2013-06-24T12:07:35.438192-04:00 guinness su: FAILED SU (to splante) root on
> /dev/pts/2
> 2013-06-24T12:07:38.439086-04:00 guinness su: pam_unix(su:session): session
> closed for user splante
> 2013-06-24T12:08:47.096406-04:00 guinness login: pam_unix(login:auth):
> authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
> user=splante
> 2013-06-24T12:08:47.268434-04:00 guinness sssd[be[default]]: Could not start
> TLS encryption. unsupported extended operation
> 2013-06-24T12:08:47.268693-04:00 guinness login: pam_sss(login:auth):
> authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
> user=splante
> 2013-06-24T12:08:47.269044-04:00 guinness login: pam_sss(login:auth):
> received for user splante: 9 (Authentication service cannot retrieve
> authentication info)
> 2013-06-24T12:08:49.190951-04:00 guinness login: FAILED LOGIN 1 FROM tty1
> FOR splante, Authentication service cannot retrieve authentication info
>
> My ldap.conf, less comments and blanks, looks like this:
> guinness:/etc # grep -v "^#" /etc/ldap.conf|grep -v "^$"
> base    ou=People,dc=insightsys,dc=com
> uri     ldap://ldap.isint
> rootbinddn      cn=manager,dc=insightsys,dc=com
> scope   sub
> bind_policy     soft
> pam_lookup_policy       yes
> pam_password    md5
> nss_initgroups_ignoreusers      root,ldap
> nss_schema      rfc2307bis
> nss_base_passwd ou=People,dc=insightsys,dc=com
> nss_base_shadow ou=People,dc=insightsys,dc=com
> nss_base_group  ou=Group,dc=insightsys,dc=com
> nss_map_attribute       uniqueMember member
> ssl     no
> ldap_version    3
> pam_filter      objectClass=posixAccount
> tls_checkpeer   no
>
> And sssd.conf:
> guinness:/etc # grep -v "^#" /etc/sssd/sssd.conf|grep -v "^$"|grep -v "^;"
> [sssd]
> config_file_version = 2
> services = nss,pam
> domains = default
> [nss]
> filter_groups = root
> filter_users = root
> [pam]
> [domain/default]
> ldap_uri = ldap://ldap.isint
> ldap_search_base = ou=People,dc=insightsys,dc=com
> ldap_schema = rfc2307
> id_provider = ldap
> ldap_user_uuid = entryuuid
> ldap_group_uuid = entryuuid
> ldap_id_use_start_tls = False
> ldap_tls_reqcert = never
> enumerate = True
> cache_credentials = False
> chpass_provider = ldap
> auth_provider = ldap
>
> And nsswitch.conf:
> guinness:/etc # grep -v "^#" /etc/nsswitch.conf|grep -v "^$"
> passwd: compat sss
> group:  files sss
> hosts:  files mdns4_minimal [NOTFOUND=return] dns
> networks:       files dns
> services:       files
> protocols:      files
> rpc:    files
> ethers: files
> netmasks:       files
> netgroup:       files
> publickey:      files
> bootparams:     files
> automount:      files nis
> aliases:        files
>
> Any ideas?
>
> Thanks,
> Scott
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>



--
Terror PUP a.k.a
Chuck "PUP" Payne

(678) 636-9678
-----------------------------------------
Discover it! Enjoy it! Share it! openSUSE Linux.
-----------------------------------------
openSUSE -- en.opensuse.org/User:Terrorpup
openSUSE Ambassador/openSUSE Member/Local Coordinator
Community Manager -- Southeast Linux Foundation (SELF)
skype,twitter,identica,friendfeed -- terrorpup
freenode(irc) --terrorpup/lupinstein
Register Linux Userid: 155363

Have you tried SUSE Studio? Need to create a Live CD,  an app you want
to package and distribute , or create your own linux distro. Give SUSE
Studio a try. www.susestudio.com.
See you at Southeast Linux Fest, June 7-9, 2013 in Charlotte, NC.
www.southeastlinuxfest.org
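The failure Scott quotes from sssd-ldap(5) is easy to spot mechanically: an `auth_provider = ldap` or `chpass_provider = ldap` domain whose `ldap_uri` is a cleartext `ldap://` URI will have sssd attempt StartTLS on the bind no matter what `ldap_id_use_start_tls` says (his log shows "Could not start TLS encryption" despite `ldap_id_use_start_tls = False`), and a server that does not offer the StartTLS extended operation answers "unsupported extended operation". The script below is an added example, not part of the thread and not sssd's own tooling; it is a hypothetical linter that checks an sssd.conf domain section for that condition (and for `ldap_tls_reqcert = never`, which disables server certificate checking), and it runs a small parser over the pam_sss and sssd lines from /var/log/messages to correlate StartTLS failures with authentication failures. The sample config and log lines are the ones posted in the thread, trimmed; the "fixed" config is a constructed contrast with `ldaps://`, `ldap_tls_reqcert = demand` and a placeholder CA path.

```python
"""Lint sssd.conf for LDAP authentication over a cleartext channel and
correlate the resulting sssd/pam_sss log lines. Hypothetical helper, not sssd code."""
import configparser
import re

# Constructed sample: the [domain/default] section from the thread, trimmed.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss,pam
domains = default

[domain/default]
ldap_uri = ldap://ldap.isint
ldap_search_base = ou=People,dc=insightsys,dc=com
id_provider = ldap
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
auth_provider = ldap
chpass_provider = ldap
"""

# Constructed contrast: LDAPS plus certificate verification (CA path is a placeholder).
FIXED_SSSD_CONF = """
[domain/default]
ldap_uri = ldaps://ldap.isint
ldap_search_base = ou=People,dc=insightsys,dc=com
id_provider = ldap
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/PLACEHOLDER-ca.pem
auth_provider = ldap
chpass_provider = ldap
"""

# Constructed sample: three lines from the thread's /var/log/messages excerpt.
SAMPLE_LOG = """\
2013-06-24T12:07:33.671426-04:00 guinness sssd[be[default]]: Could not start TLS encryption. unsupported extended operation
2013-06-24T12:07:33.671640-04:00 guinness su: pam_sss(su:auth): authentication failure; logname=root uid=20008 euid=0 tty=pts/2 ruser=splante rhost= user=splante
2013-06-24T12:07:33.671990-04:00 guinness su: pam_sss(su:auth): received for user splante: 9 (Authentication service cannot retrieve authentication info)
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text; interpolation is off because values may contain '%'."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def domain_findings(cfg):
    """Return {domain: [(code, message), ...]} for every [domain/...] section."""
    findings = {}
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        d = cfg[section]
        found = []
        ldap_auth = d.get("auth_provider") == "ldap" or d.get("chpass_provider") == "ldap"
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        cleartext = [u for u in uris if u.lower().startswith("ldap://")]
        # sssd-ldap(5): authentication needs TLS/SSL or LDAPS; with ldap:// sssd
        # will StartTLS on the bind regardless of ldap_id_use_start_tls.
        if ldap_auth and cleartext:
            found.append(("AUTH_NEEDS_TLS",
                          "auth/chpass over cleartext URI %s: server must offer StartTLS "
                          "or the URI must be ldaps://" % ", ".join(cleartext)))
        # reqcert=never skips certificate checks, so an impostor server would be accepted.
        if uris and d.get("ldap_tls_reqcert", "").strip().lower() == "never":
            found.append(("TLS_NO_PEER_CHECK",
                          "ldap_tls_reqcert = never disables server certificate verification"))
        findings[section.split("/", 1)[1]] = found
    return findings


STARTTLS_RE = re.compile(r"sssd\[be\[(?P<domain>[^\]]+)\]\]: Could not start TLS encryption")
PAM_SSS_RE = re.compile(r"pam_sss\((?P<svc>[^:]+):auth\): authentication failure;.*\buser=(?P<user>\S+)")


def scan_log(text):
    """Count sssd StartTLS failures and pam_sss auth failures; collect users/domains."""
    summary = {"starttls_failures": 0, "pam_sss_auth_failures": 0, "users": set(), "domains": set()}
    for line in text.splitlines():
        m = STARTTLS_RE.search(line)
        if m:
            summary["starttls_failures"] += 1
            summary["domains"].add(m.group("domain"))
        m = PAM_SSS_RE.search(line)
        if m:
            summary["pam_sss_auth_failures"] += 1
            summary["users"].add(m.group("user"))
    return summary


if __name__ == "__main__":
    for name, text in (("posted", SAMPLE_SSSD_CONF), ("fixed", FIXED_SSSD_CONF)):
        print(name, domain_findings(parse_sssd_conf(text)))
    print(scan_log(SAMPLE_LOG))
```

Run against the posted config the linter reports both findings for `default`; against the LDAPS variant it reports none. The log scanner pairs the one StartTLS failure in the `default` back end with the one pam_sss authentication failure for `splante`, which is the signature of this condition as opposed to a plain wrong-password failure.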

