SSSD Authentication
- by user24089
I just built a test server running OpenSuSE 12.1 and am trying to learn how configure sssd, but am not sure where to begin to look for why my config cannot allow me to authenticate.
server:/etc/sssd # cat sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam
domains = test.local
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
# Section created by YaST
[domain/mose.cc]
access_provider = ldap
ldap_uri = ldap://server.test.local
ldap_search_base = dc=test,dc=local
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = True
chpass_provider = krb5
auth_provider = krb5
krb5_realm = TEST.LOCAL
krb5_kdcip = server.test.local
server:/etc # cat ldap.conf
base dc=test,dc=local
bind_policy soft
pam_lookup_policy yes
pam_password exop
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
ssl start_tls
uri ldap://server.test.local
ldap_version 3
pam_filter objectClass=posixAccount
server:/etc # cat nsswitch.conf
passwd: compat sss
group: files sss
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files ldap
aliases: files
shadow: compat
server:/etc # cat krb5.conf
[libdefaults]
default_realm = TEST.LOCAL
clockskew = 300
[realms]
TEST.LOCAL = {
kdc = server.test.local
admin_server = server.test.local
database_module = ldap
default_domain = test.local
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[dbmodules]
ldap = {
db_library = kldap
ldap_kerberos_container_dn = cn=krbContainer,dc=test,dc=local
ldap_kdc_dn = cn=Administrator,dc=test,dc=local
ldap_kadmind_dn = cn=Administrator,dc=test,dc=local
ldap_service_password_file = /etc/openldap/ldap-pw
ldap_servers = ldaps://server.test.local
}
[domain_realm]
.test.local = TEST.LOCAL
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
clockskew = 300
external = sshd
use_shmem = sshd
}
If I log onto the server as root I can su into an ldap user, however if I try to console locally or ssh remotely I am unable to authenticate.
getent doesn't show the ldap entries for users, Im not sure if I need to look at LDAP, nsswitch, or what:
server:~ # ssh localhost -l test
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).
server:~ # su test
test@server:/etc> id
uid=1000(test) gid=100(users) groups=100(users)
server:~ # tail /var/log/messages
Nov 24 09:36:44 server login[14508]: pam_sss(login:auth): system info: [Client not found in Kerberos database]
Nov 24 09:36:44 server login[14508]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/ttyS1 ruser= rhost= user=test
Nov 24 09:36:44 server login[14508]: pam_sss(login:auth): received for user test: 4 (System error)
Nov 24 09:36:44 server login[14508]: FAILED LOGIN SESSION FROM /dev/ttyS1 FOR test, System error
server:~ # vi /etc/pam.d/common-auth
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_sss.so use_first_pass
server:~ # vi /etc/pam.d/sshd
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed
