
List:       sssd-users
Subject:    [SSSD-users] Authentication failure on CentOS Stream 8
From:       Alan Orth <alan.orth@gmail.com>
Date:       2022-05-19 12:24:49
Message-ID: <CAKKdN4Uv5YEwYhx8zTvLr0hx6=3seGV322LEOkGg7bCgESvDGg@mail.gmail.com>


Dear list,

I am using SSSD 2.6.2 on CentOS Stream 8 to authenticate against a 389
directory server over LDAP. Both `getent` and `id` are working, as is
key-based SSH. Anything requiring a password, like ssh and sudo, doesn't
work. The 389 directory server is running on CentOS 7, and other CentOS 7
clients can authenticate and sudo just fine (they were set up with
authconfig).

Here is an excerpt from /var/log/secure while trying to SSH with a password
and sudo after logging in with an SSH key:

May 19 14:49:16 server05 sshd[79520]: Connection from x.x.x.x port 58272 on x.x.x.x port 22
May 19 14:49:19 server05 sshd[79520]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=myuser
May 19 14:49:21 server05 sshd[79520]: Failed password for myuser from x.x.x.x port 58272 ssh2
May 19 14:53:00 server05 sudo[122435]: pam_unix(sudo:auth): authentication failure; logname=myuser uid=751 euid=0 tty=/dev/pts/4 ruser=myuser rhost=  user=myuser
May 19 14:53:05 server05 sudo[122435]: pam_unix(sudo:auth): conversation failed
May 19 14:53:05 server05 sudo[122435]: pam_unix(sudo:auth): auth could not identify password for [myuser]
May 19 14:53:07 server05 sudo[122435]:   myuser : 1 incorrect password attempt ; TTY=pts/4 ; PWD=/home/myuser ; USER=root ; COMMAND=/bin/su -

I have followed the SSSD troubleshooting guide ¹ and it seems there is
something wrong with pam_sss, but I can't figure it out. I used `authselect
select sssd` to configure PAM and have not modified any settings. The
configuration seems to be valid:

# authselect check
Current configuration is valid.

And here is the auth part of the PAM system-auth stack:

# grep '^auth' /etc/pam.d/system-auth
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

Enabling `debug_level = 6` for sssd, domain/default, nss, and pam has not
helped me find anything out of place.

Does anyone have an idea of what to look for in the logs, or what else I
can try?

Thank you,

 ¹ https://sssd.io/troubleshooting/basics.html
-- 
Alan Orth
alan.orth@gmail.com
https://picturingjordan.com
https://englishbulgaria.net
https://mjanja.ch
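Added example, not part of Alan's message or of SSSD/authselect: a small Python model of how Linux-PAM walks the `auth` stack quoted above, so the effect of the `[default=1 ignore=ignore success=ok]` controls can be seen without a live box. It assumes that pam_usertype's `isregular` test fails for UIDs below UID_MIN (1000 in a stock CentOS 8 /etc/login.defs), that pam_localuser succeeds only for names present in /etc/passwd, and that pam_unix and pam_sss verify local and directory passwords respectively; module outcomes are simulated, nothing on the host is consulted. What it shows: a directory user whose UID is below UID_MIN (the sudo line above reports uid=751) is routed past pam_localuser into pam_unix and then past pam_sss straight into pam_deny, which produces exactly the log shape above (pam_unix failures, no pam_sss entry). Whether that is the cause on a real host depends on the actual UID_MIN and UID; the model only shows which stack path yields that pattern.

```python
"""Model of Linux-PAM control-flag semantics for the authselect 'sssd'
system-auth stack quoted in the message (added example, not from the post).

Assumptions: pam_usertype isregular succeeds only for uid >= UID_MIN;
pam_localuser succeeds only for /etc/passwd users; pam_unix checks local
passwords and pam_sss checks directory passwords. Nothing on the host is read.
"""
from dataclasses import dataclass

UID_MIN = 1000  # assumed /etc/login.defs UID_MIN on a stock CentOS 8 host


@dataclass
class User:
    name: str
    uid: int
    is_local: bool      # has an entry in /etc/passwd
    password_ok: bool   # the supplied password is the user's real password


# The auth lines of /etc/pam.d/system-auth from the message: (control, module, args)
SYSTEM_AUTH = [
    ("required", "pam_env.so", ""),
    ("required", "pam_faildelay.so", "delay=2000000"),
    ("[default=1 ignore=ignore success=ok]", "pam_usertype.so", "isregular"),
    ("[default=1 ignore=ignore success=ok]", "pam_localuser.so", ""),
    ("sufficient", "pam_unix.so", "nullok"),
    ("[default=1 ignore=ignore success=ok]", "pam_usertype.so", "isregular"),
    ("sufficient", "pam_sss.so", "forward_pass"),
    ("required", "pam_deny.so", ""),
]


def simulate_module(module: str, args: str, user: User) -> str:
    """Return a simulated PAM return-value name for one module (assumptions above)."""
    if module in ("pam_env.so", "pam_faildelay.so"):
        return "success"                      # these do not fail in practice
    if module == "pam_usertype.so" and args == "isregular":
        return "success" if user.uid >= UID_MIN else "auth_err"
    if module == "pam_localuser.so":
        return "success" if user.is_local else "user_unknown"
    if module == "pam_unix.so":
        return "success" if user.is_local and user.password_ok else "auth_err"
    if module == "pam_sss.so":
        return "success" if not user.is_local and user.password_ok else "auth_err"
    if module == "pam_deny.so":
        return "auth_err"
    raise ValueError(f"no model for {module}")


def run_stack(stack, user: User):
    """Walk the stack with PAM semantics for required/sufficient/[...] controls.
    Returns (final_result, trace); the trace lists every module that actually ran."""
    trace = []
    failed = False   # a 'required' failure is remembered until the stack ends
    i = 0
    while i < len(stack):
        control, module, args = stack[i]
        rv = simulate_module(module, args, user)
        trace.append(f"{module} {args}".rstrip() + f" -> {rv}")
        if control == "required":
            failed = failed or rv != "success"
            i += 1
        elif control == "sufficient":
            if rv == "success" and not failed:
                trace.append("sufficient module succeeded -> PAM_SUCCESS")
                return "success", trace
            i += 1                            # a failing 'sufficient' is ignored
        else:
            # Bracketed control: map the return value to an action. An integer
            # action N means "skip the next N modules"; 'ok'/'ignore' just continue.
            actions = dict(tok.split("=") for tok in control.strip("[]").split())
            action = actions.get(rv, actions["default"])
            if action.isdigit():
                skipped = ", ".join(m for _, m, _ in stack[i + 1:i + 1 + int(action)])
                trace.append(f"  {rv} => default={action}: skipping {skipped}")
                i += 1 + int(action)
            else:
                i += 1
    return ("fail" if failed else "success"), trace


def ran(trace, module: str) -> bool:
    """True if the named module was actually invoked in a trace."""
    return any(line.startswith(module) for line in trace)


if __name__ == "__main__":
    # Constructed case: the directory user from the message, uid=751 per the sudo log line
    result, trace = run_stack(SYSTEM_AUTH, User("myuser", 751, is_local=False, password_ok=True))
    print("\n".join(trace))
    print("result:", result)
```

Running it prints the path for a uid-751 directory user: both `pam_usertype isregular` checks return auth_err, the first skips pam_localuser (so pam_unix runs and fails, as in /var/log/secure), the second skips pam_sss, and pam_deny ends the stack. Changing the UID to 5001 in the constructed `User` takes the other path: pam_localuser fails, pam_unix is skipped, and pam_sss returns success. A quick real-world check of the same idea is `grep UID_MIN /etc/login.defs` next to `id myuser`.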
