List: sssd-users
Subject: [SSSD-users] Authentication failure on CentOS Stream 8
From: Alan Orth <alan.orth@gmail.com>
Date: 2022-05-19 12:24:49
Message-ID: CAKKdN4Uv5YEwYhx8zTvLr0hx6=3seGV322LEOkGg7bCgESvDGg@mail.gmail.com
Dear list,
I am using SSSD 2.6.2 on CentOS Stream 8 to authenticate against a 389
directory server over LDAP. Both `getent` and `id` are working, as is
key-based SSH. Anything requiring a password doesn't work: like ssh and
sudo. The 389 directory server is running on CentOS 7 and other CentOS 7
clients can authenticate and sudo just fine (they were set up with
authconfig).
Here is an excerpt from /var/log/secure while trying to SSH with a password
and sudo after logging in with an SSH key:
May 19 14:49:16 server05 sshd[79520]: Connection from x.x.x.x port 58272 on x.x.x.x port 22
May 19 14:49:19 server05 sshd[79520]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=myuser
May 19 14:49:21 server05 sshd[79520]: Failed password for myuser from x.x.x.x port 58272 ssh2
May 19 14:53:00 server05 sudo[122435]: pam_unix(sudo:auth): authentication failure; logname=myuser uid=751 euid=0 tty=/dev/pts/4 ruser=myuser rhost= user=myuser
May 19 14:53:05 server05 sudo[122435]: pam_unix(sudo:auth): conversation failed
May 19 14:53:05 server05 sudo[122435]: pam_unix(sudo:auth): auth could not identify password for [myuser]
May 19 14:53:07 server05 sudo[122435]: myuser : 1 incorrect password attempt ; TTY=pts/4 ; PWD=/home/myuser ; USER=root ; COMMAND=/bin/su -
I have followed the SSSD troubleshooting guide ¹ and it seems there is
something wrong with pam_sss, but I can't figure it out. I used `authselect
select sssd` to configure PAM and have not modified any settings. The
configuration seems to be valid:
# authselect check
Current configuration is valid.
And here is the auth part of the PAM system-auth stack:
# grep '^auth' /etc/pam.d/system-auth
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so
Enabling `debug_level = 6` for sssd, domain/default, nss, and pam has not
helped me find anything out of place.
Does anyone have an idea of what to look for in the logs, or what else I
can try?
Thank you,
¹ https://sssd.io/troubleshooting/basics.html
--
Alan Orth
alan.orth@gmail.com
https://picturingjordan.com
https://englishbulgaria.net
https://mjanja.ch
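As an added example (not part of the post or of SSSD), the following script parses /var/log/secure lines of the shape shown above and groups the PAM module messages by module, service and phase. The sample lines are the poster's own excerpt, rejoined onto single lines; the regexes, the PamEvent record and the summary functions are this example's assumptions, not an SSSD or PAM API. Run on a real log, the per-module summary answers the poster's "what to look for" question at a glance: it shows which module actually produced each failure and whether pam_sss logged anything at all for the service in question.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Sample lines taken from the /var/log/secure excerpt in the post above,
# rejoined onto single lines (x.x.x.x is the poster's own redaction).
SAMPLE_SECURE_LOG = """\
May 19 14:49:16 server05 sshd[79520]: Connection from x.x.x.x port 58272 on x.x.x.x port 22
May 19 14:49:19 server05 sshd[79520]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=myuser
May 19 14:49:21 server05 sshd[79520]: Failed password for myuser from x.x.x.x port 58272 ssh2
May 19 14:53:00 server05 sudo[122435]: pam_unix(sudo:auth): authentication failure; logname=myuser uid=751 euid=0 tty=/dev/pts/4 ruser=myuser rhost= user=myuser
May 19 14:53:05 server05 sudo[122435]: pam_unix(sudo:auth): conversation failed
May 19 14:53:05 server05 sudo[122435]: pam_unix(sudo:auth): auth could not identify password for [myuser]
May 19 14:53:07 server05 sudo[122435]: myuser : 1 incorrect password attempt ; TTY=pts/4 ; PWD=/home/myuser ; USER=root ; COMMAND=/bin/su -
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# PAM module messages look like "pam_unix(sshd:auth): <text>"
PAM_RE = re.compile(
    r"^(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<pam_type>\w+)\): (?P<text>.*)$"
)
# key=value pairs; the value may be empty ("logname= ... rhost= user=myuser")
KV_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class PamEvent:
    ts: str
    host: str
    prog: str
    pid: Optional[str]
    module: str      # e.g. pam_unix, pam_sss
    service: str     # e.g. sshd, sudo
    pam_type: str    # auth, account, session, password
    text: str        # message with any key=value tail removed
    fields: dict = field(default_factory=dict)


def parse_secure_log(text):
    """Return one PamEvent per line carrying a PAM module message; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        p = PAM_RE.match(m["msg"])
        if not p:
            continue
        msg = p["text"]
        fields = {}
        # pam_unix's failure message carries key=value pairs after the first ';'
        if ";" in msg:
            head, _, tail = msg.partition(";")
            fields = dict(KV_RE.findall(tail))
            msg = head.strip()
        events.append(PamEvent(m["ts"], m["host"], m["prog"], m["pid"],
                               p["module"], p["service"], p["pam_type"], msg, fields))
    return events


def summarize_by_module(events):
    """Map (module, service, pam_type) -> list of message texts, in log order."""
    summary = defaultdict(list)
    for e in events:
        summary[(e.module, e.service, e.pam_type)].append(e.text)
    return dict(summary)


def modules_seen(events):
    """Sorted list of PAM modules that logged anything in the excerpt."""
    return sorted({e.module for e in events})


if __name__ == "__main__":
    evs = parse_secure_log(SAMPLE_SECURE_LOG)
    for key, texts in summarize_by_module(evs).items():
        print(key, "->", texts)
    print("modules that logged:", modules_seen(evs))
```

On the excerpt from the post the summary contains only pam_unix entries for both sshd:auth and sudo:auth; no pam_sss line appears for either service. The `fields` dictionary keeps the empty values (`logname=`, `ruser=`, `rhost=`) as empty strings rather than dropping them, so the sshd and sudo attempts can be told apart by `uid`, `tty` and `rhost` when the log is larger than this one.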