Reputation: 57
I have recently installed and set up sssd, pam and ldap on a host for connectivity to an LDAP server. However, it is failing. Here is a snippet from the SSSD logs:
(Wed Feb 20 15:07:35 2019) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Feb 20 15:07:35 2019) [sssd[be[default]]] [be_resolve_server_process] (0x0200): Found address for server host01.myserver.com: [10.22.34.167] TTL 3600
(Wed Feb 20 15:07:35 2019) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 10636 of server 'host01.myserver.com' as 'working'
(Wed Feb 20 15:07:35 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'host01.myserver.com' as 'working'
(Wed Feb 20 15:07:35 2019) [sssd[be[default]]] [simple_bind_send] (0x0100): Executing simple bind as: cn=John Fields,ou=people,ou=Users,o=hun Ltd,dc=nuy,dc=comp,dc=com
(Wed Feb 20 15:07:35 2019) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, ) [Success]
(Wed Feb 20 15:07:35 2019) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sending result [7][default]
(Wed Feb 20 15:07:35 2019) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sent result [7][default]
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=re457]
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [pam_print_data] (0x0100): domain: default
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [pam_print_data] (0x0100): user: re457
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [pam_print_data] (0x0100): service: sshd
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [pam_print_data] (0x0100): tty: ssh
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [pam_print_data] (0x0100): ruser:
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [pam_print_data] (0x0100): rhost: 10.66.67.90
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [pam_print_data] (0x0100): authtok type: 1
and auth.log:
20 17:03:50 mint-virtual-machine nscd: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Feb 20 17:03:50 mint-virtual-machine nscd: nss_ldap: failed to bind to LDAP server ldapi:///host01.myserver.com:10636: Can't contact LDAP server
Feb 20 17:03:50 mint-virtual-machine nscd: nss_ldap: could not search LDAP server - Server is unavailable
Feb 20 17:03:50 mint-virtual-machine sshd[27120]: Invalid user re457 from 10...*
Feb 20 17:03:50 mint-virtual-machine sshd[27120]: input_userauth_request: invalid user re457 [preauth]
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_unix(sshd:auth): check pass; user unknown
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10...*
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10...* user=re457
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_sss(sshd:auth): received for user re457: 7 (Authentication failure)
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_ldap: reconnecting to LDAP server...
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Feb 20 17:03:55 mint-virtual-machine sshd[27120]: Failed password for invalid user re457 from 10...* port 60318 ssh2
Feb 20 17:05:00 mint-virtual-machine nscd: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Upvotes: 0
Views: 852
Reputation: 39
ldapi:///host01.myserver.com:10636
The ldapi scheme is used only for UNIX domain sockets. You need to use the ldap:// or ldaps:// scheme. In this particular case, since you use pam_sss, sssd needs an encrypted LDAPS connection.
Upvotes: 0
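The scheme mistake in the answer above is easy to catch before restarting sssd. The following is an added example, not code from the question, the answer or the SSSD project: a small checker that parses the ldap_uri value of an sssd.conf domain section, flags ldapi:// used with a hostname (the host lands in the URI path, because ldapi has no network location), rejects schemes other than ldap:// and ldaps://, and warns when a cleartext ldap:// URI is used without ldap_id_use_start_tls, since sssd will not send a user's password over an unencrypted connection. The configuration text is constructed for the demonstration and uses the questioner's URI.

```python
"""Sanity-check LDAP URIs of the kind found in sssd.conf (example code)."""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"ldap", "ldaps"}

# Finding codes returned by check_uri(), with a human-readable explanation.
MESSAGES = {
    "ldapi-with-host": "ldapi:// addresses a local UNIX domain socket; "
                       "a remote server needs ldap:// or ldaps://",
    "unknown-scheme": "scheme is not ldap:// or ldaps://",
    "no-host": "URI has no host part",
    "bad-port": "port is not a valid number",
    "cleartext-bind": "ldap:// without StartTLS is cleartext; sssd will not "
                      "send a password over it. Use ldaps:// or set "
                      "ldap_id_use_start_tls = true",
}

# Constructed sample configuration reproducing the URI from the question.
SAMPLE_CONF = """\
[domain/default]
ldap_uri = ldapi:///host01.myserver.com:10636
ldap_id_use_start_tls = false
"""


def parse_section(text):
    """Minimal key = value parser for one sssd-style section."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def check_uri(uri, start_tls=False):
    """Return a list of finding codes for one URI; an empty list means it looks fine."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if scheme == "ldapi":
        # 'ldapi:///host:port' has an empty netloc, so the host ends up in the path.
        # A bare 'ldapi://' (local socket, no host) is left alone.
        return ["ldapi-with-host"] if parts.path.strip("/") else []
    if scheme not in ALLOWED_SCHEMES:
        return ["unknown-scheme"]
    if not parts.hostname:
        return ["no-host"]
    try:
        parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return ["bad-port"]
    findings = []
    if scheme == "ldap" and not start_tls:
        findings.append("cleartext-bind")
    return findings


def check_conf(conf_text):
    """Check every URI in ldap_uri (comma- or space-separated); map URI -> findings."""
    opts = parse_section(conf_text)
    start_tls = opts.get("ldap_id_use_start_tls", "false").lower() == "true"
    uris = opts.get("ldap_uri", "").replace(",", " ").split()
    return {uri: check_uri(uri, start_tls) for uri in uris}


def report(conf_text):
    """Print findings in a readable form and return True when nothing was flagged."""
    clean = True
    for uri, codes in check_conf(conf_text).items():
        if not codes:
            print(f"OK   {uri}")
            continue
        clean = False
        for code in codes:
            print(f"WARN {uri}: {MESSAGES[code]}")
    return clean


if __name__ == "__main__":
    report(SAMPLE_CONF)
```

Running the block against the sample prints a warning for the ldapi:// URI; changing it to ldaps://host01.myserver.com:10636 makes it pass, while ldap://host01.myserver.com passes only once StartTLS is enabled.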