rehna

Reputation: 57

Log in unsuccessful SSSD PAM LDAP

I have recently installed and set up sssd, pam and ldap on a host for connectivity to an LDAP server. However, it is failing. Here is a snippet from the SSSD logs:

(Wed Feb 20 15:07:35 2019) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Feb 20 15:07:35 2019) [sssd[be[default]]] [be_resolve_server_process] (0x0200): Found address for server host01.myserver.com: [10.22.34.167] TTL 3600
(Wed Feb 20 15:07:35 2019) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 10636 of server 'host01.myserver.com' as 'working'
(Wed Feb 20 15:07:35 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'host01.myserver.com' as 'working'
(Wed Feb 20 15:07:35 2019) [sssd[be[default]]] [simple_bind_send] (0x0100): Executing simple bind as: cn=John Fields,ou=people,ou=Users,o=hun Ltd,dc=nuy,dc=comp,dc=com
(Wed Feb 20 15:07:35 2019) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, ) [Success]
(Wed Feb 20 15:07:35 2019) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sending result [7][default]
(Wed Feb 20 15:07:35 2019) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sent result [7][default]
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=re457]
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [pam_print_data] (0x0100): domain: default
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [pam_print_data] (0x0100): user: re457
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [pam_print_data] (0x0100): service: sshd
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [pam_print_data] (0x0100): tty: ssh
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [pam_print_data] (0x0100): ruser:
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [pam_print_data] (0x0100): rhost: 10.66.67.90
(Wed Feb 20 15:11:18 2019) [sssd[be[default]]] [pam_print_data] (0x0100): authtok type: 1

and auth.log:

20 17:03:50 mint-virtual-machine nscd: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Feb 20 17:03:50 mint-virtual-machine nscd: nss_ldap: failed to bind to LDAP server ldapi:///host01.myserver.com:10636: Can't contact LDAP server
Feb 20 17:03:50 mint-virtual-machine nscd: nss_ldap: could not search LDAP server - Server is unavailable
Feb 20 17:03:50 mint-virtual-machine sshd[27120]: Invalid user re457 from 10...*
Feb 20 17:03:50 mint-virtual-machine sshd[27120]: input_userauth_request: invalid user re457 [preauth]
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_unix(sshd:auth): check pass; user unknown
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10...*
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10...* user=re457
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_sss(sshd:auth): received for user re457: 7 (Authentication failure)
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_ldap: reconnecting to LDAP server...
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Feb 20 17:03:55 mint-virtual-machine sshd[27120]: Failed password for invalid user re457 from 10...* port 60318 ssh2
Feb 20 17:05:00 mint-virtual-machine nscd: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server

Upvotes: 0

Views: 852

Answers (1)

ryo.fastriver

Reputation: 39

ldapi:///host01.myserver.com:10636

The ldapi scheme is used only for UNIX domain sockets. You need to use the ldap:// or ldaps:// scheme. In this particular case, since you use pam_sss, sssd needs an encrypted LDAPS connection.

Upvotes: 0
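The scheme point from the answer, as an added example that is not part of the question or the answer: a Python checker that parses an LDAP URI the way nss_ldap, pam_ldap and sssd's ldap_uri expect it, flags an ldapi:// URI that carries a host:port (which names a non-existent local socket, not a remote server), proposes the ldaps:// form, and applies a simplified model of the rule in sssd-ldap(5) that a password bind is only attempted over ldaps:// or STARTTLS (the option name ldap_auth_disable_tls_never_use_in_production is the documented override; the "simplified model" is this example's own). The auth.log lines in AUTH_LOG are constructed from the question's excerpt.

```python
# Added example, not from the question or answer above. It parses an LDAP
# URI as used in ldap_uri, flags the ldapi:// host:port mistake, and models
# (in simplified form) sssd's refusal to send a password over cleartext.
import re
from urllib.parse import urlsplit, unquote

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
# "host:port" (optionally after a slash) where a UNIX socket path was expected
HOST_PORT = re.compile(r"^/?([A-Za-z0-9.-]+):(\d{1,5})$")
# LDAP URIs as they appear inside nss_ldap / pam_ldap log lines
URI_IN_LOG = re.compile(r"ldap[is]?://\S+?(?=:\s|\s|$)")


def check_ldap_uri(uri):
    """Describe one LDAP URI and list what is wrong with it."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    info = {"uri": uri, "scheme": scheme, "host": None, "port": None,
            "socket": None, "encrypted": False, "problems": [], "suggested": None}
    if scheme in DEFAULT_PORT:
        info["host"] = parts.hostname
        info["port"] = parts.port or DEFAULT_PORT[scheme]
        info["encrypted"] = (scheme == "ldaps")  # ldap:// is cleartext until STARTTLS
        if not parts.hostname:
            info["problems"].append("%s:// needs a host name" % scheme)
    elif scheme == "ldapi":
        # ldapi:// addresses a local UNIX domain socket; the path travels
        # percent-encoded in the authority, e.g. ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi.
        # Nothing in an ldapi URI is ever a TCP host or port.
        target = parts.netloc or parts.path
        info["socket"] = unquote(target)
        m = HOST_PORT.match(target)
        if m:
            host, port = m.groups()
            info["problems"].append(
                "ldapi:// names a local UNIX socket, but '%s:%s' looks like a remote "
                "host and port, so the client opens a socket path that does not exist "
                "('Can't contact LDAP server')" % (host, port))
            info["suggested"] = "ldaps://%s:%s" % (host, port)
    else:
        info["problems"].append("unknown scheme '%s'" % (scheme or uri))
    return info


def password_auth_allowed(info, server_offers_starttls=False,
                          ldap_auth_disable_tls_never_use_in_production=False):
    """Simplified model of sssd with auth_provider = ldap: a simple bind with the
    user's password is only attempted over ldaps:// or ldap:// upgraded with
    STARTTLS, unless the documented override option is set."""
    if ldap_auth_disable_tls_never_use_in_production:
        return True, "TLS check disabled by ldap_auth_disable_tls_never_use_in_production"
    if info["scheme"] == "ldaps":
        return True, "ldaps:// is encrypted from the first byte"
    if info["scheme"] == "ldap":
        if server_offers_starttls:
            return True, "ldap:// upgraded with STARTTLS"
        return False, "ldap:// without STARTTLS would send the password in the clear"
    return False, "%s:// is not a TLS-protected connection to a remote server" % info["scheme"]


# Constructed from the auth.log excerpt in the question (addresses shortened).
AUTH_LOG = """\
Feb 20 17:03:50 mint-virtual-machine nscd: nss_ldap: failed to bind to LDAP server ldapi:///host01.myserver.com:10636: Can't contact LDAP server
Feb 20 17:03:50 mint-virtual-machine sshd[27120]: Invalid user re457 from 10.66.67.90
Feb 20 17:03:53 mint-virtual-machine sshd[27120]: pam_sss(sshd:auth): received for user re457: 7 (Authentication failure)
Feb 20 17:03:55 mint-virtual-machine sshd[27120]: Failed password for invalid user re457 from 10.66.67.90 port 60318 ssh2
"""


def triage(auth_log):
    """Pull LDAP URIs out of the log, check each one, and explain the sshd lines."""
    findings = []
    for uri in sorted(set(URI_IN_LOG.findall(auth_log))):
        info = check_ldap_uri(uri)
        for problem in info["problems"]:
            findings.append("%s: %s" % (uri, problem))
        if info["suggested"]:
            findings.append("%s: try %s instead" % (uri, info["suggested"]))
    # 'Invalid user' next to a connection failure means NSS never resolved the
    # account; the credentials were never the question.
    if "Can't contact LDAP server" in auth_log and re.search(r"sshd\[\d+\]: Invalid user ", auth_log):
        findings.append("sshd reports 'Invalid user' because the NSS lookup of the account "
                        "failed, not because the password was wrong; fix the LDAP "
                        "connection before looking at the credentials")
    return findings


if __name__ == "__main__":
    for line in triage(AUTH_LOG):
        print(line)
```

Run it as-is to see the three findings for the question's log; point check_ldap_uri at your own ldap_uri value to confirm the scheme and port before chasing bind errors further down the stack.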
