#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so skel=/etc/skel umask=022
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
On Thursday, January 10, 2013, Doug Tucker wrote:
There wasn't an attachment?
Sincerely,
Doug Tucker
On 01/09/2013 06:03 PM, Chandan Kumar wrote:
I am no expert in LDAP, I have attached my system-auth file. It may help you as it is working with my 389 server.
For SSSD setup http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html could help you.
Thanks
Chandan
On Wednesday, January 9, 2013, Doug Tucker wrote:
I still can't seem to figure out how to import my groups to 389
from openldap, but the users transferred fine. However moving
forward, I created a group manually in 389 and added my username
to the group. Now from my client, if I do: id tuckerd, I get the
results I'm looking for:
# id tuckerd
uid=4011(tuckerd) gid=500(seasadm) groups=500(seasadm)
However, attempts to log in at the console with tuckerd fail
authentication. On this client, in secure.log I get this:
Jan 9 13:06:18 asteriskvm sshd[4546]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.76.1 user=tuckerd
Jan 9 13:06:18 asteriskvm sshd[4546]: pam_sss(sshd:auth): received for user tuckerd: 4 (System error)
Jan 9 13:06:19 asteriskvm sshd[4546]: Failed password for tuckerd from 172.16.76.1 port 57093 ssh2
Jan 9 13:06:33 asteriskvm sshd[4546]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.76.1 user=tuckerd
Jan 9 13:06:33 asteriskvm sshd[4546]: pam_sss(sshd:auth): received for user tuckerd: 9 (Authentication service cannot retrieve authentication info)
Jan 9 13:06:35 asteriskvm sshd[4546]: Failed password for tuckerd from 172.16.76.1 port 57093 ssh2
Jan 9 13:06:36 asteriskvm sshd[4547]: Connection closed by 172.16.76.1
Jan 9 13:06:36 asteriskvm sshd[4546]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.76.1 user=tuckerd
I have changed the password in 389 for tuckerd and am confident it
is being typed correctly.
[09/Jan/2013:13:10:48 -0600] conn=2458 fd=64 slot=64 connection from 129.119.103.59 to 129.119.113.231
[09/Jan/2013:13:10:48 -0600] conn=2458 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms defaultnamingcontext lastusn highestcommittedusn aci"
[09/Jan/2013:13:10:48 -0600] conn=2458 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[09/Jan/2013:13:10:48 -0600] conn=2458 op=1 BIND dn="" method=128 version=3
[09/Jan/2013:13:10:48 -0600] conn=2458 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[09/Jan/2013:13:10:48 -0600] conn=2458 op=2 SRCH base="dc=engr,dc=smu,dc=edu" scope=2 filter="(&(uid=tuckerd)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbprincipalname cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krblastpwdchange krbpasswordexpiration pwdAttribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap"
[09/Jan/2013:13:10:48 -0600] conn=2458 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[09/Jan/2013:13:10:48 -0600] conn=2458 op=3 SRCH base="dc=engr,dc=smu,dc=edu" scope=2 filter="(&(memberUid=tuckerd)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))" attrs="objectClass cn userPassword gidNumber memberUid modifyTimestamp modifyTimestamp"
[09/Jan/2013:13:10:48 -0600] conn=2458 op=3 RESULT err=0 tag=101 nentries=1 etime=0 notes=U,P
[09/Jan/2013:13:10:48 -0600] conn=2459 fd=65 slot=65 connection from 129.119.103.59 to 129.119.113.231
[09/Jan/2013:13:10:48 -0600] conn=2459 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[09/Jan/2013:13:10:48 -0600] conn=2459 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[09/Jan/2013:13:10:48 -0600] conn=2459 op=-1 fd=65 closed error 34 (Numerical result out of range) - B2
Which has to be the most cryptic error logging I've ever seen :).
Can anyone help me make
--
389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
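As an added example (my code, not from the thread, SSSD or the 389 project), here is a small checker that reads 389-ds access-log lines and surfaces what the second connection in Doug's log shows. The OID 1.3.6.1.4.1.1466.20037 is the StartTLS extended operation and err=2 is the LDAP protocolError result code (both from RFC 4511), so conn=2459 is the client asking the server to upgrade the session to TLS and being refused, after which the connection closes. SSSD will not send a user's password over a session it could not protect with TLS unless explicitly configured to, so a refused StartTLS is the first thing a defender should look for when pam_sss reports a system error against a server that otherwise answers searches. The sample lines are the thread's entries re-joined one per line with the long attribute lists shortened; the finding texts, the result-code table and the parsing regexes are my own assumptions about the log format, not a 389-ds API.

```python
import re
from collections import defaultdict

# Constructed sample: the 389-ds access-log entries quoted in the thread,
# re-joined one entry per line and with the long attribute lists shortened.
SAMPLE_LOG = """\
[09/Jan/2013:13:10:48 -0600] conn=2458 fd=64 slot=64 connection from 129.119.103.59 to 129.119.113.231
[09/Jan/2013:13:10:48 -0600] conn=2458 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts"
[09/Jan/2013:13:10:48 -0600] conn=2458 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[09/Jan/2013:13:10:48 -0600] conn=2458 op=1 BIND dn="" method=128 version=3
[09/Jan/2013:13:10:48 -0600] conn=2458 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[09/Jan/2013:13:10:48 -0600] conn=2458 op=2 SRCH base="dc=engr,dc=smu,dc=edu" scope=2 filter="(&(uid=tuckerd)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber"
[09/Jan/2013:13:10:48 -0600] conn=2458 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[09/Jan/2013:13:10:48 -0600] conn=2459 fd=65 slot=65 connection from 129.119.103.59 to 129.119.113.231
[09/Jan/2013:13:10:48 -0600] conn=2459 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[09/Jan/2013:13:10:48 -0600] conn=2459 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[09/Jan/2013:13:10:48 -0600] conn=2459 op=-1 fd=65 closed error 34 (Numerical result out of range) - B2
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511
# LDAP resultCode values (RFC 4511 appendix A) that the report names.
RESULT_CODES = {0: "success", 1: "operationsError", 2: "protocolError",
                32: "noSuchObject", 49: "invalidCredentials"}

# Regexes are an assumption about the access-log layout seen in the thread.
ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)\s+(?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>-?\d+)\s+(?P<kind>[A-Z]+)\s*(?P<args>.*)$")
CLOSE_RE = re.compile(r"^op=(?P<op>-?\d+)\s+fd=\d+ closed error (?P<errno>\d+)\s*\((?P<text>[^)]*)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_entry(line):
    """Parse one access-log line into a dict, or return None for lines we skip."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"ts": m.group("ts"), "conn": int(m.group("conn"))}
    rest = m.group("rest")
    op = OP_RE.match(rest)
    close = CLOSE_RE.match(rest)
    if op:
        entry["op"] = int(op.group("op"))
        entry["kind"] = op.group("kind")  # BIND, SRCH, RESULT, EXT, ...
        # Quoted values (dn, base, filter, attrs) keep inner spaces; quotes are stripped.
        entry.update({k: v.strip('"') for k, v in KV_RE.findall(op.group("args"))})
    elif close:
        entry["op"] = int(close.group("op"))
        entry["kind"] = "closed"
        entry["errno"] = int(close.group("errno"))
        entry["errtext"] = close.group("text")
    else:
        entry["kind"] = "connection"  # "fd=.. slot=.. connection from A to B"
    return entry


def analyse(log_text):
    """Walk the log once; return {conn: [finding, ...]} for things worth a look."""
    findings = defaultdict(list)
    pending = {}  # (conn, op) -> request entry still waiting for its RESULT
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None or e["kind"] == "connection":
            continue
        conn, kind = e["conn"], e["kind"]
        if kind in ("BIND", "SRCH", "EXT"):
            pending[(conn, e["op"])] = e
            if kind == "BIND" and e.get("dn", "") == "":
                findings[conn].append("anonymous bind: the client reads the directory with no credentials")
            if kind == "SRCH" and "userPassword" in e.get("attrs", "").split():
                findings[conn].append("search asks for userPassword; confirm the ACIs withhold it from this bind identity")
        elif kind == "RESULT":
            req = pending.pop((conn, e["op"]), None)
            err = int(e.get("err", "0"))
            name = RESULT_CODES.get(err, "unknown")
            if req is not None and req["kind"] == "EXT" and req.get("oid") == STARTTLS_OID:
                verdict = "accepted" if err == 0 else f"rejected: err={err} ({name})"
                findings[conn].append(f"StartTLS {verdict}")
            elif err != 0:
                what = req["kind"] if req is not None else "operation"
                findings[conn].append(f"{what} failed: err={err} ({name})")
        elif kind == "closed" and e["errno"] != 0:
            findings[conn].append(f"closed with error {e['errno']} ({e['errtext']})")
    return dict(findings)


if __name__ == "__main__":
    for conn, notes in sorted(analyse(SAMPLE_LOG).items()):
        for note in notes:
            print(f"conn={conn}: {note}")
```

Run against the sample, the report pairs the EXT request with its RESULT by (conn, op) and prints "StartTLS rejected: err=2 (protocolError)" for conn=2459, followed by the close with error 34; conn=2458 is flagged only for the anonymous bind and for a search that names userPassword. The same pairing logic works on a live access log piped in on stdin after swapping SAMPLE_LOG for sys.stdin.read().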