Issues with PAM Pass Through and pam_krb5 with sssd

I have one 389 DS server successfully using PAM Pass Through that goes
to a pam.d file that uses pam_krb5 for auth.  I've set up a new system
and am now unable to get the pass through to work.

The second system is identical except it's updated to EL 6.5 while the
working system is EL 6.4.  The second system that's not working is
using SSSD instead of the PADL stack.

When performing either an ldapsearch using my account for bind, or
performing an SSH login to a client configured in SSSD with 389 DS as the
LDAP server, I get these errors in /var/log/dirsrv/slapd-ldap01/errors:

[11/Mar/2014:11:33:31 -0500] pam_passthru-plugin - Error from PAM during pam_authenticate (7: Authentication failure)
[11/Mar/2014:11:33:31 -0500] pam_passthru-plugin - Invalid PAM password for user id [treydock], bind DN [uid=treydock,ou=people,dc=org,dc=domain,dc=edu]

Then these are in /var/log/secure:

Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: default/local realm 'DOMAIN.EDU'
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: configured realm 'DOMAIN.EDU'
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: debug
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flags: forwardable not proxiable
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: no ignore_afs
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: no null_afs
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: cred_session
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: user_check
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: no krb4_convert
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: krb4_convert_524
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: krb4_use_as_req
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: will try previously set password first
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: will let libkrb5 ask questions
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: no use_shmem
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: no external
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: no multiple_ccaches
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: validate
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: warn
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: ticket lifetime: 86400s (1d,0h,0m,0s)
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: renewable lifetime: 86400s (1d,0h,0m,0s)
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: minimum uid: 500
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: banner: Kerberos 5
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: ccache dir: /tmp
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: keytab: FILE:/etc/krb5.keytab
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: token strategy: v4,524,2b,rxk5
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: called to authenticate 'treydock', realm 'DOMAIN.EDU'
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: error resolving user name 'treydock' to uid/gid pair
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: error getting information about 'treydock'
Mar 11 11:33:30 ldap01 ns-slapd: pam_unix(ldapserver:auth): check pass; user unknown
Mar 11 11:33:30 ldap01 ns-slapd: pam_unix(ldapserver:auth): authentication failure; logname= uid=99 euid=99 tty= ruser= rhost=

# cat /etc/krb5.conf

[libdefaults]
  default_realm = DOMAIN.EDU
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1
  clockskew = 300

[realms]
DOMAIN.EDU = {
  kdc = kerberos-3.domain.edu:88
  kdc = kerberos-1.domain.edu:88
  kdc = kerberos-2.domain.edu:88
  admin_server = kerberos-master.domain.edu:749
  default_domain = domain.edu
}

[domain_realm]
  domain.edu = DOMAIN.EDU
  .domain.edu = DOMAIN.EDU

[appdefaults]
pam = {
  ticket_lifetime = 1d
  renew_lifetime = 1d
  forwardable = true
  krb4_convert = false
  proxiable = false
  retain_after_close = false
  minimum_uid = 500
  debug = true
}

# cat /etc/pam.d/ldapserver
auth        required      pam_env.so
auth        sufficient    pam_krb5.so use_first_pass debug
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so

account    include      password-auth
password   include      password-auth
session    include      password-auth

# cat /etc/pam.d/password-auth
#%PAM-1.0
# Managed by puppet - do not modify!
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

# cat /etc/sssd/sssd.conf
# Managed by puppet - do not modify
[sssd]
config_file_version = 2
debug_level = 0x02F0
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam,sudo
domains = LDAP

[nss]
debug_level = 0x02F0
reconnection_retries = 3
filter_groups = root,wheel
filter_users = root

[pam]
debug_level = 0x02F0
reconnection_retries = 3
offline_credentials_expiration = 0

[sudo]

[domain/LDAP]
debug_level = 0x02F0
cache_credentials = TRUE
entry_cache_timeout = 6000
enumerate = TRUE

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap

ldap_uri = ldap://ldap01.org.domain.edu
ldap_search_base = dc=org,dc=domain,dc=edu
ldap_network_timeout = 3
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.internal.crt
ldap_schema = rfc2307bis
ldap_id_use_start_tls = TRUE
ldap_chpass_update_last_change = TRUE
ldap_group_member = uniquemember
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_pwd_policy = none
ldap_account_expire_policy = 389ds
ldap_access_order = filter,expire
ldap_access_filter = (objectclass=posixaccount)
ldap_sudo_search_base = ou=sudoers,dc=org,dc=domain,dc=edu

PAM pass through config:

# PAM Pass Through Auth, plugins, config
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamIDMapMethod: ENTRY
pamIDAttr: tamuEduPersonNetID
pamFallback: TRUE
pamSecure: TRUE
pamService: ldapserver
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 1.2.11.15
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: PAM pass through authentication plugin
pamIncludeSuffix: ou=People,dc=org,dc=domain,dc=edu
pamFilter: (&(objectClass=tamuPerson)(tamuEduPersonNetID=*))

tamuPerson and tamuEduPersonNetID schema additions (from
/etc/dirsrv/slapd-ldap01/schema/99user.ldif):

objectclasses: ( 1.3.6.1.4.1.4391.1.0 NAME 'tamuPerson' DESC '' SUP top STRUCTURAL MAY tamuEduPersonNetID X-ORIGIN 'user defined' )
attributetypes: ( 1.3.6.1.4.1.4391.0.13 NAME 'tamuEduPersonNetID' DESC 'NetID (login username)' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE X-ORIGIN 'user defined' )

My account:

# treydock, People, org.domain.edu
dn: uid=treydock,ou=People,dc=org,dc=domain,dc=edu
uid: treydock
gidNumber: 999
mail: treydock@xxxxxxxxxx
sn: Dockendorf
cn: Trey Dockendorf
givenName: Trey
tamuEduPersonNetID: treydock
loginShell: /bin/bash
homeDirectory: /home/treydock
objectClass: inetOrgPerson
objectClass: inetuser
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: tamuPerson
objectClass: top
uidNumber: 1380

Thanks
- Trey
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
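As an added diagnostic (not part of the post above), a small parser over the /var/log/secure excerpt that tells an NSS lookup failure apart from a Kerberos password failure: with the user_check flag on, pam_krb5 calls getpwnam() inside ns-slapd (euid 99) before it ever talks to the KDC, and pam_unix's "user unknown" confirms the same lookup failed. The "authentication fails" string used for the Kerberos branch is an assumption, not taken from the post.

```python
import re

# Constructed sample: the /var/log/secure lines quoted in the post, with the
# mail-wrapped records rejoined so that each PAM message is a single line.
SECURE_LOG = """\
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: no ignore_afs
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: user_check
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: called to authenticate 'treydock', realm 'DOMAIN.EDU'
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: error resolving user name 'treydock' to uid/gid pair
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: error getting information about 'treydock'
Mar 11 11:33:30 ldap01 ns-slapd: pam_unix(ldapserver:auth): check pass; user unknown
Mar 11 11:33:30 ldap01 ns-slapd: pam_unix(ldapserver:auth): authentication failure; logname= uid=99 euid=99 tty= ruser= rhost=
"""

KRB5_RE = re.compile(r"pam_krb5\[(?P<pid>\d+)\]: (?P<msg>.*)$")
UNIX_RE = re.compile(r"pam_unix\((?P<svc>[^:]+):auth\): (?P<msg>.*)$")


def parse_events(log: str) -> list:
    # Keep only pam_krb5 and pam_unix records; unrelated lines are dropped.
    events = []
    for line in log.splitlines():
        if m := KRB5_RE.search(line):
            events.append({"module": "pam_krb5", "pid": m["pid"], "msg": m["msg"]})
        elif m := UNIX_RE.search(line):
            events.append({"module": "pam_unix", "svc": m["svc"], "msg": m["msg"]})
    return events


def diagnose(events: list) -> dict:
    """Classify the failure: NSS resolution (user_check) vs. Kerberos vs. unknown."""
    flags: set = set()
    result = {"cause": "unknown", "user": None, "euid": None,
              "flags": flags, "pam_unix_user_unknown": False}
    for ev in events:
        msg = ev["msg"]
        if ev["module"] == "pam_krb5":
            if msg.startswith("flag: "):
                name = msg[len("flag: "):]
                if not name.startswith("no "):   # "flag: no X" means X is off
                    flags.add(name)
            elif msg.startswith("called to authenticate '"):
                result["user"] = msg.split("'")[1]
            elif msg.startswith("error resolving user name"):
                result["cause"] = "nss-resolution"   # getpwnam() failed; KDC never asked
            elif "authentication fails" in msg and result["cause"] == "unknown":
                result["cause"] = "kerberos"         # assumed wording of a KDC reject
        else:
            result["pam_unix_user_unknown"] |= msg.endswith("user unknown")
            if m := re.search(r"euid=(\d+)", msg):
                result["euid"] = int(m.group(1))     # the uid doing the NSS lookup
    return result
```

When the cause comes back as nss-resolution, the thing to verify is whether the user resolves through NSS as the uid ns-slapd runs under, not whether the Kerberos password is right.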