Follow-up: using SSSD for some reason breaks PAM pass through even though pam_krb5 is performing auth. If I enable nslcd the pam_krb5 works. This error seems like the culprit:

Mar 11 18:12:30 ldap01 ns-slapd: pam_krb5[7318]: called to authenticate 'treydock', realm 'DOMAIN.EDU'
Mar 11 18:12:30 ldap01 ns-slapd: pam_krb5[7318]: error resolving user name 'treydock' to uid/gid pair
Mar 11 18:12:30 ldap01 ns-slapd: pam_krb5[7318]: error getting information about 'treydock'

Is there any way to further debug this? It seems if I turn off nslcd that's when things break. Even setting all pam.d files to use pam_sss and nsswitch.conf to use sss, only running nslcd makes things work.

Thanks
- Trey

On Tue, Mar 11, 2014 at 12:19 PM, Trey Dockendorf <treydock@xxxxxxxxx> wrote:
> I have one 389 DS server successfully using PAM Pass through that goes to a pam.d file that uses pam_krb5 for auth. I've set up a new system and am now unable to get the pass through to work.
>
> The second system is identical except it's updated to EL 6.5 while the working system is EL 6.4. The second system that's not working is using SSSD instead of the PADL stack.
>
> When performing either ldapsearch using my account for bind, or performing SSH login to a client configured in SSSD with 389DS as the LDAP server, I get these errors in /var/log/dirsrv/slapd-ldap01/errors
>
> [11/Mar/2014:11:33:31 -0500] pam_passthru-plugin - Error from PAM during pam_authenticate (7: Authentication failure)
> [11/Mar/2014:11:33:31 -0500] pam_passthru-plugin - Invalid PAM password for user id [treydock], bind DN [uid=treydock,ou=people,dc=org,dc=domain,dc=edu]
>
> Then these are in /var/log/secure
>
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: default/local realm 'DOMAIN.EDU'
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: configured realm 'DOMAIN.EDU'
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: debug
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flags: forwardable not proxiable
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: no ignore_afs
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: no null_afs
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: cred_session
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: user_check
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: no krb4_convert
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: krb4_convert_524
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: krb4_use_as_req
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: will try previously set password first
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: will let libkrb5 ask questions
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: no use_shmem
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: no external
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: no multiple_ccaches
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: validate
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: flag: warn
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: ticket lifetime: 86400s (1d,0h,0m,0s)
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: renewable lifetime: 86400s (1d,0h,0m,0s)
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: minimum uid: 500
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: banner: Kerberos 5
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: ccache dir: /tmp
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: keytab: FILE:/etc/krb5.keytab
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: token strategy: v4,524,2b,rxk5
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: called to authenticate 'treydock', realm 'DOMAIN.EDU'
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: error resolving user name 'treydock' to uid/gid pair
> Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: error getting information about 'treydock'
> Mar 11 11:33:30 ldap01 ns-slapd: pam_unix(ldapserver:auth): check pass; user unknown
> Mar 11 11:33:30 ldap01 ns-slapd: pam_unix(ldapserver:auth): authentication failure; logname= uid=99 euid=99 tty= ruser= rhost=
>
> # cat /etc/krb5.conf
>
> [libdefaults]
>  default_realm = DOMAIN.EDU
>  default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1
>  default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1
>  clockskew = 300
>
> [realms]
>  DOMAIN.EDU = {
>   kdc = kerberos-3.domain.edu:88
>   kdc = kerberos-1.domain.edu:88
>   kdc = kerberos-2.domain.edu:88
>   admin_server = kerberos-master.domain.edu:749
>   default_domain = domain.edu
>  }
>
> [domain_realm]
>  domain.edu = DOMAIN.EDU
>  .domain.edu = DOMAIN.EDU
>
> [appdefaults]
>  pam = {
>   ticket_lifetime = 1d
>   renew_lifetime = 1d
>   forwardable = true
>   krb4_convert = false
>   proxiable = false
>   retain_after_close = false
>   minimum_uid = 500
>   debug = true
>  }
>
> # cat /etc/pam.d/ldapserver
> auth      required    pam_env.so
> auth      sufficient  pam_krb5.so use_first_pass debug
> auth      sufficient  pam_unix.so nullok try_first_pass
> auth      required    pam_deny.so
>
> account   include     password-auth
> password  include     password-auth
> session   include     password-auth
>
> # cat /etc/pam.d/password-auth
> #%PAM-1.0
> # Managed by puppet - do not modify!
> auth      required    pam_env.so
> auth      sufficient  pam_unix.so nullok try_first_pass
> auth      requisite   pam_succeed_if.so uid >= 500 quiet
> auth      sufficient  pam_sss.so use_first_pass
> auth      required    pam_deny.so
>
> account   required    pam_unix.so
> account   sufficient  pam_localuser.so
> account   sufficient  pam_succeed_if.so uid < 500 quiet
> account   [default=bad success=ok user_unknown=ignore] pam_sss.so
> account   required    pam_permit.so
>
> password  requisite   pam_cracklib.so try_first_pass retry=3 type=
> password  sufficient  pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password  sufficient  pam_sss.so use_authtok
> password  required    pam_deny.so
>
> session   optional    pam_keyinit.so revoke
> session   required    pam_limits.so
> session   [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session   required    pam_unix.so
> session   optional    pam_sss.so
>
> # cat /etc/sssd/sssd.conf
> # Managed by puppet - do not modify
> [sssd]
> config_file_version = 2
> debug_level = 0x02F0
> reconnection_retries = 3
> sbus_timeout = 30
> services = nss,pam,sudo
> domains = LDAP
>
> [nss]
> debug_level = 0x02F0
> reconnection_retries = 3
> filter_groups = root,wheel
> filter_users = root
>
> [pam]
> debug_level = 0x02F0
> reconnection_retries = 3
> offline_credentials_expiration = 0
>
> [sudo]
>
> [domain/LDAP]
> debug_level = 0x02F0
> cache_credentials = TRUE
> entry_cache_timeout = 6000
> enumerate = TRUE
>
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> access_provider = ldap
> sudo_provider = ldap
>
> ldap_uri = ldap://ldap01.org.domain.edu
> ldap_search_base = dc=org,dc=domain,dc=edu
> ldap_network_timeout = 3
> ldap_tls_reqcert = demand
> ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.internal.crt
> ldap_schema = rfc2307bis
> ldap_id_use_start_tls = TRUE
> ldap_chpass_update_last_change = TRUE
> ldap_group_member = uniquemember
> ldap_group_object_class = posixGroup
> ldap_group_name = cn
> ldap_pwd_policy = none
> ldap_account_expire_policy = 389ds
> ldap_access_order = filter,expire
> ldap_access_filter = (objectclass=posixaccount)
> ldap_sudo_search_base = ou=sudoers,dc=org,dc=domain,dc=edu
>
> PAM pass through config:
>
> # PAM Pass Through Auth, plugins, config
> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> objectClass: pamConfig
> cn: PAM Pass Through Auth
> nsslapd-pluginPath: libpam-passthru-plugin
> nsslapd-pluginInitfunc: pam_passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginloadglobal: true
> nsslapd-plugin-depends-on-type: database
> pamMissingSuffix: ALLOW
> pamExcludeSuffix: cn=config
> pamIDMapMethod: ENTRY
> pamIDAttr: tamuEduPersonNetID
> pamFallback: TRUE
> pamSecure: TRUE
> pamService: ldapserver
> nsslapd-pluginId: pam_passthruauth
> nsslapd-pluginVersion: 1.2.11.15
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginDescription: PAM pass through authentication plugin
> pamIncludeSuffix: ou=People,dc=org,dc=domain,dc=edu
> pamFilter: (&(objectClass=tamuPerson)(tamuEduPersonNetID=*))
>
> tamuPerson and tamuEduPersonNetID schema additions (from /etc/dirsrv/slapd-ldap01/schema/99user.ldif):
>
> objectclasses: ( 1.3.6.1.4.1.4391.1.0 NAME 'tamuPerson' DESC '' SUP top STRUCTURAL MAY tamuEduPersonNetID X-ORIGIN 'user defined' )
> attributetypes: ( 1.3.6.1.4.1.4391.0.13 NAME 'tamuEduPersonNetID' DESC 'NetID (login username)' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE X-ORIGIN 'user defined' )
>
> My account:
>
> # treydock, People, org.domain.edu
> dn: uid=treydock,ou=People,dc=org,dc=domain,dc=edu
> uid: treydock
> gidNumber: 999
> mail: treydock@xxxxxxxxxx
> sn: Dockendorf
> cn: Trey Dockendorf
> givenName: Trey
> tamuEduPersonNetID: treydock
> loginShell: /bin/bash
> homeDirectory: /home/treydock
> objectClass: inetOrgPerson
> objectClass: inetuser
> objectClass: organizationalPerson
> objectClass: person
> objectClass: posixAccount
> objectClass: tamuPerson
> objectClass: top
> uidNumber: 1380
>
> Thanks
> - Trey

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
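An added example, not part of the thread or of the 389 DS / pam_krb5 projects, that isolates the step the logs point at. pam_krb5 with the `user_check` flag resolves the user through NSS (getpwnam) and applies the `minimum_uid` floor before it contacts the KDC, so a "error resolving user name ... to uid/gid pair" line means the calling process (here ns-slapd, which the pam_unix line shows running as uid=99) could not resolve the name at all; Kerberos was never reached. The script below pulls the failed user names and the announced minimum uid out of the secure-log lines quoted above (embedded as a constructed sample), then performs the same lookup-and-floor check, either against the live NSS stack or against a constructed table. All function names (`users_with_resolution_failures`, `logged_minimum_uid`, `make_lookup`, `resolve_user`) and the sample table are assumptions of this example.

```python
"""Replay pam_krb5's pre-authentication NSS check outside of ns-slapd.

Added example; names and the constructed passwd table are assumptions,
not anything from the thread or from pam_krb5 itself.
"""
import pwd
import re
from collections import namedtuple
from typing import Callable, Dict, List, Tuple

# Constructed sample: the pam_krb5 / pam_unix lines quoted in the thread.
SAMPLE_SECURE_LOG = """\
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: minimum uid: 500
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: called to authenticate 'treydock', realm 'DOMAIN.EDU'
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: error resolving user name 'treydock' to uid/gid pair
Mar 11 11:33:30 ldap01 ns-slapd: pam_krb5[32169]: error getting information about 'treydock'
Mar 11 11:33:30 ldap01 ns-slapd: pam_unix(ldapserver:auth): check pass; user unknown
Mar 11 11:33:30 ldap01 ns-slapd: pam_unix(ldapserver:auth): authentication failure; logname= uid=99 euid=99 tty= ruser= rhost=
"""

RESOLVE_FAIL_RE = re.compile(
    r"pam_krb5\[\d+\]: error resolving user name '(?P<user>[^']+)' to uid/gid pair"
)
MIN_UID_RE = re.compile(r"pam_krb5\[\d+\]: minimum uid: (?P<uid>\d+)")


def users_with_resolution_failures(log_text: str) -> List[str]:
    """Distinct user names pam_krb5 could not resolve via NSS, in log order."""
    seen: List[str] = []
    for line in log_text.splitlines():
        m = RESOLVE_FAIL_RE.search(line)
        if m and m.group("user") not in seen:
            seen.append(m.group("user"))
    return seen


def logged_minimum_uid(log_text: str, default: int = 500) -> int:
    """The minimum uid pam_krb5 announced (from krb5.conf [appdefaults]), else default."""
    for line in log_text.splitlines():
        m = MIN_UID_RE.search(line)
        if m:
            return int(m.group("uid"))
    return default


# Minimal stand-in for pwd.struct_passwd so a constructed table can be used offline.
PasswdEntry = namedtuple("PasswdEntry", "pw_name pw_uid pw_gid")


def make_lookup(table: Dict[str, Tuple[int, int]]) -> Callable[[str], PasswdEntry]:
    """Build a getpwnam()-like function from a constructed name -> (uid, gid) table."""
    def lookup(name: str) -> PasswdEntry:
        if name not in table:
            raise KeyError(name)   # same failure signal as pwd.getpwnam()
        uid, gid = table[name]
        return PasswdEntry(name, uid, gid)
    return lookup


def resolve_user(name: str, minimum_uid: int = 500, lookup=pwd.getpwnam) -> dict:
    """Mirror pam_krb5's ordering: NSS lookup first, then the minimum_uid floor.

    status is "unknown" when NSS cannot resolve the name (the case in the
    thread), "below_minimum_uid" when the account exists but sits under the
    floor, and "ok" when pam_krb5 would proceed to Kerberos.
    """
    try:
        entry = lookup(name)
    except KeyError:
        return {"user": name, "status": "unknown", "uid": None, "gid": None}
    status = "ok" if entry.pw_uid >= minimum_uid else "below_minimum_uid"
    return {"user": name, "status": status, "uid": entry.pw_uid, "gid": entry.pw_gid}


if __name__ == "__main__":
    import sys
    floor = logged_minimum_uid(SAMPLE_SECURE_LOG)
    # With no arguments, check the users the sample log says failed; otherwise
    # check the names given on the command line against the live NSS stack.
    for user in sys.argv[1:] or users_with_resolution_failures(SAMPLE_SECURE_LOG):
        print(resolve_user(user, minimum_uid=floor))
```

Run it as the same uid the pam_unix line reports for ns-slapd, for instance `sudo -u '#99' python3 nss_check.py treydock` (file name assumed), and compare with the same command as root and with `getent passwd treydock`. A status of "unknown" only under that uid narrows the problem to what NSS returns to the directory server process, which is a different question from anything in krb5.conf or the KDC.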