Linux - EnterpriseThis forum is for all items relating to using Linux in the Enterprise.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
SSSD does not allow this. Unlike pam_ldap, SSSD will always refuse to broadcast users' passwords. If there is no encryption available on the communication, we throw an error instead of exposing your users.
Does it mean that if I use SSSD, the pam_ldap will be unavailable? What's the relationship between pam and SSSD?
Does it mean that if I use SSSD, the pam_ldap will be unavailable? What's the relationship between pam and SSSD?
SSSD provides pam_sss.so, which replaces pam_ldap.so in your PAM stack. This provides SSSD's interface to the authentication services. They are not strictly mutually-exclusive, but it's highly recommended not to try to run them at the same time.
The SSSD essentially rolls the functionality of nss-pam-ldapd, pam_ldap and pam_krb5 into a single package (with multiple pieces).*
* Not all pieces are 100% compatible yet, but the vast majority of common cases are fully supported.
I have sssd setup against my AD servers for authentication and it's working but I'm seeing some very strange behavior when logging in. The SSH connection is made quickly and I'm prompted for my password. After entering the password the connection seems to hang and while that's happening this is what I see in /var/log/secure. Why is pam_unix failing and then pam_sss succeeding? I've looked and /etc/pam.d/system-auth and it looks like what I would expect. Does anyone have any ideas?
Code:
Feb 2 07:44:35 server01 sshd[30324]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.5.61 user=testuser
Feb 2 07:44:36 server01 sshd[30324]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.5.61 user=testuser
Feb 2 07:44:36 server01 sshd[30324]: Accepted password for testuser from 10.1.5.61 port 61269 ssh2
Feb 2 07:44:36 server01 sshd[30324]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Last edited by master_bitbucket; 02-02-2012 at 07:09 AM.
Reason: fixed code tag
It's expected that pam_unix should fail. The user isn't maintained by pam_unix (as in, they're not a local user). This is expected behavior. The PAM stack first tries to see if the user is local and authenticates them against /etc/shadow. If that fails, it moves on to trying to use SSSD. There is no issue there.
The hang in ssh on the other hand is a bit more concerning. It looks like maybe SSSD isn't responding to the pam_session_open() request properly for you. Can you paste your /etc/pam.d/password-auth file for me to look at? (sshd uses password-auth, NOT system-auth).
Nothing out of the ordinary there. Does logging in at a local terminal work properly? If so, it's possible that something is wrong with your SSH daemon and not with SSSD.
It does in fact look like a problem with SSH as one issue, but I think there is still an issue with SSSD.
This morning I've been building a new VM template based on CentOS 6.2 and I was following the Fedora SSSD configuration guide. I took my working sssd.conf and used the /etc/pam.d/system-auth file from the guide. I started everything up and it was working. However, I couldn't ssh to the host as a user in my configured SSSD domain (ldap). The handoff to sssd wasn't happening. I'm a little confused as to why this is. It seems like the configuration detailed in the guide should include everything that needs to be changed.
Code:
Feb 21 08:26:24 localhost sshd[2289]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 21 08:29:31 localhost sshd[2289]: Received disconnect from 10.1.5.61: 11: disconnected by user
Feb 21 08:29:31 localhost sshd[2289]: pam_unix(sshd:session): session closed for user root
Feb 21 08:29:47 localhost sshd[2350]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.5.61 user=testuser
Feb 21 08:29:50 localhost sshd[2350]: Failed password for testuser from 10.1.5.61 port 64875 ssh2
Feb 21 08:29:55 localhost sshd[2350]: Failed password for testuser from 10.1.5.61 port 64875 ssh2
Feb 21 08:30:16 localhost sshd[1439]: Received signal 15; terminating.
I changed the /etc/pam.d/sshd configuration to the following and I can now login successfully but the login delay is there.
Code:
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
This is changed from the system default which is
Code:
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
What am I doing wrong in the PAM SSH config? Also, I see two distinct periods of hanging in the SSSD log for my domain. I turned the debug level up to 5 and was watching when I performed a login. The attached file has the details. Notice right away there is a pause.
Well, first of all I would recommend on CentOS 6.2 that you use authconfig to set up SSSD (it handles most of the tricky bits of setting up password-auth, system-auth and nsswitch.conf for you.
You can run it from the command-line (see authconfig --help) or the graphical UI with authconfig --gtk
The nine-second gap there is a bit long, but during that period we're contacting LDAP and storing results. It may be that your LDAP server is taking a long time to respond. We need logs at level 6 or higher (preferably level 9, but that's VERY noisy) to get the details on why that's taking so long.
I ran authconfig and was able to keep my setup in place and put back the system provided /etc/pam.d/sshd and I can still login as remote users. However, the hang is still there during authentication. I have some mostly sanitized level 9 debug output from my connection attempt. Is there somewhere I can email you the log?
I ran authconfig and was able to keep my setup in place and put back the system provided /etc/pam.d/sshd and I can still login as remote users. However, the hang is still there during authentication. I have some mostly sanitized level 9 debug output from my connection attempt. Is there somewhere I can email you the log?
It might be best to open a bug at http://bugs.centos.org and attach the log to it (sanitized as necessary). Post the bug number here so I know where to look.
Hi all, dragging this back to the stone age of the original poster (and a few others in between)... I have been stuck with trying to get a somewhat modern version of Linux authenticate with our corporate Microsoft AD Server 2003 which is not set up to use TLS or anything. Yes, I had have a discussion with our IT guys and they are aware of the problem but claim that via routing, etc etc, it isn't a problem and unfortunately I am not in a position to establish corporate policy. But... I really do want to have a Linux box that I can log into that also can work with the device drivers I need to load (and since 99% of users here are MS, IT says linux isn't supported, so I need to solve this problem myself or give up and have to use Windows... grrr!)
I'm a long time Linux user but I have never set-up LDAP authentication before so it was a new thing for me. Much of what I did was gleaned from contributors to this thread but just wanted to put down in full what worked for me. Maybe it will help others in similar situations.
3) ldapsearch -h <mydomaincontroller> -D "CN=<mybinddn string>" -w <mybinddnpasswd> -b "dc=<mydomain>,dc=<mylocal>?sub" dn
I can see my ldap server! Yay! (No point doing anything messing with authentication until you can see your server).
4) run:
authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=<mydc1>,<mydc2> --ldapbasedn="dc=<mydomain>,dc=<mylocal>" --disableldaptls --disablesssd --disablesssdauth --enableforcelegacy --update
Not sure if all these parameters are necessary but I didn't have to edit /etc/sysconfig/authconfig by hand er anything. Note that running system-config-authentication is just scary or misleading because it will not let you set the above combination of choices.
5) edit /etc/pam_ldap.conf and /etc/nslcd.conf
pam_ldap.conf was changed to match what would work on Centos 5 with the same LDAP server.
nslcd.conf I uncommented all the Active Directory Mappings section and also added the
"binddn" and "bindpw" lines from pam_ldap.conf to the end of the file (this addition was important, without those lines, authentication wouldn't work).
6) authentication then worked! but creating home-dirs didn't. Rebooted and creating home-dirs started to work. But the first log in after a reboot was very slow and I was getting a lot of nslcd "Can't contact LDAP server: no such process" errors in /var/log/messages.
I figured that this might be that nslcd was started too early in the boot process and whatever services it was talking to weren't ready yet. Just as a hacky expedient I added "service nslcd restart" into rc.local and that worked! I didn't have the first slow first-log-in problem.
Now I appear to have LDAP authentication working on Centos 6.2 with an old and insecure no-tls AD server - which is great for me! I expect this will not work on other distros (Ubuntu, Fedora, etc).
When using Active Directory, it is a bad idea to use LDAP for authentication, in part because AD's implementation does not handle password-policy issues correctly (such as expired passwords in the grace period). It is much better instead to use Kerberos for authentication and password changes.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.