We have Active Directory authentication with SSSD on CentOS 7.5.

Starting from today users are unable to log in. When they try, they get:

/usr/bin/id: cannot find name for group ID xxxxxxxxxx

I looked into /var/log/secure:

pam_sss(crond:session): Request to sssd failed. Public socket has wrong ownership or permissions.

Here's sssd.conf:

[sssd]
domains = xxxxxxxxx
config_file_version = 2
services = nss, pam

[domain/xxxxxxxx]
ad_domain = xxxxxxxx
krb5_realm = XXXXXXXXXX
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#use_fully_qualified_names = True
use_fully_qualified_names = False
#fallback_homedir = /home/%u@%d
fallback_homedir = /home/%u
access_provider = ad

On another machine, with exactly the same configuration, everything works.

No changes at all, lately.

Thanks for your help.

S4rg0n
  • So what are the ownership and permissions? – Michael Hampton Mar 11 '21 at 19:15
  • Thank you @MichaelHampton. Of what precisely? – S4rg0n Mar 12 '21 at 07:40
  • The error message says that pam is trying to connect to sssd via its public socket. Try something like `systemctl cat sssd-pam.socket` to find out where that is on your system. – Michael Hampton Mar 12 '21 at 07:44
  • Why have you posted that listing? What relevance does it have to anything? – Michael Hampton Mar 12 '21 at 08:34
  • These are my findings: [root@xxxxxxx ~]# systemctl cat sssd-pam.socket # /usr/lib/systemd/system/sssd-pam.socket [root@xxxxxxx ~]# ll /usr/lib/systemd/system/sssd-pam.socket -rw-r--r--. 1 root root 391 Sep 26 2018 /usr/lib/systemd/system/sssd-pam.socket – S4rg0n Mar 12 '21 at 08:56
  • You are supposed to _read_ the file, not do directory listings of the file. – Michael Hampton Mar 12 '21 at 19:50
  • Sorry, I'm trying to format the code with triple backticks but it doesn't work... ``` [root@gmdeoim19 ~]# cat /usr/lib/systemd/system/sssd-pam.socket [Unit] Description=SSSD PAM Service responder socket Documentation=man:sssd.conf(5) After=sssd.service BindsTo=sssd.service BindsTo=sssd-pam-priv.socket DefaultDependencies=no Conflicts=shutdown.target [Socket] ExecStartPre=/usr/libexec/sssd/sssd_check_socket_activated_responders -r pam ListenStream=/var/lib/sss/pipes/pam SocketUser=root SocketGroup=root [Install] WantedBy=sssd.service ``` – S4rg0n Mar 15 '21 at 08:00
  • You aren't supposed to paste it in a comment either. Again you are supposed to _read_ it to find the socket path. It's right there. – Michael Hampton Mar 15 '21 at 16:21

1 Answer

The issue has been solved.

The problem was, as stated by the error, a permission problem for the file:

srw-rw-r--+ 1 root root 0 Jun  1 14:30 pam

Fixed it by setting permissions to 0666:

chmod 0666 /var/log/secure
mforsetti
S4rg0n
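
An added example, not part of the original answer or of SSSD: a shell check of the socket that `sssd-pam.socket` declares (`ListenStream=/var/lib/sss/pipes/pam`, `SocketUser=root`, `SocketGroup=root`) against the 0666 mode given in the answer. The function names and return codes are hypothetical, and the assumption that the client requires exactly root:root and 0666 is taken from those two places on this page.

```shell
#!/bin/sh
# Added example: audit the SSSD public PAM socket named in sssd-pam.socket.
# Assumption: the socket must be owned by root:root (SocketUser/SocketGroup in
# the unit file) with mode 0666 (the value given in the answer).

SOCK_DEFAULT=/var/lib/sss/pipes/pam   # ListenStream= value quoted on this page

# eval_socket_stat TYPE OWNER MODE [EXPECTED_OWNER]
# Pure check on stat fields: prints a verdict, returns 0 only when all pass.
eval_socket_stat() {
    ftype=$1 owner=$2 mode=$3 want_owner=${4:-root:root}
    if [ "$ftype" != "socket" ]; then
        echo "FAIL: not a socket ($ftype)"; return 2
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner $owner, expected $want_owner"; return 3
    fi
    if [ "$mode" != "666" ]; then
        echo "FAIL: mode $mode, expected 666"; return 4
    fi
    echo "OK: socket $owner mode $mode"; return 0
}

# check_sssd_socket [PATH] [EXPECTED_OWNER]
# Reads type, owner and octal mode with GNU stat and evaluates them.
check_sssd_socket() {
    path=${1:-$SOCK_DEFAULT}
    want=${2:-root:root}
    if [ ! -e "$path" ]; then
        echo "FAIL: $path does not exist (is sssd running?)"; return 1
    fi
    # %F = file type, %U:%G = owner and group names, %a = octal permission bits
    ftype_now=$(stat -c '%F' "$path")
    owner_now=$(stat -c '%U:%G' "$path")
    mode_now=$(stat -c '%a' "$path")
    # A trailing "+" in ls -l means an ACL is set; getfacl shows its entries.
    eval_socket_stat "$ftype_now" "$owner_now" "$mode_now" "$want"
}

# Constructed input matching the listing in the answer (srw-rw-r--+ root root):
eval_socket_stat socket root:root 664 || true
```

The listing in the answer is of the `pam` socket, so `check_sssd_socket` defaults to the `ListenStream` path; `/var/log/secure` is the log where the error was read, and mode 0666 there would make the authentication log world-writable.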