
/etc/sssd/sssd.conf

# /etc/sssd/sssd.conf as posted in the question. Section and key names are
# case-sensitive; the [domain/NAME] sections must match the "domains" list.
[sssd]
config_file_version = 2
services = nss,pam,sudo,ssh
domains = local,ldap
# Very verbose tracing into /var/log/sssd/; lower it once troubleshooting
# is finished.
debug_level = 9
sbus_timeout = 2
reconnection_retries = 3

[nss]
# These filters are commented out, so nothing here hides root. SSSD still
# refuses to serve uid 0 entries from a remote domain by design (see the
# jhrozek comment at the end of the thread), which is why the "root" LDAP
# accounts never show up in getent passwd.
#filter_groups = root
#filter_users = root
#enum_cache_timeout = 30

[pam]
reconnection_retries = 3
# Offline-authentication settings. They only take effect for a domain that
# has cache_credentials = true; [domain/ldap] below sets it to false.
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/local]
id_provider = local
auth_provider = local
# "permit" applies no access control: every user this domain resolves is
# allowed to log in.
access_provider = permit
debug_level = 9

[domain/ldap]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
chpass_provider = ldap
# Plain ldap:// URI. SSSD does not send passwords over a clear-text
# connection and attempts STARTTLS first; the "Could not start TLS
# encryption ... public key that was too weak" error in the logs below is
# that attempt failing against the server's certificate. The answer
# resolves it with ldaps:// and a proper server certificate.
ldap_uri = ldap://10.24.83.198:10389/
ldap_search_base = ou=users,dc=sprint,dc=com
ldap_user_search_base = ou=users,dc=sprint,dc=com
ldap_sudo_search_base = ou=users,dc=sprint,dc=com
ldap_group_search_base = ou=users,dc=sprint,dc=com
# "never" switches off verification of the server certificate, so any host
# answering on that address is accepted. Once a usable certificate is in
# place, use "demand" (the default) with ldap_tls_cacert /
# ldap_tls_cacertdir pointing at the issuing CA.
ldap_tls_reqcert = never
#ldap_tls_reqcert = allow
#ldap_tls_cacertdir = /etc/cacerts

# No offline logins: every authentication goes to the LDAP server.
cache_credentials = false
ldap_schema = rfc2307bis
debug_level = 9
# Enumeration is discouraged for performance reasons.
# (It is what makes the full "getent passwd" listing below possible;
# "id" and "su" do not depend on it.)
enumerate = true
# Bind DN and its password are stored here in clear text, so the file must
# stay readable by root only. The DN is a directory administrator account;
# a read-only, least-privileged service account is the usual choice for
# lookups.
ldap_default_bind_dn = uid=admin,ou=system
ldap_default_authtok_type = password
ldap_default_authtok = secret
# Identity lookups (as opposed to authentication) stay on the unencrypted
# connection.
ldap_id_use_start_tls = false

grep -ri 'pam_sss.so' in /etc/pam.d/

[root@lab pam.d]# grep -ri 'pam_sss.so'
smartcard-auth-ac:account     [default=bad success=ok     user_unknown=ignore] pam_sss.so
smartcard-auth-ac:session     optional      pam_sss.so
password-auth-ac:auth        sufficient    pam_sss.so use_first_pass
password-auth-ac:account     [default=bad success=ok     user_unknown=ignore] pam_sss.so
password-auth-ac:password    sufficient    pam_sss.so use_authtok
password-auth-ac:session     optional      pam_sss.so
sshd:auth        sufficient    pam_sss.so
fingerprint-auth-ac:account     [default=bad success=ok     user_unknown=ignore] pam_sss.so
fingerprint-auth-ac:session     optional      pam_sss.so
system-auth-ac:auth        sufficient    pam_sss.so
system-auth-ac:account     [default=bad success=ok user_unknown=ignore]     pam_sss.so
system-auth-ac:password    sufficient    pam_sss.so use_authtok
system-auth-ac:session     optional      pam_sss.so
[root@lab pam.d]#

LDAP search result

[root@lab ~]# ldapsearch -H ldap://10.24.83.198:10389 -x -D "uid=admin,ou=system" -W -b "ou=users,dc=sprint,dc=com" -s one -a always -z 1000 "(objectClass=*)" "hasSubordinates" "objectClass"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=sprint,dc=com> with scope oneLevel
# filter: (objectClass=*)
# requesting: hasSubordinates objectClass 
#

# labusr52, users, sprint.com
dn: uid=labusr52,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: shadowAccount

# labusr50, users, sprint.com
dn: uid=labusr50,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: shadowAccount

# labusr50_pb, users, sprint.com
dn: uid=labusr50_pb,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: shadowAccount

# sssd_2, users, sprint.com
dn: uid=sssd_2,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson

# labusr50_root, users, sprint.com
dn: uid=labusr50_root,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: shadowAccount

# sssd_3, users, sprint.com
dn: uid=sssd_3,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson

# sssd_4, users, sprint.com
dn: uid=sssd_4,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson

# sssd_5, users, sprint.com
dn: uid=sssd_5,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson

# sssd_root, users, sprint.com
dn: uid=sssd_root,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson

# labusr50_cc, users, sprint.com
dn: uid=labusr50_cc,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: shadowAccount

# labusr51, users, sprint.com
dn: uid=labusr51,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: shadowAccount

# sssd_root_0, users, sprint.com
dn: uid=sssd_root_0,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson

# sssd_ldap_group_1, users, sprint.com
dn: uid=sssd_ldap_group_1,ou=users,dc=sprint,dc=com
objectClass: posixAccount
objectClass: top
objectClass: posixGroup

# search result
search: 2
result: 0 Success

# numResponses: 14
# numEntries: 13
[root@lab ~]# 

Problem 1 : Not sure why 'getent passwd' is not returning root users

[root@lab ~]# getent passwd
labusr50_cc:*:500:500:Lab User50:/:/bin/bash
labusr50_pb:*:491:491:Lab User50:/:/bin/bash
labusr50:*:29990:29990:Lab User50:/home/labusr50:/bin/bash
labusr51:*:29991:29991:Lab User51:/home/labusr51:/bin/bash
labusr52:*:29992:29992:Lab User52:/home/labusr52:/bin/bash
sssd_2:*:2:3:cn_sssd_2:/:
sssd_3:*:3:3:cn_sssd_3:/:
sssd_4:*:4:4:cn_sssd_4:/:

Problem 2 : Even though the 'id' and 'su' commands work, pwauth fails with the errors below

[root@lab ~]# id sssd_5
uid=5(sync) gid=5(tty) groups=0(root)
[root@lab ~]# su - sssd_5
-sh-4.1$ ls
bin  boot  cgroup  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  qsb_config  root  run  sbin  selinux  srv  sys  tmp  usr  var
-sh-4.1$ pwd
/
-sh-4.1$ exit
logout
[root@lab ~]# pwauth
sssd_5
sprint123
[root@lab ~]# echo $?
1
[root@lab ~]#  

[root@lab ~]# tailf /var/log/message

2017-06-24T19:32:25.823061+00:00 lab sssd[be[ldap]]: Could not start TLS encryption. TLS error -12156:The server certificate included a public key that was too weak.

[root@lab ~]# tailf /var/log/sssd/sssd_ldap.log

(Sat Jun 24 19:32:25 2017) [sssd[be[ldap]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [TLS error -12156:The server certificate included a public key that was too weak.]

Do the above two errors imply that I must use ldaps instead of ldap?

[root@lab ~]# tailf /var/log/secure

2017-06-24T19:32:25.824275+00:00 lab pwauth: pam_sss(pwauth:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=sssd_5
2017-06-24T19:32:25.824312+00:00 lab pwauth: pam_sss(pwauth:auth): received for user sssd_5: 9 (Authentication service cannot retrieve authentication info)
2017-06-24T19:32:25.824769+00:00 lab pwauth: pam_unix(pwauth:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost=  user=sssd_5

[root@lab ~]# tailf /var/log/audit/audit.log

type=USER_AUTH msg=audit(1498332641.906:164744): user pid=20973 uid=0 auid=0 ses=26854 subj=kernel msg='op=PAM:authentication acct="sssd_5" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_ACCT msg=audit(1498332641.906:164745): user pid=20973 uid=0 auid=0 ses=26854 subj=kernel msg='op=PAM:accounting acct="sssd_5" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_ACCT msg=audit(1498332641.906:164745): user pid=20973 uid=0 auid=0 ses=26854 subj=kernel msg='op=PAM:accounting acct="sssd_5" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_START msg=audit(1498332643.479:164746): user pid=20973 uid=0 auid=0 ses=26854 subj=kernel msg='op=PAM:session_open acct="sssd_5" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=CRED_ACQ msg=audit(1498332643.479:164747): user pid=20973 uid=0 auid=0 ses=26854 subj=kernel msg='op=PAM:setcred acct="sssd_5" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=CRED_DISP msg=audit(1498332666.596:164748): user pid=20973 uid=0 auid=0 ses=26854 subj=kernel msg='op=PAM:setcred acct="sssd_5" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_END msg=audit(1498332668.366:164749): user pid=20973 uid=0 auid=0 ses=26854 subj=kernel msg='op=PAM:session_close acct="sssd_5" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_AUTH msg=audit(1498332747.664:164750): user pid=21823 uid=0 auid=0 ses=26854 subj=kernel msg='op=PAM:authentication acct="sssd_5" exe="/usr/sbin/pwauth" hostname=? addr=? terminal=pts/0 res=failed'

I am very new to SSSD and LDAP, so any pointers on the above two problems would be a great help.

user421919

1 Answer


Fixed problem 2 by using ldaps and the corresponding LDAP server certificate.

For problem 1, I tried adding a filter_users = bin entry in the [NSS] section, but the root users (uid=gid=0) are still being filtered out by SSSD.

Thomas
Kedar
    This is by design. root users do not belong to LDAP, they are inherently host-only, so SSSD filters them out. – jhrozek Jul 01 '17 at 19:37
  • @jhrozek, I am facing issue with `getent passwd`. I have 2 users in LDAP with same `gidNumber` and `uidNumber`. If I execute `getent passwd` command, I am getting only 1 user out of those 2. Interesting thing is, `id` and `pwauth` commands work successfully for both of these users. Do you have any suggestion about what might be going wrong with `getent passwd`? – Kedar Aug 21 '17 at 03:16
    Duplicate IDs are not supported by SSSD, sorry. – jhrozek Aug 26 '17 at 19:30