I am setting up an LDAP client in Red Hat 8.
After setting up the config files I ran an LDAP user lookup, which succeeded:
# id myusername
uid=666(myusername) gid=510(active_users) groups=510(active_users)
If I run an ldapsearch it returns successfully with the expected results:
# ldapsearch -x -ZZ -h ldap.example.com -b dc=example,dc=com
But if I try to ssh to the Red Hat 8 machine from another machine, I get this error:
# ssh myusername@xxx.xxx.xxx.xxx
myusername@xxx.xxx.xxx.xxx's password:
Permission denied, please try again.
I have tried a couple of different machines with different user accounts and have gotten the same results.
Here is my setup:
/etc/sssd/sssd.conf
# Domain "default", selected by "domains = default" in the [sssd] section below.
[domain/default]
# The server certificate must verify against ldap_tls_cacert; a missing or
# unverifiable certificate terminates the session instead of being accepted.
ldap_tls_reqcert = demand
# No offline credential cache: every password check goes to the LDAP server.
cache_credentials = False
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# LDAP over TLS on the dedicated ldaps port, so StartTLS is disabled below.
# NOTE(review): the ldapsearch test above used "-ZZ -h ldap.example.com"
# (StartTLS over plain ldap://), which is a different connection path from
# the ldaps:// URI sssd uses here -- confirm the ldaps endpoint itself works.
ldap_uri = ldaps://ldap.example.com/
ldap_id_use_start_tls = False
ldap_tls_cacert = /etc/sssd/ca-bundle.crt
# NOTE(review): no access_provider is set; confirm the default for this sssd
# version is the intended access-control behaviour.
[sssd]
config_file_version = 2
# Responders to start. The "ssh" responder is only needed when sssd also
# supplies SSH keys to OpenSSH -- presumably not required for password logins.
services = nss, pam, ssh
# Must match the [domain/...] section name above.
domains = default
[nss]
# Value substituted for %H in home-directory templates; see sssd.conf(5).
homedir_substring = /home
/etc/openldap/ldap.conf
TLS_CACERT /etc/sssd/ca-bundle.crt
#BASE dc=example,dc=com
#URI ldap://ldap.example.com/
SASL_NOCANON    on
URI ldaps://ldap.example.com/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/sssd
/etc/nsswitch.conf
# Generated by authselect on Thu Jan 27 15:22:08 2022
# Do not modify this file manually.
passwd:     sss files systemd
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files
# passwd:    db files
# shadow:    db files
# group:     db files
# In order of likelihood of use to accelerate lookup.
shadow:     files sss
hosts:      files dns myhostname
aliases:    files
ethers:     files
gshadow:    files
# Allow initgroups to default to the setting for group.
# initgroups: files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files
/etc/sysconfig/authconfig
USELDAP=yes
USELDAPAUTH=yes
/etc/pam.d/password-auth
# Generated by authselect on Thu Jan 27 15:22:08 2022
# Do not modify this file manually.
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so
account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so
password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so
/etc/pam.d/system-auth
# Generated by authselect on Thu Jan 27 15:22:08 2022
# Do not modify this file manually.
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so
account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so
password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so
/etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
UsePAM yes
X11Forwarding yes
# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no
ClientAliveInterval 600
ClientAliveCountMax 0
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
/var/log/secure
Jan 28 08:35:39 opal sshd[206875]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx  user=myusername
Jan 28 08:35:40 opal sshd[206875]: Failed password for myusername from xxx.xxx.xxx.xxx port 60384 ssh2
Attempts
I have tried the following:
- Disabling selinux in /etc/selinux/config
- Stopping iptables.service
- Adding `PermitRootLogin yes` and `UsePAM yes` to the Red Hat 8 `/etc/ssh/sshd_config` file
- Repeatedly running `authselect select sssd` and then restarting `sssd.service`
- Adding `FORCELEGACY=yes` in `/etc/sysconfig/authconfig`
Question
Can anyone help me figure out why users cannot use SSH to log in to this server?