Score:1

LDAP finds user, but "permission denied" when logging in

aw flag

I am setting up an LDAP client in Red Hat 8.

After setting up the config files I did an LDAP user test and it came back successfully:

# id myusername
uid=666(myusername) gid=510(active_users) groups=510(active_users)

If I run an ldapsearch it returns successfully with the expected results:

# ldapsearch -x -ZZ -h ldap.example.com -b dc=example,dc=com

But if I try to ssh to the Red Hat 8 machine from another machine then I get this error:

# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.

I have tried a couple of different machines with different user accounts and have gotten the same results.

Here is my setup:

/etc/sssd/sssd.conf

[domain/default]
ldap_tls_reqcert = demand
cache_credentials = False
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.example.com/
ldap_id_use_start_tls = False
ldap_tls_cacert = /etc/sssd/ca-bundle.crt

[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = default

[nss]
homedir_substring = /home

/etc/openldap/ldap.conf

TLS_CACERT /etc/sssd/ca-bundle.crt

#BASE dc=example,dc=com
#URI ldap://ldap.example.com/
SASL_NOCANON    on
URI ldaps://ldap.example.com/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/sssd

/etc/nsswitch.conf

# Generated by authselect on Thu Jan 27 15:22:08 2022
# Do not modify this file manually.

passwd:     sss files systemd
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files

# passwd:    db files
# shadow:    db files
# group:     db files

# In order of likelihood of use to accelerate lookup.
shadow:     files sss
hosts:      files dns myhostname

aliases:    files
ethers:     files
gshadow:    files
# Allow initgroups to default to the setting for group.
# initgroups: files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files

/etc/sysconfig/authconfig

USELDAP=yes
USELDAPAUTH=yes

/etc/pam.d/password-auth

# Generated by authselect on Thu Jan 27 15:22:08 2022
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so

/etc/pam.d/system-auth

# Generated by authselect on Thu Jan 27 15:22:08 2022
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so

/etc/ssh/sshd_config

# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

UsePAM yes

X11Forwarding yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no

ClientAliveInterval 600
ClientAliveCountMax 0

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

/var/log/secure

Jan 28 08:35:39 opal sshd[206875]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx  user=myusername
Jan 28 08:35:40 opal sshd[206875]: Failed password for myusername from xxx.xxx.xxx.xxx port 60384 ssh2

Attempts

I have tried the following:

  • Disabling selinux in /etc/selinux/config
  • Stopping iptables.service
  • Adding PermitRootLogin yes and UsePAM yes to the Red Hat 8 /etc/ssh/sshd_conf file
  • Repeatedly tried authselect select sssd, and then restarting sssd.service
  • Adding FORCELEGACY=yes in /etc/sysconfig/authconfig

Question

Can anyone help me figure out why users cannot use SSH to log in to this server?

cn flag
Have you tried logging in to *both* systems as a *non-LDAP* user, and doing the `id` command on both? That would identify if it's a domain joining issue, or something else.
aw flag
@shearn89 I have logged in as a non-LDAP user and performed the `id` command on the Red Hat machine. From the machines that I am trying to SSH from, I am able to SSH to other machines using LDAP users.
cn flag
Sorry, is the Red Hat machine the server or client? Can you test the `id` command on BOTH server and client.
aw flag
The Red Hat machine is a server. Yes, the `id` command works on both the server and the client.
cn flag
Is time in sync between both?
aw flag
Good question, I checked and yes they are in sync
Score:0
aw flag

I finally found a solution, by creating a custom authselect profile with custom password-auth, system-auth, and nsswitch.conf files.

1. Create custom profile based off sssd

authselect create-profile user-profile -b sssd

2. Overwrite /etc/authselect/custom/user-profile/password-auth and /etc/authselect/custom/user-profile/system-auth with the following settings

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_sss.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_sss.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so

3. Overwrite /etc/authselect/custom/user-profile/nsswitch.conf with the following settings

passwd:     files sss     {exclude if "with-custom-passwd"}
shadow:     files sss
group:      files sss     {exclude if "with-custom-group"}
netmasks:   files
networks:   files
netgroup:   files sss     {exclude if "with-custom-netgroup"}
automount:  files sss     {exclude if "with-custom-automount"}
services:   files sss     {exclude if "with-custom-services"}
sudoers:    files sss     {exclude if "with-sudo"}

4. Select new profile

authselect select custom/user-profile

5. Restart sssd

systemctrl restart sssd
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.