sssd/ldap does not authenticate against LDAP

I have configured SSSD with AD as ID and Auth providers. I am not caching credentials, so I expect connections to AD for authentication when I ssh to the host, but I do not see any. The user account is created:

# sssctl user-checks ams
user: ams
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: ams
 - user id: 1000
 - group id: 1000
 - gecos: Aaron Stromas
 - home directory: /home/ams
 - shell: /bin/bash

SSSD InfoPipe user lookup result:
 - name: ams
 - uidNumber: 1000
 - gidNumber: 1000
 - gecos: Aaron Stromas
 - homeDirectory: /home/ams
 - loginShell: /bin/bash

testing pam_acct_mgmt

pam_acct_mgmt: Success

PAM Environment:
 - no env -

but the logs do not show connections to AD for authentication. I checked that I can bind to AD from that host with my user credentials.

My sssd.conf is

[sssd]
services = nss, pam
domains = domain.com
debug_level = 9

[pam]
[domain/domain.com]
debug_level = 9
cache_credentials = False
ldap_id_mapping = True
ldap_schema = ad
min_id = 1000
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_order = filter
ldap_uri = ldaps://ad.domain.com:636
ldap_default_bind_dn = CN=SDO Service,CN=Users,DC=domain,DC=com
ldap_default_authtok = .....
ldap_search_base = CN=Users,DC=domain,DC=com
ldap_group_search_base = CN=Users,DC=domain,DC=com
ldap_access_filter = CN=ssh-users,CN=Users,DC=domain,DC=com
ldap_group_objectsid = objectSid
ldap_tls_cacert = /etc/pki/ca-trust/source/anchors/cacert.pem
ldap_tls_cipher_suite = HIGH
ldap_tls_reqcert = demand
ldap_opt_timeout = 30
ldap_network_timeout = 60
override_homedir = /home/%u
default_shell = /bin/bash

I expect to see pam_ldap in /var/log/secure, but there is none:

Nov  3 09:11:36 pwlslinux sshd[19221]: Failed publickey for ams from 192.168.1.10 port 54983 ssh2: RSA SHA256:8tNU.....................................o
Nov  3 09:11:36 pwlslinux sshd[19221]: debug3: mm_request_send entering: type 23
Nov  3 09:11:36 pwlslinux sshd[19221]: debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512 [preauth]
Nov  3 09:11:36 pwlslinux sshd[19221]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Nov  3 09:11:36 pwlslinux sshd[19221]: debug3: ensure_minimum_time_since: elapsed 5.156ms, delaying 3.811ms (requested 8.966ms) [preauth]
Nov  3 09:11:36 pwlslinux sshd[19221]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
Nov  3 09:11:36 pwlslinux sshd[19221]: debug3: send packet: type 51 [preauth]
Nov  3 09:11:40 pwlslinux sshd[19221]: debug3: receive packet: type 50 [preauth]
Nov  3 09:11:40 pwlslinux sshd[19221]: debug1: userauth-request for user ams service ssh-connection method password [preauth]
Nov  3 09:11:40 pwlslinux sshd[19221]: debug1: attempt 2 failures 1 [preauth]
Nov  3 09:11:40 pwlslinux sshd[19221]: debug2: input_userauth_request: try method password [preauth]
Nov  3 09:11:40 pwlslinux sshd[19221]: debug3: mm_auth_password entering [preauth]
Nov  3 09:11:40 pwlslinux sshd[19221]: debug3: mm_request_send entering: type 12 [preauth]
Nov  3 09:11:40 pwlslinux sshd[19221]: debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
Nov  3 09:11:40 pwlslinux sshd[19221]: debug3: mm_request_receive_expect entering: type 13 [preauth]
Nov  3 09:11:40 pwlslinux sshd[19221]: debug3: mm_request_receive entering [preauth]
Nov  3 09:11:40 pwlslinux sshd[19221]: debug3: mm_request_receive entering
Nov  3 09:11:40 pwlslinux sshd[19221]: debug3: monitor_read: checking request 12
Nov  3 09:11:40 pwlslinux sshd[19221]: debug3: PAM: sshpam_passwd_conv called with 1 messages
Nov  3 09:11:40 pwlslinux sshd[19221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.10  user=ams
Nov  3 09:11:40 pwlslinux sshd[19221]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.10 user=ams
Nov  3 09:11:40 pwlslinux sshd[19221]: pam_sss(sshd:auth): received for user ams: 9 (Authentication service cannot retrieve authentication info)
Nov  3 09:11:42 pwlslinux sshd[19221]: debug1: PAM: password authentication failed for ams: Authentication failure
Nov  3 09:11:42 pwlslinux sshd[19221]: debug3: mm_answer_authpassword: sending result 0
Nov  3 09:11:42 pwlslinux sshd[19221]: debug3: mm_request_send entering: type 13
Nov  3 09:11:42 pwlslinux sshd[19221]: Failed password for ams from 192.168.1.10 port 54983 ssh2
Nov  3 09:11:42 pwlslinux sshd[19221]: debug3: mm_auth_password: user not authenticated [preauth]
Nov  3 09:11:42 pwlslinux sshd[19221]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Nov  3 09:11:42 pwlslinux sshd[19221]: debug3: ensure_minimum_time_since: elapsed 1733.198ms, delaying 562.131ms (requested 8.966ms) [preauth]
Nov  3 09:11:43 pwlslinux sshd[19221]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
Nov  3 09:11:43 pwlslinux sshd[19221]: debug3: send packet: type 51 [preauth]

Any advice? What am I missing here? I've spent hours trying to figure it out.

I forgot to add PAM modules:

# cat /etc/pam.d/sshd
#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin

# cat /etc/pam.d/password-auth
# Generated by authselect on Thu Nov  3 08:01:25 2022
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     optional                                     pam_oddjob_mkhomedir.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional 

My understanding is that there should be pam_ldap.so in one of the modules, perhaps password-auth, but when I grep for it, I don't see it. I would add it to password-auth, but it is generated by authselect.
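The log excerpt above already shows pam_sss handling the password attempt and returning code 9: pam_sss.so is the module that forwards authentication to SSSD, and pam_ldap.so plays no part when SSSD is the auth provider. As an added check that is not part of the question or its comments, this Python script flattens the sshd auth stack through substack/include and decodes the pam_sss result code from /var/log/secure; PAM_FILES and SAMPLE_LOG are constructed from the question's own files and log lines, with postlogin stubbed because its contents are not shown.

```python
import re

# Constructed sample, abbreviated from the question's PAM files to the "auth" phase.
PAM_FILES = {
    "sshd": "auth       substack     password-auth\nauth       include      postlogin\n",
    "postlogin": "# constructed placeholder: no auth lines\n",
    "password-auth": (
        "auth        required                                     pam_env.so\n"
        "auth        [default=1 ignore=ignore success=ok]         pam_localuser.so\n"
        "auth        sufficient                                   pam_unix.so nullok\n"
        "auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular\n"
        "auth        sufficient                                   pam_sss.so forward_pass\n"
        "auth        required                                     pam_deny.so\n"
    ),
}

# The three PAM lines from /var/log/secure in the question.
SAMPLE_LOG = [
    "Nov  3 09:11:40 pwlslinux sshd[19221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.10  user=ams",
    "Nov  3 09:11:40 pwlslinux sshd[19221]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.10 user=ams",
    "Nov  3 09:11:40 pwlslinux sshd[19221]: pam_sss(sshd:auth): received for user ams: 9 (Authentication service cannot retrieve authentication info)",
]

# PAM line: type, control (bare word or [bracketed] form), module, arguments.
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
PAM_SSS_RESULT = re.compile(r"pam_sss\((\S+):auth\): received for user (\S+): (\d+) \(")
PAM_CODES = {0: "PAM_SUCCESS", 7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

def resolve_stack(files, service, phase):
    """Flatten one PAM phase of a service file, following include/substack."""
    stack = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        m = PAM_LINE.match(line) if line else None
        if not m or m.group(1) != phase:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4)
        if control in ("include", "substack"):
            stack.extend(resolve_stack(files, module, phase))
        else:
            stack.append((control, module, args))
    return stack

def pam_sss_results(lines):
    """Decode 'pam_sss(...): received for user X: N (...)' lines into PAM return codes."""
    hits = (PAM_SSS_RESULT.search(l) for l in lines)
    return [(m.group(1), m.group(2), int(m.group(3)), PAM_CODES.get(int(m.group(3)), "PAM_%s" % m.group(3)))
            for m in hits if m]
```

On a real host, load PAM_FILES from /etc/pam.d and SAMPLE_LOG from /var/log/secure; a pam_sss.so entry in the auth stack plus a PAM_AUTHINFO_UNAVAIL result means the request reached SSSD and the next place to look is the domain log under /var/log/sssd.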

Romeo Ninov:
Just a shot in the dark: try to add quotes around `CN=SDO Service,CN=Users,DC=domain,DC=com`
user2634153:
Since the users are loaded correctly, I don't think it's a problem. However, I did try it and it did not make any difference. My suspicion is it has to do with PAM configuration.
user1686:
Even if the users are loaded correctly, why are you using all this custom LDAP configuration instead of letting sssd handle AD like AD (with its own user lookups and Kerberos authentication and everything)?