I have configured SSSD with AD as ID and Auth providers. I am not caching credentials, so I expect connections to AD for authentication when I ssh to the host, but I do not see any. The user account is created:
# sssctl user-checks ams
user: ams
action: acct
service: system-auth
SSSD nss user lookup result:
- user name: ams
- user id: 1000
- group id: 1000
- gecos: Aaron Stromas
- home directory: /home/ams
- shell: /bin/bash
SSSD InfoPipe user lookup result:
- name: ams
- uidNumber: 1000
- gidNumber: 1000
- gecos: Aaron Stromas
- homeDirectory: /home/ams
- loginShell: /bin/bash
testing pam_acct_mgmt
pam_acct_mgmt: Success
PAM Environment:
- no env -
but the logs do not show connections to AD for authentication. I checked that I can bind to AD from that host with my user credentials.
My sssd.conf is
[sssd]
services = nss, pam
domains = domain.com
debug_level = 9
[pam]
[domain/domain.com]
debug_level = 9
cache_credentials = False
ldap_id_mapping = True
ldap_schema = ad
min_id = 1000
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_order = filter
ldap_uri = ldaps://ad.domain.com:636
ldap_default_bind_dn = CN=SDO Service,CN=Users,DC=domain,DC=com
ldap_default_authtok = .....
ldap_search_base = CN=Users,DC=domain,DC=com
ldap_group_search_base = CN=Users,DC=domain,DC=com
ldap_access_filter = CN=ssh-users,CN=Users,DC=domain,DC=com
ldap_group_objectsid = objectSid
ldap_tls_cacert = /etc/pki/ca-trust/source/anchors/cacert.pem
ldap_tls_cipher_suite = HIGH
ldap_tls_reqcert = demand
ldap_opt_timeout = 30
ldap_network_timeout = 60
override_homedir = /home/%u
default_shell = /bin/bash
I expect to see pam_ldap in /var/log/secure but there is none
Nov 3 09:11:36 pwlslinux sshd[19221]: Failed publickey for ams from 192.168.1.10 port 54983 ssh2: RSA SHA256:8tNU.....................................o
Nov 3 09:11:36 pwlslinux sshd[19221]: debug3: mm_request_send entering: type 23
Nov 3 09:11:36 pwlslinux sshd[19221]: debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512 [preauth]
Nov 3 09:11:36 pwlslinux sshd[19221]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Nov 3 09:11:36 pwlslinux sshd[19221]: debug3: ensure_minimum_time_since: elapsed 5.156ms, delaying 3.811ms (requested 8.966ms) [preauth]
Nov 3 09:11:36 pwlslinux sshd[19221]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
Nov 3 09:11:36 pwlslinux sshd[19221]: debug3: send packet: type 51 [preauth]
Nov 3 09:11:40 pwlslinux sshd[19221]: debug3: receive packet: type 50 [preauth]
Nov 3 09:11:40 pwlslinux sshd[19221]: debug1: userauth-request for user ams service ssh-connection method password [preauth]
Nov 3 09:11:40 pwlslinux sshd[19221]: debug1: attempt 2 failures 1 [preauth]
Nov 3 09:11:40 pwlslinux sshd[19221]: debug2: input_userauth_request: try method password [preauth]
Nov 3 09:11:40 pwlslinux sshd[19221]: debug3: mm_auth_password entering [preauth]
Nov 3 09:11:40 pwlslinux sshd[19221]: debug3: mm_request_send entering: type 12 [preauth]
Nov 3 09:11:40 pwlslinux sshd[19221]: debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
Nov 3 09:11:40 pwlslinux sshd[19221]: debug3: mm_request_receive_expect entering: type 13 [preauth]
Nov 3 09:11:40 pwlslinux sshd[19221]: debug3: mm_request_receive entering [preauth]
Nov 3 09:11:40 pwlslinux sshd[19221]: debug3: mm_request_receive entering
Nov 3 09:11:40 pwlslinux sshd[19221]: debug3: monitor_read: checking request 12
Nov 3 09:11:40 pwlslinux sshd[19221]: debug3: PAM: sshpam_passwd_conv called with 1 messages
Nov 3 09:11:40 pwlslinux sshd[19221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.10 user=ams
Nov 3 09:11:40 pwlslinux sshd[19221]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.10 user=ams
Nov 3 09:11:40 pwlslinux sshd[19221]: pam_sss(sshd:auth): received for user ams: 9 (Authentication service cannot retrieve authentication info)
Nov 3 09:11:42 pwlslinux sshd[19221]: debug1: PAM: password authentication failed for ams: Authentication failure
Nov 3 09:11:42 pwlslinux sshd[19221]: debug3: mm_answer_authpassword: sending result 0
Nov 3 09:11:42 pwlslinux sshd[19221]: debug3: mm_request_send entering: type 13
Nov 3 09:11:42 pwlslinux sshd[19221]: Failed password for ams from 192.168.1.10 port 54983 ssh2
Nov 3 09:11:42 pwlslinux sshd[19221]: debug3: mm_auth_password: user not authenticated [preauth]
Nov 3 09:11:42 pwlslinux sshd[19221]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Nov 3 09:11:42 pwlslinux sshd[19221]: debug3: ensure_minimum_time_since: elapsed 1733.198ms, delaying 562.131ms (requested 8.966ms) [preauth]
Nov 3 09:11:43 pwlslinux sshd[19221]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
Nov 3 09:11:43 pwlslinux sshd[19221]: debug3: send packet: type 51 [preauth]
Any advice? What am I missing here? I've spent hours trying to figure it out.
I forgot to add PAM modules:
# cat /etc/pam.d/sshd
#%PAM-1.0
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
# cat /etc/pam.d/password-auth
# Generated by authselect on Thu Nov 3 08:01:25 2022
# Do not modify this file manually.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional
My understanding is that there should be pam_ldap.so in one of the modules, perhaps, password-auth but when I grep or it, I don't see it. I would add it to password-auth but it is generated by authselect.
