Thanks a lot for looking over the config.

I am at the topic "user data is available":
id <username>, getent passwd and
ldapsearch -x -b "ou=XXX,o=YYY" uid=<username>
give the correct results. ldapsearch also gives the correct host attribute I have set in the LDAP server.

Regarding the manpage of sssd.conf, the lines
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
should be correct.

Login with the wrong password gives a denied login.
Login with the correct password always works.

This is my situation since the beginning of my thread.

When I log in from a "wrong" host, which is different from the one in the host attribute of the LDAP, I expect a message like the one from my opensuse boxes, where it works:
opensuse: sshd[7926]: pam_sss(sshd:account): Access denied for user <username>: 6 (Permission denied)
But instead I get
centos: sshd[7929]: pam_unix(sshd:session): session opened for user <username>
and I am in.
[ ssh'ing and logging in locally at the console give the same results ]

So, maybe it is a pam problem.
Comparing the pam.d of my opensuse boxes with my centos box, I see common-* files which are included, e.g. in the sshd file. They do not exist in centos. Instead I have there the system-auth, where the common files should be combined. Fiddling around with the contents of my opensuse common-* in my centos box's system-auth, I did not get further.

I have installed on centos:
fprintd-pam-0.5.0-4.0.el7_0.x86_64
pam-1.1.8-12.el7.x86_64
gnome-keyring-pam-3.8.2-10.el7.x86_64
pam_krb5-2.4.8-4.el7.x86_64

Are you sure I do not need nss-pam-ldapd? Googling around, I have read something about a /etc/nslcd.conf which comes with this package. Is that needed?

On my opensuse I have much more:
gnome-keyring-pam-3.10.1-6.1.x86_64
pam-config-0.86-2.1.2.x86_64
pam-1.1.8-6.1.x86_64
gnome-keyring-pam-32bit-3.10.1-6.1.x86_64
pam-modules-12.1-20.1.2.x86_64
pam_ldap-186-6.1.3.x86_64
pam-devel-1.1.8-6.1.x86_64
pam-32bit-1.1.8-6.1.x86_64
pam-modules-32bit-12.1-20.1.2.x86_64
pam_ldap-32bit-186-6.1.3.x86_64

With kind regards and sorry for the stupid newbie's questions,
ulrich

On 05/06/2015 07:02 PM, Gordon Messmer wrote:
> On 05/06/2015 07:24 AM, Ulrich Hiller wrote:
>>
>> Now I have removed the 'ldap' from the /etc/nsswitch.conf. Now it looks
>> like this:
>
> Looks good.
>
>> My /etc/openldap/ldap.conf is this:
>
> OK, but that file isn't used for name service or authentication. Mostly
> just the openldap tools (ldapsearch, ldapadd, ldapmodify).
>
>> The sssd.conf is this:
> ...
>> [nss]
>> filter_groups = root
>> filter_users = root
>
> nitpick: those are the defaults. Probably don't need to set them.
>
>> [domain/default]
>> ldap_id_use_start_tls = True
>> ldap_tls_cacertdir = /etc/ssl/certs
>> ldap_tls_reqcert = never
>
> Not sure about that setting. "allow" is probably what you want if
> you're using starttls.
>
>> access_provider = ldap
>> ldap_access_order = host
>> ldap_user_authorized_host = host
> ...
>> When I stop the sssd daemon, no login at all is possible.
>
> OK. Remember that previously you had both sssd and ldap configured to
> provide user information.
>
> You'll want to watch the logs for more information.
>
> Start by determining whether the problem is in the name service or
> authentication step. Use "id <user>" or "getent passwd <user>" to
> determine whether user information is available through sssd. If it is
> not, then you probably want to start paring out settings that you added
> (assuming that you started with a file written by authconfig) until
> that's working.
>
> If user data is available, then start looking at your pam configuration.
> It looks like you made some changes there, and not all of them make
> sense. In the auth stack, you're calling pam_unix.so twice. Remove the
> last one. You've also marked pam_sss.so as required instead of
> sufficient, which is definitely wrong. On success of a "sufficient"
> module, processing stops. On success of a "required" module, processing
> will continue, and will reach pam_deny.so. See the man page for
> pam.conf for more information.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
On 05/07/2015 12:07 PM, Ulrich Hiller wrote:
> Login with the wrong password gives a denied login.
> Login with the correct password always works.
>
> This is my situation since the beginning of my thread.

Got it. I misread part of your last message, and thought that logins were /not/ working when sssd was running.

> But instead I get
> centos: sshd[7929]: pam_unix(sshd:session): session opened for user
> <username>

"pam_unix" should be an indication that <username> appears in the local unix password files. Make sure that it doesn't.

What do /etc/pam.d/sshd and /etc/pam.d/system-auth contain, currently?

> So, maybe it is a pam problem.

Looks that way to me.

> I have installed on centos:
> fprintd-pam-0.5.0-4.0.el7_0.x86_64
> pam-1.1.8-12.el7.x86_64
> gnome-keyring-pam-3.8.2-10.el7.x86_64
> pam_krb5-2.4.8-4.el7.x86_64
>
> Are you sure I do not need nss-pam-ldapd?

Yes. nss-pam-ldapd does, essentially, the same thing that sssd does. You also don't need pam_krb5. sssd has krb5 modules to support Kerberos login.

> Googling around I have read
> something about a /etc/nslcd.conf which comes with this package. Is that
> needed?

No. Before sssd, there was nss_ldap. It sometimes caused boot problems by trying to connect to an LDAP server for user data before the network was up. nss-pam-ldapd was written to address that with a daemon that handled queries, which was started after network init. That mostly solved the problem for LDAP. sssd does mostly the same thing, but handles LDAP, krb5, as well as extensions for FreeIPA and Active Directory. It can cache credentials for offline use (for laptops). When using sssd, you don't need the older PAM or NSS modules.

> On my opensuse I have much more:

I'm not terribly familiar with opensuse's authentication setup. Your log says you're using sss there, so most of those modules are probably installed but unused.
>> But instead I get
>> centos: sshd[7929]: pam_unix(sshd:session): session opened for user
>> <username>
>
> "pam_unix" should be an indication that <username> appears in the local
> unix password files. Make sure that it doesn't.

Nope. None of the usernames I tried is in /etc/passwd or /etc/shadow.

> What do /etc/pam.d/sshd and /etc/pam.d/system-auth contain, currently?

/etc/pam.d/sshd:
----------------
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077

/etc/pam.d/system-auth:
-----------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 200 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
auth        required      pam_env.so
auth        optional      pam_gnome_keyring.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 2000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
account     requisite     pam_unix.so try_first_pass
account     sufficient    pam_localuser.so
account     required      pam_sss.so use_first_pass
account     sufficient    pam_localuser.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
password    requisite     pam_cracklib.so
password    optional      pam_gnome_keyring.so use_authtok
password    sufficient    pam_unix.so use_authtok nullok shadow try_first_pass
password    required      pam_sss.so use_authtok
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     sufficient    pam_sss.so
session     required      pam_unix.so try_first_pass
session     optional      pam_umask.so
session     optional      pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm

With kind regards,
ulrich
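The following is an added worked example, not code from this thread or from Linux-PAM. It models the control-flag rules Gordon quotes from pam.conf(5) (a "sufficient" success stops the stack, a "required" success continues and reaches pam_deny.so) and runs them over two constructed auth stacks and over the account section of the system-auth file posted above. The return values assigned to each module (an LDAP-only user, correct password, host attribute not matching this box) are constructed for the simulation; the user's real uid is not given in the thread, and note that the posted /etc/pam.d/sshd pulls in password-auth rather than system-auth, so that is the file an ssh login actually walks.

```python
"""
Model of how Linux-PAM walks one facility's module stack (added example, not
code from the thread). It encodes the control-flag rules from pam.conf(5):
the keywords required / requisite / sufficient / optional, the bracketed
[value=action] form, and integer jumps. Each module's return value is supplied
by the caller, so no real PAM module is involved; the point is to see which
modules get called and what the stack finally returns.
"""
from typing import Dict, List, Optional, Tuple

# Keyword expansions as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}
Entry = Tuple[Dict[str, str], str]          # (value -> action map, module file name)


def parse_control(control: str) -> Dict[str, str]:
    """'sufficient' or '[default=bad success=ok user_unknown=ignore]' -> value/action map."""
    if control in KEYWORDS:
        return dict(KEYWORDS[control])
    if control.startswith("[") and control.endswith("]"):
        return dict(item.split("=", 1) for item in control[1:-1].split())
    raise ValueError(f"unsupported control field: {control}")


def parse_stack(text: str, facility: str) -> List[Entry]:
    """Collect the lines of one facility (auth, account, password, session) from pam.d text.
    include/substack are not expanded: paste the included file's lines in yourself."""
    stack: List[Entry] = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#") or fields[0].lstrip("-") != facility:
            continue                               # '-session' is 'session' with a missing-module allowance
        if fields[1] in ("include", "substack"):
            raise ValueError(f"expand by hand before simulating: {raw.strip()}")
        if fields[1].startswith("["):              # bracketed control fields contain spaces
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            control, module = " ".join(fields[1:end + 1]), fields[end + 1]
        else:
            control, module = fields[1], fields[2]
        stack.append((parse_control(control), module))
    return stack


def run_stack(stack: List[Entry], outcomes: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Walk the stack. `outcomes` maps a module name to the value it returns for this
    login ('success', 'auth_err', 'perm_denied', 'user_unknown', ...); modules not
    listed return 'ignore' (PAM_IGNORE) and do not weigh in.
    Returns (final result, names of the modules that were actually called)."""
    result: Optional[str] = None                   # None: nothing has weighed in yet
    called: List[str] = []
    i = 0
    while i < len(stack):
        actions, module = stack[i]
        i += 1
        value = outcomes.get(module, "ignore")
        called.append(module)
        action = actions.get(value, actions.get("default", "ignore"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if result in (None, "success"):        # the first failure is the one the stack reports
                result = value
            if action == "die":                    # requisite: return to the application now
                break
            continue
        if not (action in ("ok", "done") or action.isdigit()):
            raise ValueError(f"unsupported action: {action}")
        if result in (None, "success"):            # ok/done/jump: the value counts unless a failure is recorded
            result = value
        if action == "done" and result == "success":
            break                                  # sufficient succeeded and no earlier required module failed
        if action.isdigit():
            i += int(action)                       # jump over the next N modules
    return result, called


# Constructed stacks: the first two follow the authconfig layout quoted in the thread,
# the third is the account section of the system-auth file posted above.
AUTH_SSS_SUFFICIENT = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
"""
AUTH_SSS_REQUIRED = AUTH_SSS_SUFFICIENT.replace("sufficient    pam_sss.so", "required      pam_sss.so")
POSTED_ACCOUNT = """
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 2000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
account     requisite     pam_unix.so try_first_pass
account     sufficient    pam_localuser.so
account     required      pam_sss.so use_first_pass
account     sufficient    pam_localuser.so
"""
# Constructed return values for an LDAP-only user typing the right password.
LDAP_USER_AUTH = {"pam_env.so": "success", "pam_unix.so": "user_unknown", "pam_succeed_if.so": "success",
                  "pam_sss.so": "success", "pam_deny.so": "auth_err"}


def ldap_auth(stack_text: str) -> Tuple[Optional[str], List[str]]:
    return run_stack(parse_stack(stack_text, "auth"), LDAP_USER_AUTH)


def ldap_account(uid: int) -> Tuple[Optional[str], List[str]]:
    """Account phase of the posted stack for an LDAP user whose host attribute does
    not match this machine, so pam_sss would deny access (constructed values)."""
    outcomes = {"pam_unix.so": "success",                   # broken_shadow: no local shadow entry is fine
                "pam_succeed_if.so": "success" if uid < 2000 else "auth_err",
                "pam_sss.so": "perm_denied", "pam_permit.so": "success",
                "pam_localuser.so": "perm_denied"}          # user is not in /etc/passwd
    return run_stack(parse_stack(POSTED_ACCOUNT, "account"), outcomes)


if __name__ == "__main__":
    print("pam_sss sufficient:", ldap_auth(AUTH_SSS_SUFFICIENT))
    print("pam_sss required:  ", ldap_auth(AUTH_SSS_REQUIRED))
    for uid in (1500, 2500):
        print("posted account stack, uid", uid, ldap_account(uid))
```

With pam_sss.so sufficient the auth walk stops at pam_sss.so and returns success; with it required the walk continues into pam_deny.so and the login fails, which is the behaviour Gordon describes. The account run shows the other side of the same rule: in the posted stack, `account sufficient pam_succeed_if.so uid < 2000` ends the account phase with success for any user whose uid satisfies the condition, so pam_sss.so (and its host check) is never consulted for such a user; only a user with uid 2000 or above reaches it and gets the "Access denied" result.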