> Ronny Forberger <ronnyforberger at ronnyforberger.de> wrote on 13 November 2016 at 11:29:
>
> Hi,
>
> > Alan Hicks via freebsd-security <freebsd-security at freebsd.org> wrote on 13 November 2016 at 10:37:
> >
> > On 12/11/2016 17:07, Ronny Forberger wrote:
> > > Hi,
> > > I am using SSSD and FreeBSD to authenticate against samba4.
> > > I used this howto setting all up:
> > > http://serverfault.com/questions/599200/how-to-integrate-active-directory-with-freebsd-10-0-using-security-sssd
> > >
> > > But when I want to logon using password, i.e. via dovecot I get wrong
> > > password.
> > > Neither can I use sudo typing the correct samba4 password.
> > >
> > > Also I get a prompt [I have no name!@HOSTNAME] and my files, which I
> > > chowned & chgrped to the samba user and group only show IDs as owner.
> > This means the system does not know who you are. What authentication
> > system are you using? For example using net/nss-pam-ldap here gives the
> > same error when ldap goes away or upgrading ports. Restarting the
> > authentication service restores access here.
>
> I am using sssd but restarting sssd didn't help. Any other ideas?

I found out that /var/run/sss needed mode 0755. But I still can't use passwords.

My /etc/pam.d/system looks like:

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_sss.so
auth required pam_unix.so no_warn try_first_pass nullok

# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user

# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail
session optional /usr/local/lib/pam_sss.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_sss.so use_authtok
password required pam_unix.so no_warn try_first_pass

What am I doing wrong?

Best regards,
Ronny

> > > Any ideas how to solve this? Can this maybe be a permission problem with
> > > some file for sssd / NSS which an unprivileged user cannot read?
> > >
> > > Best regards,
> > > Ronny Forberger
> > > ___________________________________
> > > Ronny Forberger
> > > ronnyforberger at ronnyforberger.de
> > > PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
> > > _______________________________________________
> > > freebsd-security at freebsd.org mailing list
> > > https://lists.freebsd.org/mailman/listinfo/freebsd-security
> > > To unsubscribe, send any mail to
> > > "freebsd-security-unsubscribe at freebsd.org"
> >
> > Regards,
> > Alan
>
> Best regards,
> Ronny

___________________________________
Ronny Forberger
ronnyforberger at ronnyforberger.de
PGP: http://www.ronnyforberger.de/pgp/email-encryption.html

Dag-Erling Smørgrav
2016-Nov-14 09:26 UTC
I have no name prompt and no passwords recognized
Ronny Forberger <ronnyforberger at ronnyforberger.de> writes:
> # auth
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> #auth sufficient pam_krb5.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> auth sufficient /usr/local/lib/pam_sss.so
> auth required pam_unix.so no_warn try_first_pass nullok

I don't have the answer to your question, but I'd like to point out that you don't need to include the full path to the module. PAM will look in /usr/local/lib if it can't find the module in /usr/lib. You can even leave out the .so suffix (since OpenPAM Nummularia / FreeBSD 9.3).

Two other things: 1) make sure the service you're trying to use actually uses the system policy or a policy that includes it (sshd doesn't) and 2) if you add the "debug" keyword to every pam_sss line in your PAM policy, OpenPAM will log every call to the pam_sss module, everything it does on behalf of that module, and the outcome of the call through syslog (by default, it should go to /var/log/debug.log).

DES
-- 
Dag-Erling Smørgrav - des at des.no
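
Added example (not part of the thread and not code from either poster): a small Python tracer for the two checks suggested above, whether a service's policy actually reaches pam_sss through "include" lines and whether each pam_sss rule carries "debug". The policy files are constructed samples, the "dovecot" policy including "system" is an assumption, and the parser ignores OpenPAM quoting and line continuation.

```python
import os
import tempfile

def rules(path):
    """Yield (facility, control, target, options) per rule; '#' starts a comment."""
    with open(path) as fh:
        for raw in fh:
            f = raw.split("#", 1)[0].split()
            if len(f) >= 3:
                yield f[0], f[1], f[2], f[3:]

def module_name(target):
    """'/usr/local/lib/pam_sss.so', 'pam_sss.so' and 'pam_sss' name one module."""
    name = os.path.basename(target)
    return name[:-3] if name.endswith(".so") else name

def trace(policy_dir, service, facility, module="pam_sss", seen=None):
    """List (policy, control, has_debug) for each `module` rule reached from
    `service` in one facility chain, following 'include' lines."""
    seen = set() if seen is None else seen
    path = os.path.join(policy_dir, service)
    if service in seen or not os.path.isfile(path):
        return []  # include loop, or no such policy file (assumption: no fallback)
    seen.add(service)
    hits = []
    for fac, control, target, opts in rules(path):
        if fac != facility:
            continue
        if control == "include":
            hits += trace(policy_dir, target, facility, module, seen)
        elif module_name(target) == module:
            hits.append((service, control, "debug" in opts))
    return hits

# Constructed sample policies; only the two auth lines of "system" are taken
# from the thread. "dovecot" including "system" is an assumption.
SAMPLE = {
    "system": "auth sufficient /usr/local/lib/pam_sss.so\n"
              "auth required pam_unix.so no_warn try_first_pass nullok\n"
              "session optional pam_sss debug\n",
    "dovecot": "# constructed\nauth include system\nsession include system\n",
    "sshd": "auth required pam_unix.so no_warn try_first_pass\n",
}

def demo():
    """Write SAMPLE to a temp dir and trace pam_sss for two services."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLE.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return {(s, f): trace(d, s, f) for s in ("dovecot", "sshd")
                for f in ("auth", "session")}
```

An empty list for a service means its policy never calls pam_sss in that facility; a hit with has_debug False marks a pam_sss rule that will not produce the per-call syslog output.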