On 05/11/2015 10:06 AM, Ulrich Hiller wrote:
> Hmmm...., I have made now a complete new install but the problem
> persists: ldap authentication works, but the host attribute is ignored.

Hate to say that we're running out of options. I had a CentOS 7 system similar to yours, with LDAP authentication. I added three lines to sssd.conf (for access provider, etc), restarted sssd, and users with no "host" attribute were denied. I didn't actually test users with a host attribute that didn't match, or with deny rules. So maybe there's a bug that needs to be looked at? Does authentication work for users that have no "host" attribute at all?

> I have installed CentOS7 64bit with KDE.
> I did not do any 'yum update' or install of extra packages so far.

Update, see if that makes a difference. After that you'll probably have to turn up logging in sssd and check its logs to see what it's doing.
> Hate to say that we're running out of options. I had a CentOS 7 system
> similar to yours, with LDAP authentication. I added three lines to
> sssd.conf (for access provider, etc), restarted sssd, and users with no
> "host" attribute were denied. I didn't actually test users with a host
> attribute that didn't match, or with deny rules. So maybe there's a bug
> that needs to be looked at? Does authentication work for users that
> have no "host" attribute at all?

Yes, it works for users that have no "host" attribute at all.

>> I have installed CentOS7 64bit with KDE.
>> I did not do any 'yum update' or install of extra packages so far.
>
> Update, see if that makes a difference.

I did it, rebooted it. No difference.

> After that you'll probably have to turn up logging in sssd and check its
> logs to see what it's doing.

That's a good hint. I'll do that tomorrow.

With kind regards, ulrich
> After that you'll probably have to turn up logging in sssd and check its
> logs to see what it's doing.

I have set logging in sssd to 9:

cache_credentials = true
debug_level = 9

I first tried a user with the correct host attribute, then a user without the host attribute. The output in the logfiles is the same.

Note: USER is not a local user. Without the correct ldap password the user cannot login.

User with correct host attribute
--------------------------------

(Tue May 12 13:16:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Tue May 12 13:16:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): domain: default
(Tue May 12 13:16:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): user: USER
(Tue May 12 13:16:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): service: sshd
(Tue May 12 13:16:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): tty: ssh
(Tue May 12 13:16:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): ruser:
(Tue May 12 13:16:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): rhost: myhost.mydomain.com
(Tue May 12 13:16:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): authtok type: 0
(Tue May 12 13:16:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue May 12 13:16:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): priv: 0
(Tue May 12 13:16:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): cli_pid: 5921
(Tue May 12 13:16:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): logon name: not set

journalctl:

May 12 13:16:36 localhost sshd[5917]: pam_unix(sshd:auth): unrecognized ENCRYPT_METHOD value [DES]
May 12 13:16:36 localhost sshd[5917]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost.mydomain.com user=USER
May 12 13:16:36 localhost sshd[5917]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost.mydomain.com user=USER
May 12 13:16:36 localhost sshd[5917]: pam_unix(sshd:account): unrecognized ENCRYPT_METHOD value [DES]
May 12 13:16:36 localhost sshd[5917]: Accepted password for USER from 999.999.999.999 port 33399 ssh2
May 12 13:16:36 localhost systemd[1]: Starting user-501.slice.
May 12 13:16:36 localhost systemd[1]: Created slice user-501.slice.
May 12 13:16:36 localhost systemd[1]: Starting Session 24 of user USER.
May 12 13:16:36 localhost systemd[1]: Started Session 24 of user USER.
May 12 13:16:36 localhost systemd-logind[601]: New session 24 of user USER.
May 12 13:16:36 localhost sshd[5917]: pam_unix(sshd:session): unrecognized ENCRYPT_METHOD value [DES]
May 12 13:16:36 localhost sshd[5917]: pam_unix(sshd:session): session opened for user USER by (uid=0)
May 12 13:16:40 localhost sshd[5921]: Received disconnect from 999.999.999.999: 11: disconnected by user
May 12 13:16:40 localhost sshd[5917]: pam_unix(sshd:session): unrecognized ENCRYPT_METHOD value [DES]
May 12 13:16:40 localhost sshd[5917]: pam_unix(sshd:session): session closed for user USER
May 12 13:16:40 localhost systemd-logind[601]: Removed session 24.

User without host attribute:
----------------------------

sssd.log:

(Tue May 12 13:27:46 2015) [sssd[be[default]]] [pam_print_data] (0x0100): command: PAM_CLOSE_SESSION
(Tue May 12 13:27:46 2015) [sssd[be[default]]] [pam_print_data] (0x0100): domain: default
(Tue May 12 13:27:46 2015) [sssd[be[default]]] [pam_print_data] (0x0100): user: USER
(Tue May 12 13:27:46 2015) [sssd[be[default]]] [pam_print_data] (0x0100): service: sshd
(Tue May 12 13:27:46 2015) [sssd[be[default]]] [pam_print_data] (0x0100): tty: ssh
(Tue May 12 13:27:46 2015) [sssd[be[default]]] [pam_print_data] (0x0100): ruser:
(Tue May 12 13:27:46 2015) [sssd[be[default]]] [pam_print_data] (0x0100): rhost: myhost.mydomain.com
(Tue May 12 13:27:46 2015) [sssd[be[default]]] [pam_print_data] (0x0100): authtok type: 0
(Tue May 12 13:27:46 2015) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue May 12 13:27:46 2015) [sssd[be[default]]] [pam_print_data] (0x0100): priv: 1
(Tue May 12 13:27:46 2015) [sssd[be[default]]] [pam_print_data] (0x0100): cli_pid: 6051
(Tue May 12 13:27:46 2015) [sssd[be[default]]] [pam_print_data] (0x0100): logon name: not set

journalctl:

May 12 13:27:44 localhost sshd[6051]: pam_unix(sshd:auth): unrecognized ENCRYPT_METHOD value [DES]
May 12 13:27:44 localhost sshd[6051]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost.mydomain.com user=USER
May 12 13:27:44 localhost sshd[6051]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost.mydomain.com user=USER
May 12 13:27:44 localhost sshd[6051]: pam_unix(sshd:account): unrecognized ENCRYPT_METHOD value [DES]
May 12 13:27:44 localhost sshd[6051]: Accepted password for USER from 999.999.999.999 port 33417 ssh2
May 12 13:27:44 localhost systemd[1]: Created slice user-501.slice.
May 12 13:27:44 localhost systemd[1]: Starting Session 26 of user USER.
May 12 13:27:44 localhost systemd[1]: Started Session 26 of user USER.
May 12 13:27:44 localhost systemd-logind[601]: New session 26 of user USER.
May 12 13:27:44 localhost sshd[6051]: pam_unix(sshd:session): unrecognized ENCRYPT_METHOD value [DES]
May 12 13:27:44 localhost sshd[6051]: pam_unix(sshd:session): session opened for user USER by (uid=0)
May 12 13:27:46 localhost sshd[6053]: Received disconnect from 999.999.999.999: 11: disconnected by user
May 12 13:27:46 localhost sshd[6051]: pam_unix(sshd:session): unrecognized ENCRYPT_METHOD value [DES]
May 12 13:27:46 localhost sshd[6051]: pam_unix(sshd:session): session closed for user USER
May 12 13:27:46 localhost systemd-logind[601]: Removed session 26.

Does this give anyone a clue? Where else can I look?

With kind regards, ulrich
On 05/12/2015 06:25 AM, Ulrich Hiller wrote:
>
> I have set logging in sssd to 9:

7 might be good enough for what you want to find.

I added this to the domain/default section:

access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
debug_level = 7

/var/log/sssd/sssd_default.log logged the following for one user who had no "host" attribute, and was denied login:

-----
(Tue May 12 10:35:35 2015) [sssd[be[default]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [dc=private,dc=example,dc=net]
(Tue May 12 10:35:35 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gordon)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=private,dc=example,dc=net].
(Tue May 12 10:35:35 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
...
(Tue May 12 10:35:35 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
-----

So, the user lookup definitely requested the host attribute.

The authentication process logs to the same file:

-----
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): domain: default
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): user: gordon
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): service: sshd
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): tty: ssh
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): ruser:
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): rhost: 10.1.10.41
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): authtok type: 0
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): priv: 1
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): cli_pid: 7871
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [gordon]
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [sdap_access_host] (0x0020): Missing hosts. Access denied
-----

Your log excerpt did not include "performing access check". I don't know if that's because it isn't in your log or because your excerpt was too short.
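To make the decision behind the "Missing hosts. Access denied" line above concrete, here is an added example (mine, not code from this thread and not sssd's own code) that re-implements the `ldap_access_order = host` check in Python the way I read sssd's `sdap_access_host()`: an entry with no `host` values is denied, a value of `!name` denies, an exact case-insensitive match or `*` allows, and a deny wins over an allow. Two points are assumptions on my part and are exactly what to verify on a box where the attribute seems ignored: that sssd compares against what `gethostname()` returns (the `hostname` command) rather than the DNS FQDN, and that an explicit deny overrides an allow. The LDIF entry is constructed (it reuses the base DN and uid from the log above; the host value is invented), and `explain()`, `ldif_attr_values()` and `host_access()` are names I chose.

```python
import base64
import socket
from typing import Iterable, List, Tuple

# Message sssd logs from sdap_access_host() when the entry has no "host"
# values at all (quoted from the sssd_default.log excerpt in the thread).
DENIED_MISSING = "Missing hosts. Access denied"


def host_access(host_values: Iterable[str], hostname: str) -> Tuple[bool, str]:
    """Evaluate ldap_access_order = host for one user entry.

    host_values: the user's LDAP "host" attribute values.
    hostname:    the name sssd compares against. Assumption: that is what
                 gethostname() returns on the target machine, compared
                 case-insensitively, not the FQDN resolved through DNS.
    Returns (allowed, reason). An explicit "!name" deny wins over any allow
    (assumption, mirroring how I read sdap_access_host()).
    """
    values = [v.strip() for v in host_values if v and v.strip()]
    if not values:
        return False, DENIED_MISSING
    wanted = hostname.lower()
    allowed, reason = False, f"no host value matched {hostname!r}: {values}"
    for value in values:
        if value.startswith("!") and value[1:].lower() == wanted:
            return False, f"host {hostname!r} explicitly denied by {value!r}"
        if allowed:
            continue                      # keep scanning only for a later deny
        if value.lower() == wanted:
            allowed, reason = True, f"host {hostname!r} explicitly allowed by {value!r}"
        elif value == "*":
            allowed, reason = True, "wildcard '*' allows every host"
    return allowed, reason


def ldif_attr_values(ldif: str, attr: str) -> List[str]:
    """Return every value of `attr` from single-entry LDIF text (the shape
    `ldapsearch -LLL` prints), unfolding continuation lines and decoding
    the `attr:: <base64>` form."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folds long lines with a leading space
        else:
            lines.append(raw)
    out: List[str] = []
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != attr.lower():
            continue
        if rest.startswith(":"):          # "attr:: base64value"
            out.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            out.append(rest.strip())
    return out


def explain(ldif: str, hostname: str) -> str:
    """Verdict for one entry, flagging the usual surprise: the directory
    holds the FQDN while gethostname() on the box returns the short name."""
    hosts = ldif_attr_values(ldif, "host")
    allowed, reason = host_access(hosts, hostname)
    verdict = f"{'ALLOW' if allowed else 'DENY'}: {reason}"
    if not allowed and "." not in hostname:
        fqdn = [h for h in hosts if h.lower().startswith(hostname.lower() + ".")]
        if fqdn:
            verdict += f" (note: {fqdn[0]!r} looks like the FQDN of {hostname!r})"
    return verdict


# Constructed sample entry; base DN and uid taken from the thread's log,
# the host value is invented for the example.
SAMPLE_LDIF = """\
dn: uid=gordon,ou=people,dc=private,dc=example,dc=net
objectClass: posixAccount
uid: gordon
uidNumber: 501
host: box1.private.example.net
"""

if __name__ == "__main__":
    print(explain(SAMPLE_LDIF, "box1.private.example.net"))  # ALLOW
    print(explain(SAMPLE_LDIF, "box1"))                      # DENY, with FQDN note
    print(explain(SAMPLE_LDIF, socket.gethostname()))        # this machine's name
```

To feed it real data instead of the constructed entry, dump the user as the same identity sssd binds with, so that a directory ACL hiding `host` from that bind DN shows up as an empty result: `ldapsearch -x -LLL -H ldap://SERVER -D "BIND_DN_FROM_sssd.conf" -W -b "dc=private,dc=example,dc=net" "(uid=USER)" host`, and compare the returned value with the output of `hostname` on the client (SERVER, the bind DN and USER are placeholders for the values in your sssd.conf).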