Thanks a lot for looking over the config.
I am at the topic "user data is available"
id <username> and getent passwd and ldapsearch -x -b "ou=XXX,o=YYY" uid=<username>
give the correct results ldapsearch gives also the correct host attribute i have set in the ldap server.
Regarding the manpage of sssd.conf the lines access_provider = ldap ldap_access_order = host ldap_user_authorized_host = host should be correct.
login with the wrong password gives a denied login. login with the correct password always works.
This is my sitution since the begin of my thread.
When i login from a "wrong" host which is different than the one in the host attribute of the ldap, i expect a message like the one from my opensuse boxes where it works:
opensuse: sshd[7926]: pam_sss(sshd:account): Access denied for user
username>: 6 (Permission denied)
But instead i get centos: sshd[7929]: pam_unix(sshd:session): session opened for user <username> and i am in.
[ ssh'ing and login locally at the console give the same results ]
So, maybe it is a pam problem.
Comparing the pam.d of my opensuse boxes with my centos box i see common-* files which are inluced, e.g. in the sshd file. They do not exist in centos. Instead i have there the system-auth where the common files should be combined. Fiddling around with the contence of my opensuse commen-* in my centos box's system-auth i did not get further.
I have installed on centos: fprintd-pam-0.5.0-4.0.el7_0.x86_64 pam-1.1.8-12.el7.x86_64 gnome-keyring-pam-3.8.2-10.el7.x86_64 pam_krb5-2.4.8-4.el7.x86_64
Are you sure i do not need nss-pam-ldapd? Googling around i have read something about a /etc/nslcd.conf which comes with this package. Is that needed?
On my opensuse i have much more: gnome-keyring-pam-3.10.1-6.1.x86_64 pam-config-0.86-2.1.2.x86_64 pam-1.1.8-6.1.x86_64 gnome-keyring-pam-32bit-3.10.1-6.1.x86_64 pam-modules-12.1-20.1.2.x86_64 pam_ldap-186-6.1.3.x86_64 pam-devel-1.1.8-6.1.x86_64 pam-32bit-1.1.8-6.1.x86_64 pam-modules-32bit-12.1-20.1.2.x86_64 pam_ldap-32bit-186-6.1.3.x86_64
With kind regards and sorry for the stupid newbie's questions, ulrich
On 05/06/2015 07:02 PM, Gordon Messmer wrote:
On 05/06/2015 07:24 AM, Ulrich Hiller wrote:
Now i have removed the 'ldap' from the /etc/nsswitch.conf. Now it looks like this:
Looks good.
My /etc/openldap/ldap.conf is this:
OK, but that file isn't used for name service or authentication. Mostly just the openldap tools (ldapsearch, ldapadd, ldapmodify).
The sssd.conf is this:
...
[nss] filter_groups = root filter_users = root
nitpick: those are the defaults. Probably don't need to set them.
[domain/default] ldap_id_use_start_tls = True ldap_tls_cacertdir = /etc/ssl/certs ldap_tls_reqcert = never
Not sure about that setting. "allow" is probably what you want if you're using starttls.
access_provider = ldap ldap_access_order = host ldap_user_authorized_host = host
...
When i stop the sssd deamon, no login at all is possible.
OK. Remember that previously you had both sssd and ldap configured to provide user information.
You'll want to watch the logs for more information.
Start by determining whether the problem is in the name service or authentication step. Use "id <user>" or "getent passwd <user>" to determine whether user information is available through sssd. If it is not, then you probably want to start paring out settings that you added (assuming that you started with a file written by authconfig) until that's working.
If user data is available, then start looking at your pam configuration. It looks like you made some changes there, and not all of them make sense. In the auth stack, you're calling pam_unix.so twice. Remove the last one. You've also marked pam_sss.so as required instead of sufficient, which is definitely wrong. On success of a "sufficient" module, processing stops. On success of a "required" module, processing will continue, and will reach pam_deny.so. See the man page for pam.conf for more information.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos