Ldap – Fedora 21 pam_sss authentication failure – permission denied

fedoraldappamsssd

We have configured a OpenLDAP server which is working fine. FreeBSD, Debian, and a WordPress plugin authenticate with no problems. We are configuring Fedora 21 with pam_sss, but we get the following error in /var/log/secure:

Mar  1 00:15:00 www sshd[1176]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=199.100.16.39  user={REDACTED}
Mar  1 00:15:00 www sshd[1176]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=199.100.16.39 user={REDACTED}
Mar  1 00:15:00 www sshd[1176]: pam_sss(sshd:auth): received for user {REDACTED}: 6 (Permission denied)

getent passwd {REDACTED} returns

{REDACTED}:*:1000:500:{REDACTED (full user name)}:/home/users/{REDACTED}:

The command I ran the configure the client is

authconfig --enableldap --enableldapauth --ldapserver='ldap://{REDACTED (IP)}:389/' --ldapbasedn='dc={REDACTED},dc={REDACTED},dc=com' --enablemkhomedir --enableshadow  --update

We have searched online for information about this specific error (the combination of authentication failure and 6 (Permission denied)), but have not found any instances where it has been solved.

Best Answer

I found the solution to the problem. By running sssd -i -d 4 and trying to log in on a different console, I saw that START TLS was where the login failed. Apparently Red Hat and Fedora by default use TLS. The server does not have TLS (we don't have enough time right now). To disable TLS edit /etc/sysconfig/authconfig on the client machine and update FORCELEGACY=no to FORCELEGACY=yes.

Credit to http://www.linuxquestions.org/questions/linux-enterprise-47/rhel-6-ldap-now-requires-tls-843917/

(Thank you Andy for trying to help!)

Related Solutions

Fedora 16: “Permission denied: file permissions deny server access”

If memory serves, you probably need to run chcon -R -h -t httpd_sys_content_t /var/www/html

This recursively sets your content directory to the proper context for Apache.

Ldap – PAM: auth: pam_unix(dovecot:auth): authentication failure;

I do hate to revive a dead question but given that this is the top search result for "dovecot pam authentication failure ldap", let me add this bit of extra knowledge:

The only thing that I've seen in my testing that updates the shadowAccount attributes is the passwd command when you're modifying the password for a user in LDAP... Most other tools don't care much about the shadowAccount class and it's attributes, and won't touch them. However, I only find that shadowAccount classes need to be added to users if they're going to be logging into the host, since that does care. If you're just doing something like email authentication (Dovecot), then it's not much use. I could be wrong here, but I've yet to see anything other than a host login consult the shadowAccount attributes for anything.

Now, if you're having Dovecot authenticate through PAM (which, I assume you probably are, since Dovecot is querying it and you're changing nsswitch), then please bear in mind that while, yes, PAM will pay attention to those extra attributes, you still need the correct tooling to change them... meaning whatever is changing user passwords also needs to go through PAM. Unpopular opinion as it may be, if you're not requiring host logins, just services like Dovecot or others, there's no need to get PAM involved since it's going to be checking a lot more things that are likely going to be irrelevant. (At best it could enforce other things like, yes, password expirations, but personally I would not enforce things like that when the service you login to has no provision to change a password like that) It's likely easier in the long run to have non-host/shell login services check LDAP themselves, allowing for other things like search filters specific to that service.

However assuming you've set up Dovecot to check LDAP itself, and not rely on PAM, at the end of Dovecot's 10-auth.conf are a list of !include lines for different auth mechanisms, like LDAP, SQL, etc. By default, the file auth-system.conf.ext is included before other mechanisms, like LDAP. What this means is that, since, in my testing, Dovecot checks these in the order they're provided, Dovecot will first attempt to authenticate the user with PAM, and then, if that fails, authenticate with LDAP. Ergo, you'll get a PAM error stating, yes, the authentication failure (as well as the first one indicating what failure it is). If you changed this ordering so the method most likely to succeed (LDAP, one would assume) is queried first, then there would be no need to check with PAM, and, therefore, no error thrown by PAM.

To solve this you could comment out the !include auth-system.conf.ext, but this could potentically cause system users (like root or postmaster) to be considered non-existent if you don't have them set up in LDAP.

My personal solution to this one was to cut that line out and paste it at the bottom, like this:

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

!include auth-ldap.conf.ext

#!include auth-sql.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

!include auth-system.conf.ext

This means that Dovecot will first consult LDAP, then consult PAM if LDAP gave no results, as far as my testing has shown.

Best Answer

Related Solutions

Fedora 16: “Permission denied: file permissions deny server access”

Ldap – PAM: auth: pam_unix(dovecot:auth): authentication failure;

Related Topic