I have a CoreOS server which i connected to my LDAP server. I get a correct answer after using id and ldapsearch commands. However, i still not able to login with SSH.
I can see on sssd_LDAP.log file that the server has received the request to login with the user (my_user), but the request was rejected.
tail -f /var/log/sssd/sssd_LDAP.log
(Sun Nov 13 15:06:29 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Sun Nov 13 15:06:49 2016) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=etcd]
(Sun Nov 13 15:06:49 2016) [sssd[be[LDAP]]] [sysdb_get_real_name] (0x0040): Cannot find user [etcd] in cache
(Sun Nov 13 15:06:49 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Sun Nov 13 15:07:10 2016) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=etcd]
(Sun Nov 13 15:07:10 2016) [sssd[be[LDAP]]] [sysdb_get_real_name] (0x0040): Cannot find user [etcd] in cache
(Sun Nov 13 15:07:10 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Sun Nov 13 15:07:30 2016) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=etcd]
(Sun Nov 13 15:07:30 2016) [sssd[be[LDAP]]] [sysdb_get_real_name] (0x0040): Cannot find user [etcd] in cache
(Sun Nov 13 15:07:30 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=etcd]
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [sysdb_get_real_name] (0x0040): Cannot find user [etcd] in cache
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=my_user]
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [sdap_initgr_nested_send] (0x0100): User entry lacks original memberof ?
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [be_pam_handler] (0x0100): Got request with the following data
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): domain: LDAP
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): user: my_user
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): service: sshd
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): tty: ssh
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): ruser:
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): rhost: x.x.x.x
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): authtok type: 0
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): newauthtok type: 0
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): priv: 1
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): cli_pid: 21280
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): logon name: not set
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, <NULL>) [Success (Authentication failure)]
(Sun Nov 13 15:07:51 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sending result [7][LDAP]
Does anyone know what is the issue?
Update: I have deleted the configuration files under /etc, as the default PAM config under /usr enables sssd.
Here are the current errors:
Dec 12 09:33:07 localhost sshd[3298]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=my_user
Dec 12 09:33:07 localhost sshd[3298]: pam_sss(sshd:auth): received for user my_user: 7 (Authentication failure)
Dec 12 09:33:11 localhost sshd[3298]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=my_user
Dec 12 09:33:14 localhost sshd[3296]: PAM: Authentication failure for my_user from x.x.x.x
Here are the current configuration:
cat system-auth
auth required pam_env.so
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
account required pam_unix.so
# Don't fail if the user is unknown to sssd or if sssd isn't running
account required pam_sss.so ignore_unknown_user ignore_authinfo_unavail
account optional pam_permit.so
password sufficient pam_unix.so try_first_pass nullok sha512 shadow
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
session optional pam_sss.so
-session optional pam_systemd.so
cat sshd
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login
Best Answer
According to this line:
There was no password passed from the PAM stack towards SSSD (authtok type 0 means no password, 1 would be password), so there is nothign SSSD can use to authenticate towards the LDAP server.
I would recommend to check the PAM configuration (although I have never used coreos myself, so I have no idea how the PAM stack looks like there..)