
sssd/pam/pam_check_user_search throwing 'No matching domain for [user], fail!'




Hello,

I have a large number of CentOS 6.3 clients attempting to authenticate via user accounts on an OSX (Lion) server running OpenDirectory/OpenLDAP.

My CentOS clients are fully updated, running nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64.  This nss-pam-ldapd package was apparently installed as an update in my systems on June 19th.

At one point, in the recent past, authentication on these systems worked fine.  The users for which it worked are all cached and sssd still permits them to log in.  However, something changed (probably my configuration, or possibly the update) and now only the cached users can authenticate.  I should mention that numerous OSX clients and Windows 7 clients (with PGINA 2.1) are able to authenticate from the same OpenDirectory server.  While I don't rule it out, it seems unlikely that the server is at fault.

Below I have listed the contents of what I hope are the necessary log files and configuration files…  But here is my description of what is happening, as far as I seem to be able to go.  (If there are means of getting more information, I would like to know…).

As best I can tell, the authentication fails in pam, which displays the following message when user "cochran" attempts to log in with ssh:

(Mon Aug 13 13:31:26 2012) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [cochran@default]
(Mon Aug 13 13:31:26 2012) [sssd[pam]] [ldb] (0x4000): tevent: Added timed event "ltdb_callback": 0x15b8510
(Mon Aug 13 13:31:26 2012) [sssd[pam]] [ldb] (0x4000): tevent: Added timed event "ltdb_timeout": 0x15b8630
(Mon Aug 13 13:31:26 2012) [sssd[pam]] [ldb] (0x4000): tevent: Destroying timer event 0x15b8630 "ltdb_timeout"
(Mon Aug 13 13:31:26 2012) [sssd[pam]] [ldb] (0x4000): tevent: Ending timer event 0x15b8510 "ltdb_callback"
(Mon Aug 13 13:31:26 2012) [sssd[pam]] [pam_check_user_search] (0x0040): No matching domain found for [cochran], fail!

In this case, "cochran" is a legitimate user account present on the LDAP server (domain "default" in sssd.conf).

nslcd appears to be able to perform successful LDAP searches as evidenced by:

[root@ecs325-10 sssd]# getent passwd cochran
cochran:x:10001:10199:Wayne Cochran:/Network/Servers/delta.labs.encs/Volumes/Files/users/cochran:/bin/bash
[root@ecs325-10 sssd]# getent shadow cochran
cochran:*:::::::0

and by the debug output of nslcd listed at the end of this email.

At the same time, the debug output from pam_succeed_if and pam_sss is as follows (from /var/log/messages):

Aug 13 13:31:26 localhost unix_chkpwd[11690]: check pass; user unknown
Aug 13 13:31:26 localhost unix_chkpwd[11690]: password check failed for user (cochran)
Aug 13 13:31:26 localhost sshd[11687]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=cochran
Aug 13 13:31:26 localhost sshd[11687]: pam_succeed_if(sshd:auth): 'uid' resolves to '10001'
Aug 13 13:31:26 localhost sshd[11687]: pam_succeed_if(sshd:auth): requirement "uid >= 500" was met by user "cochran"
Aug 13 13:31:26 localhost sshd[11687]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=cochran
Aug 13 13:31:26 localhost sshd[11687]: pam_sss(sshd:auth): received for user cochran: 10 (User not known to the underlying authentication module)
Aug 13 13:31:28 localhost sshd[11687]: Failed password for cochran from ::1 port 57555 ssh2
Aug 13 13:31:32 localhost sshd[11688]: Connection closed by ::1

I would like to note that in the log entries above, pam_succeed_if finds the LDAP entries and successfully tests the correct UID (10001).

I do not understand how pam_sss then reports "User not known to the underlying authentication module". I assume this error is effectively the result of the "No matching domain found…" message seen above in the sssd_pam.log file.  My understanding of these modules is apparently insufficient to determine why, if nslcd and pam_succeed_if can find the user in the LDAP directory, pam_check_user_search cannot.  Any ideas?

I would very much appreciate some help identifying the issue here.  As I indicated above, this did work previously.  I have listed my configuration files below along with the debug output of nslcd.

I seem to be unable to get any more testing/debugging information from sssd/pam/nslcd and have hit a wall.

Thanks in advance for your time and consideration,

Dick Lang
WSU Vancouver

------------ /etc/nsswitch.conf ----------------

passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

-------------- password-auth -----------------

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 debug
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

--------------- /etc/sssd/sssd.conf -----------------------

[sssd]
debug_level = 0xFFFF
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LDAP

domains = default
[nss]
debug_level = 0xFFFF

[pam]
debug_level = 0xFFFF
pam_verbosity = 3

# Example LDAP domain
# [domain/LDAP]
# id_provider = ldap
# auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
# ldap_schema = rfc2307
# ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
# enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
# cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For Unix and map LDAP attributes onto
# msSFU30* attribute names.
# [domain/AD]
# id_provider = ldap
# auth_provider = krb5
# chpass_provider = krb5
#
# ldap_search_base = dc=example,dc=com
# ldap_schema = rfc2307bis
# ldap_sasl_mech = GSSAPI
# ldap_user_object_class = user
# ldap_group_object_class = group
# ldap_user_home_directory = unixHomeDirectory
# ldap_user_principal = userPrincipalName
# ldap_account_expire_policy = ad
# ldap_force_upper_case_realm = true
#
# krb5_server = your.ad.example.com
# krb5_realm = EXAMPLE.COM
[domain/default]
debug_level = 0xFFFF
auth_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
cache_credentials = True
krb5_realm = EXAMPLE.COM
ldap_search_base = dc=delta,dc=labs,dc=encs
id_provider = ldap
ldap_tls_cacertdir = /etc/openldap/cacerts

-------------- /etc/nslcd.conf -------------------------

# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.

# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name of the search base.
# base dc=example,dc=com

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret

# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com

# The default search scope.
#scope sub
#scope one
#scope base

# Customize certain database lookups.
#base   group  ou=Groups,dc=example,dc=com
#base   passwd ou=People,dc=example,dc=com
#base   shadow ou=People,dc=example,dc=com
#scope  group  onelevel
#scope  hosts  sub

# Bind/connect timelimit.
#bind_timelimit 30

# Search timelimit.
#timelimit 30

# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
idle_timelimit 3600

# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never

# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# NDS mappings
#map group uniqueMember member

# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map    passwd uid              msSFU30Name
#map    passwd userPassword     msSFU30Password
#map    passwd homeDirectory    msSFU30HomeDirectory
#map    passwd homeDirectory    msSFUHomeDirectory
#filter shadow (objectClass=User)
#map    shadow uid              msSFU30Name
#map    shadow userPassword     msSFU30Password
#filter group  (objectClass=Group)
#map    group  uniqueMember     msSFU30PosixMember

# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map    passwd uid              msSFUName
#map    passwd userPassword     msSFUPassword
#map    passwd homeDirectory    msSFUHomeDirectory
#map    passwd gecos            msSFUName
#filter shadow (objectClass=User)
#map    shadow uid              msSFUName
#map    shadow userPassword     msSFUPassword
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=Group)
#map    group  uniqueMember     posixMember

# Mappings for Active Directory
#pagesize 1000
#referrals off
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map    passwd uid              sAMAccountName
#map    passwd homeDirectory    unixHomeDirectory
#map    passwd gecos            displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map    shadow uid              sAMAccountName
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=group)
#map    group  uniqueMember     member

# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map    passwd uid              userName
#map    passwd userPassword     passwordChar
#map    passwd uidNumber        uid
#map    passwd gidNumber        gid
#filter group  (objectClass=aixAccessGroup)
#map    group  cn               groupName
#map    group  uniqueMember     member
#map    group  gidNumber        gid
uid nslcd
gid ldap
# This comment prevents repeated auto-migration of settings.
base dc=delta,dc=labs,dc=encs
ssl on
tls_reqcert never
tls_cacertdir /etc/openldap/cacerts

---------------------- nslcd debug output (nslcd -d -d) -----------------------

nslcd: [9cf92e] DEBUG: myldap_get_entry(): retry search
nslcd: [9cf92e] DEBUG: ldap_initialize(ldaps://delta.labs.encs/)
ldap_create
ldap_url_parse_ext(ldaps://delta.labs.encs/)
nslcd: [9cf92e] DEBUG: ldap_set_rebind_proc()
nslcd: [9cf92e] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [9cf92e] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [9cf92e] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [9cf92e] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [9cf92e] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [9cf92e] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [9cf92e] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [9cf92e] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [9cf92e] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://delta.labs.encs/")
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP delta.labs.encs:636
ldap_new_socket: 11
ldap_prepare_socket: 11
ldap_connect_to_host: Trying 172.16.0.5:636
ldap_pvt_connect: fd: 11 tm: 10 async: 0
ldap_ndelay_on: 11
ldap_int_poll: fd: 11 tm: 10
ldap_is_sock_ready: 11
ldap_ndelay_off: 11
ldap_pvt_connect: 0
TLS: certificate [E=dick_lang [at] vancouver.wsu.edu,C=US,CN=delta.labs.encs] is valid
TLS certificate verification: subject: E=dick_lang [at] vancouver.wsu.edu,C=US,CN=delta.labs.encs, issuer: E=dick_lang [at] vancouver.wsu.edu,OU=MACOSX OpenDirectory Intermediate CA,O=Washington State University Vancouver,CN=IntermediateCA_DELTA.LABS.ENCS_1, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x7f8c14016f00 msgid 1
wait4msg ld 0x7f8c14016f00 msgid 1 (timeout 10000000 usec)
wait4msg continue ld 0x7f8c14016f00 msgid 1 all 1
** ld 0x7f8c14016f00 Connections:
* host: delta.labs.encs  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Aug 13 13:31:26 2012


** ld 0x7f8c14016f00 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f8c14016f00 request count 1 (abandoned 0)
** ld 0x7f8c14016f00 Response Queue:
   Empty
  ld 0x7f8c14016f00 response count 0
ldap_chkResponseList ld 0x7f8c14016f00 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f8c14016f00 NULL
ldap_int_select
read1msg: ld 0x7f8c14016f00 msgid 1 all 1
read1msg: ld 0x7f8c14016f00 msgid 1 message type bind
read1msg: ld 0x7f8c14016f00 0 new referrals
read1msg:  mark request completed, ld 0x7f8c14016f00 msgid 1
request done: ld 0x7f8c14016f00 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_search_ext
put_filter: "(&(objectClass=posixAccount)(uid=cochran))"
put_filter: AND
put_filter_list "(objectClass=posixAccount)(uid=cochran)"
put_filter: "(objectClass=posixAccount)"
put_filter: simple
put_simple_filter: "objectClass=posixAccount"
put_filter: "(uid=cochran)"
put_filter: simple
put_simple_filter: "uid=cochran"
ldap_build_search_req ATTRS: userPassword cn gidNumber uidNumber loginShell objectClass gecos uid homeDirectory
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x7f8c14016f00 msgid 2
wait4msg ld 0x7f8c14016f00 msgid 2 (timeout 10000000 usec)
wait4msg continue ld 0x7f8c14016f00 msgid 2 all 0
** ld 0x7f8c14016f00 Connections:
* host: delta.labs.encs  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Aug 13 13:31:26 2012


** ld 0x7f8c14016f00 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f8c14016f00 request count 1 (abandoned 0)
** ld 0x7f8c14016f00 Response Queue:
   Empty
  ld 0x7f8c14016f00 response count 0
ldap_chkResponseList ld 0x7f8c14016f00 msgid 2 all 0
ldap_chkResponseList returns ld 0x7f8c14016f00 NULL
ldap_int_select
read1msg: ld 0x7f8c14016f00 msgid 2 all 0
read1msg: ld 0x7f8c14016f00 msgid 2 message type search-entry
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_msgfree
ldap_result ld 0x7f8c14016f00 msgid 2
wait4msg ld 0x7f8c14016f00 msgid 2 (timeout 10000000 usec)
wait4msg continue ld 0x7f8c14016f00 msgid 2 all 0
** ld 0x7f8c14016f00 Connections:
* host: delta.labs.encs  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Aug 13 13:31:26 2012


** ld 0x7f8c14016f00 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f8c14016f00 request count 1 (abandoned 0)
** ld 0x7f8c14016f00 Response Queue:
   Empty
  ld 0x7f8c14016f00 response count 0
ldap_chkResponseList ld 0x7f8c14016f00 msgid 2 all 0
ldap_chkResponseList returns ld 0x7f8c14016f00 NULL
ldap_int_select
read1msg: ld 0x7f8c14016f00 msgid 2 all 0
read1msg: ld 0x7f8c14016f00 msgid 2 message type search-result
read1msg: ld 0x7f8c14016f00 0 new referrals
read1msg:  mark request completed, ld 0x7f8c14016f00 msgid 2
request done: ld 0x7f8c14016f00 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ldap_msgfree
nslcd: [9cf92e] DEBUG: ldap_result(): end of results

---------------------------------------- end ---------------------------------------------------
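A small triage helper for the situation described in this post (added example, not code from the original post, from sssd or from nss-pam-ldapd): it parses the sssd_pam.log and pam_sss syslog formats quoted above together with an sssd.conf, correlates the responder's "No matching domain found" rejection with the pam_sss return code per user, and flags any [domain/...] section that uses id_provider = ldap without an ldap_uri (sssd then relies on DNS SRV discovery to find the server). The sample inputs are constructed from the post's own lines.

```python
# Added triage helper (not from the original post, sssd or nss-pam-ldapd). Parses the
# sssd_pam.log and pam_sss syslog formats quoted above plus an sssd.conf; the sample
# inputs below are constructed from the post's own lines.
import configparser
import re

SSSD_LINE = re.compile(r"^\([^)]+\) \[sssd\[\w+\]\] \[(?P<func>\w+)\] \(0x[0-9A-Fa-f]+\): (?P<msg>.*)$")
NO_DOMAIN = re.compile(r"No matching domain found for \[(?P<user>[^\]]+)\]")
PAM_RESULT = re.compile(r"pam_sss\([^)]+\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")

SSSD_LOG = """(Mon Aug 13 13:31:26 2012) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [cochran@default]
(Mon Aug 13 13:31:26 2012) [sssd[pam]] [pam_check_user_search] (0x0040): No matching domain found for [cochran], fail!
""".splitlines()
SYSLOG = """Aug 13 13:31:26 localhost sshd[11687]: pam_sss(sshd:auth): received for user cochran: 10 (User not known to the underlying authentication module)
""".splitlines()
SSSD_CONF = """[sssd]
domains = default
[domain/default]
id_provider = ldap
ldap_search_base = dc=delta,dc=labs,dc=encs
"""

def responder_rejections(lines):
    """{user: message} for every pam_check_user_search 'No matching domain' line."""
    out = {}
    for m in filter(None, map(SSSD_LINE.match, lines)):
        d = NO_DOMAIN.search(m.group("msg")) if m.group("func") == "pam_check_user_search" else None
        if d:
            out[d.group("user")] = m.group("msg")
    return out

def pam_sss_results(lines):
    """{user: (pam_code, text)} from pam_sss 'received for user' lines (10 = PAM_USER_UNKNOWN)."""
    return {m.group("user"): (int(m.group("code")), m.group("text"))
            for m in map(PAM_RESULT.search, lines) if m}

def domain_problems(conf_text):
    """{domain: [problems]}: section not enabled, or id_provider=ldap with no ldap_uri."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    enabled = {d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")}
    report = {}
    for sec in (s for s in cp.sections() if s.startswith("domain/")):
        probs = [] if sec[7:] in enabled else ["not listed in [sssd] domains"]
        if cp.get(sec, "id_provider", fallback="") == "ldap" and not cp.has_option(sec, "ldap_uri"):
            probs.append("id_provider=ldap without ldap_uri (server located only via DNS SRV)")
        report[sec[7:]] = probs
    return report

def triage(sssd_lines, syslog_lines, conf_text):
    """Correlate responder rejection with the pam_sss return code for each user seen."""
    rej, pam = responder_rejections(sssd_lines), pam_sss_results(syslog_lines)
    users = {u: {"responder_rejected": u in rej, "pam_sss": pam.get(u)} for u in set(rej) | set(pam)}
    return users, domain_problems(conf_text)
```

Run `triage(SSSD_LOG, SYSLOG, SSSD_CONF)` against the real sssd_pam.log, /var/log/messages and /etc/sssd/sssd.conf contents to see, per user, whether the failure originates in the sssd pam responder or in the LDAP backend configuration.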