
Re: sssd/pam/pam_check_user_search throwing 'No matching domain for [user], fail!'

On Mon, Aug 13, 2012 at 09:59:14PM +0000, Lang, Dick wrote:
> Hello,
> 
> I have a large number of CentOS 6.3 clients attempting to authenticate via 
> user accounts on an OSX (Lion) server running OpenDirectory/OpenLDAP.
> 
> My CentOS clients are fully updated, running 
> nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64.  This nss-pam-ldapd package was 
> apparently installed as an update in my systems on June 19th.
> 
> At one point, in the recent past, authentication on these systems worked 
> fine.  The users for whom it worked are all cached and sssd still permits 
> them to log in.  However, something changed (probably my configuration, or 
> possibly the update) and now only the cached users can authenticate.  I 
> should mention that numerous OSX clients and Windows 7 clients (with PGINA 
> 2.1) are able to authenticate from the same OpenDirectory server.  While I 
> don't rule it out, it seems unlikely that the server is at fault.
> 
> Below I have listed the contents of what I hope are the necessary log files 
> and configuration files…  But here is my description of what is happening, as 
> far as I seem to be able to go.  (If there are means of getting more 
> information, I would like to know…).
> 
> As best I can tell, the authentication fails in pam when it displays the 
> following message when user "cochran" attempts to login with ssh:
> 
> (Mon Aug 13 13:31:26 2012) [sssd[pam]] [pam_check_user_search] (0x0100): 
> Requesting info for [cochran@default]
> (Mon Aug 13 13:31:26 2012) [sssd[pam]] [ldb] (0x4000): tevent: Added timed 
> event "ltdb_callback": 0x15b8510
> (Mon Aug 13 13:31:26 2012) [sssd[pam]] [ldb] (0x4000): tevent: Added timed 
> event "ltdb_timeout": 0x15b8630
> (Mon Aug 13 13:31:26 2012) [sssd[pam]] [ldb] (0x4000): tevent: Destroying 
> timer event 0x15b8630 "ltdb_timeout"
> (Mon Aug 13 13:31:26 2012) [sssd[pam]] [ldb] (0x4000): tevent: Ending timer 
> event 0x15b8510 "ltdb_callback"
> (Mon Aug 13 13:31:26 2012) [sssd[pam]] [pam_check_user_search] (0x0040): No 
> matching domain found for [cochran], fail!
> 

pam_sss wasn't able to find the user cochran. Please note that pam_sss
doesn't perform a full getpwnam()/getpwuid() lookup through the whole
NSS stack. It rather performs a lookup just inside the sssd. I'm not
sure off the top of my head if the lookup works if you don't use SSSD
for the user lookups as well, but I think it should.

> In this case, "cochran" is a legitimate user account present on the LDAP 
> server (domain "default" in sssd.conf).
> 
> nslcd appears to be able to perform successful LDAP searches as evidenced by:
> 
> [root@ecs325-10 sssd]# getent passwd cochran
> cochran:x:10001:10199:Wayne 
> Cochran:/Network/Servers/delta.labs.encs/Volumes/Files/users/cochran:/bin/bash
> [root@ecs325-10 sssd]# getent shadow cochran
> cochran:*:::::::0
> 

These user lookups all come from the nss_ldap module. Can you also check
if the SSSD is able to look up users? Provided that the sssd-client
package is installed, you can directly query the nss_sss module:

$ getent passwd -s sss cochran

In general, I would strongly advise against using nss-pam-ldapd for user
lookups and sssd's pam_sss for authentication. I think that picking one
or the other would put you in a much better supportable situation. At
the very least, the SSSD team never tests this kind of setup.
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
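As an added example (not from the thread or from sssd itself), a small parser for the sssd[pam] debug records quoted above: it re-joins records that a mail client wrapped, flags each "No matching domain found" failure, pairs it with the domain named in the preceding "Requesting info" record, and emits the nss_sss-only lookup the reply suggests running next. The sample log is constructed from the quoted lines with the ">" quoting removed.

```python
import re
from collections import namedtuple

# sssd record shape as quoted in the thread:
#   (timestamp) [sssd[pam]] [function] (0xlevel): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>sssd\[[a-z_]+\])\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
REQ_RE = re.compile(r"Requesting info for \[(?P<user>[^@\]]+)@(?P<domain>[^\]]+)\]")
FAIL_RE = re.compile(r"No matching domain found for \[(?P<user>[^\]]+)\], fail!")

# Constructed sample: mail quoting removed, one record left wrapped as in the post
SAMPLE_LOG = """\
(Mon Aug 13 13:31:26 2012) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [cochran@default]
(Mon Aug 13 13:31:26 2012) [sssd[pam]] [ldb] (0x4000): tevent: Added timed event "ltdb_callback": 0x15b8510
(Mon Aug 13 13:31:26 2012) [sssd[pam]] [pam_check_user_search] (0x0040): No
matching domain found for [cochran], fail!
"""

# domain: the one named in the preceding "Requesting info" record, or None
# check:  the nss_sss-only lookup the reply recommends (bypasses nss_ldap)
Failure = namedtuple("Failure", "ts user domain check")

def _records(text):
    """Yield whole records, re-joining continuation lines a mail client wrapped."""
    cur = None
    for line in text.splitlines():
        if line.startswith("("):          # every sssd record opens with "(timestamp)"
            if cur is not None:
                yield cur
            cur = line.rstrip()
        elif cur is not None and line.strip():
            cur += " " + line.strip()     # continuation of the previous record
    if cur is not None:
        yield cur

def parse_pam_log(text):
    """Return one Failure per 'No matching domain found' record in sssd[pam] output."""
    pending, failures = {}, []
    for rec in _records(text):
        m = LINE_RE.match(rec)
        if not m or m["proc"] != "sssd[pam]":   # ignore other sssd responders
            continue
        if (r := REQ_RE.search(m["msg"])):
            pending[r["user"]] = r["domain"]     # remember which domain was asked
        elif (f := FAIL_RE.search(m["msg"])):
            failures.append(Failure(m["ts"], f["user"], pending.pop(f["user"], None),
                                    f"getent passwd -s sss {f['user']}"))
    return failures
```

Running `parse_pam_log(SAMPLE_LOG)` yields one Failure for cochran in domain "default" with the check `getent passwd -s sss cochran`; if that command returns nothing while plain `getent passwd cochran` succeeds, the user is being served by nss_ldap only, which is exactly the mixed setup the reply advises against.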