[Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

Bobby Prins bobby.prins at proxy.nl
Tue Mar 24 18:52:02 UTC 2015


> On Mar 24, 2015, at 18:42, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> 
> On Tue, 24 Mar 2015, Bobby Prins wrote:
>>>> The inability to login is reported in about the same time as the number of seconds you would find in the etime= field of the RESULT line.
>>>> 
>>>> I checked the "Common AD provider issues" and "Troubleshooting authentication, password change and access control" sections on the SSSD Troubleshooting page. None of the issues reported there seem to be applicable in my situation.
>>>> 
>>>> PAM logging on AIX:
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_start(login bprins at example.corp)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(1)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(2)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(5)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(3)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(4)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(8)
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_authenticate()
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: load_modules: /usr/lib/security/pam_aix
>>>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: load_function: successful load of pam_sm_authenticate
>>>> Mar 24 16:23:22 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(6)
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_authenticate: error Authentication failed
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(6)
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_acct_mgmt()
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: load_modules: /usr/lib/security/pam_aix
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: load_function: successful load of pam_sm_acct_mgmt
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_acct_mgmt: error No account present for user
>>>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_end(): status = Authentication failed
>>>> Mar 24 16:23:37 tst01 auth|security:info syslog: vty0: failed login attempt for UNKNOWN_USER
>>>> 
>>>> Doing a ldapsearch with bprins at example.corp as bind user works without any problems.
>>> According to the log above you get failure from pam_aix which should be
>>> expected if pam_aix doesn't think that the user in question is coming
>>> from LDAP.
>>> 
>>> Can you show output of
>>> 
>>> lsuser -R LDAP bprins at example.corp
>>> lsuser -a registry SYSTEM bprins at example.corp
>>> 
>>> The attributes 'registry' and 'SYSTEM' should be set to LDAP (or KRB5LDAP).
>>> 
>>> Can you show how you configured the AIX client?
>>> 
>>> --
>>> / Alexander Bokovoy
>> 
>> lsuser -R LDAP bprins at example.corp:
>> bprins at example.corp id=211623277 pgrp=bprins at example.corp groups=bprins at example.corp home=/home/example.corp/bprins shell=/bin/bash gecos=Bobby Prins login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=LDAP logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= default_roles= fsize=8388604 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
> I assume you have /bin/bash installed on AIX? This user has shell
> defined as /bin/bash and if it is missing, login or ssh will deny its
> access to the system.
Yes, bash is a valid shell on this machine and also in use by local and IPA users.
> 
>> 
>> lsuser -a registry SYSTEM bprins at example.corp:
>> bprins at example.corp registry=LDAP SYSTEM=LDAP
>> 
>> Contents of /etc/security/ldap/ldap.cfg:
>> ldapservers:idm01.unix.example.corp
>> authtype:ldap_auth
>> useSSL:no
>> userattrmappath:/etc/security/ldap/IPAuser.map
>> groupattrmappath:/etc/security/ldap/IPAgroup.map
>> userbasedn:cn=users,cn=compat,dc=unix,dc=example,dc=corp
>> groupbasedn:cn=groups,cn=compat,dc=unix,dc=example,dc=corp
>> userclasses:posixaccount
>> groupclasses:posixgroup
>> ldapport:389
>> searchmode:ALL
>> defaultentrylocation:LDAP
>> serverschematype:rfc2307
>> 
>> Map file /etc/security/ldap/IPAuser.map:
>> #IPAuser.map file
>> keyobjectclass  SEC_CHAR        posixaccount            s
>> 
>> # The following attributes are required by AIX to be functional
>> username        SEC_CHAR        uid                     s
>> id              SEC_INT         uidnumber               s
>> pgrp            SEC_CHAR        gidnumber               s
>> home            SEC_CHAR        homedirectory           s
>> shell           SEC_CHAR        loginshell              s
>> gecos           SEC_CHAR        gecos                   s
>> spassword       SEC_CHAR        userpassword            s
>> lastupdate      SEC_INT         shadowlastchange        s
>> 
>> Map file /etc/security/ldap/IPAgroup.map:
>> #IPAgroup.map file
>> groupname       SEC_CHAR    cn                    s
>> id              SEC_INT     gidNumber             s
>> users           SEC_LIST    member                m
>> 
>> With the current setup users created on the IPA server work, AD users not.
> The rest of configuration looks fine. Given that PAM debug output
> mentions pam_aix, can you show /etc/pam.conf and
> /etc/security/login.cfg. I suspect that you have auth_type=PAM_AUTH in
> /etc/security/login.cfg, that's why PAM authentication is in use and
> pam_aix should theoretically pick up LDAP via LAM mechanism.
> -- 
> / Alexander Bokovoy

Contents of pam.conf:
...
#
# Authentication
#
authexec auth   required        pam_aix
dtaction auth   required        pam_aix
dtsession auth  required        pam_aix
dtlogin auth    required        pam_aix
ftp     auth    required        pam_aix
imap    auth    required        pam_aix
login   auth    required        pam_aix
rexec   auth    required        pam_aix
rlogin  auth    sufficient      pam_rhosts_auth
rlogin  auth    required        pam_aix
rsh     auth    required        pam_rhosts_auth
snapp   auth    required        pam_aix
su      auth    sufficient      pam_allowroot
su      auth    required        pam_aix
swrole  auth    required        pam_aix
telnet  auth    required        pam_aix
xdm     auth    required        pam_aix
sshd    auth    required        pam_aix
OTHER   auth    required        pam_prohibit
 
#
# Account Management
#
authexec account required       pam_aix
dtlogin account required        pam_aix
ftp     account required        pam_aix
login   account required        pam_aix
rexec   account required        pam_aix
rlogin  account required        pam_aix
rsh     account required        pam_aix
su      account sufficient      pam_allowroot
su      account required        pam_aix
swrole  account required        pam_aix
telnet  account required        pam_aix
xdm     account required        pam_aix
sshd    account required        pam_aix
OTHER   account required        pam_prohibit
 
#
# Password Management
#
authexec password  required     pam_aix
dtlogin password  required      pam_aix
login   password  required      pam_aix
passwd  password  required      pam_aix
rlogin  password  required      pam_aix
su      password  required      pam_aix
telnet  password  required      pam_aix
xdm     password  required      pam_aix
sshd    password  required      pam_aix
OTHER   password  required      pam_prohibit
 
#
# Session Management
#
dtlogin session required        pam_aix
ftp     session required        pam_aix
imap    session required        pam_aix
login   session required        pam_aix
rexec   session required        pam_aix
rlogin  session required        pam_aix
rsh     session required        pam_aix
snapp   session required        pam_aix
su      session required        pam_aix
swrole  session required        pam_aix
telnet  session required        pam_aix
xdm     session required        pam_aix
sshd    session required        pam_aix
OTHER   session required        pam_prohibit

Contents of login.cfg:
…
usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd,/bin/bash
        maxlogins = 32767
        logintimeout = 60
        maxroles = 8
        auth_type = PAM_AUTH

So you were correct about using PAM_AUTH. I’m thinking about logging a support case with IBM for this PAM behavior.
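The pam.conf stacks and the getty PAM trace quoted in this thread lend themselves to a small audit script. What follows is an added example written for this page, not code from the thread, from FreeIPA, SSSD or IBM; the pam.conf excerpt and syslog lines embedded in it are constructed copies trimmed from what was posted, and the helper names parse_pam_conf, audit_pam_conf and pam_timeline are my own. It checks that the OTHER fallback is fail-closed (pam_prohibit) for all four PAM types, lists services whose stack contains a 'sufficient' module that can short-circuit the rest, and pairs each pam_*() call with its "error" line so the elapsed seconds can be compared with the etime= field of the matching directory-server RESULT line, which is the correlation the thread relies on.

```python
"""Audit an AIX-style /etc/pam.conf and time a PAM debug trace.

Added example for this thread; the file excerpt and log lines below are
constructed from the posted material, and the helper names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

PAM_TYPES = ("auth", "account", "password", "session")

# Constructed excerpt of the posted pam.conf (AIX syntax:
# <service> <type> <control> <module> [args]).
SAMPLE_PAM_CONF = """\
#
# Authentication
#
login   auth    required        pam_aix
rlogin  auth    sufficient      pam_rhosts_auth
rlogin  auth    required        pam_aix
sshd    auth    required        pam_aix
OTHER   auth    required        pam_prohibit
login   account required        pam_aix
rlogin  account required        pam_aix
sshd    account required        pam_aix
OTHER   account required        pam_prohibit
login   password required       pam_aix
OTHER   password required       pam_prohibit
login   session required        pam_aix
sshd    session required        pam_aix
OTHER   session required        pam_prohibit
"""

# Constructed syslog lines, shortened from the getty trace in the thread.
SAMPLE_PAM_LOG = """\
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_authenticate()
Mar 24 16:23:22 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(6)
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_authenticate: error Authentication failed
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_acct_mgmt()
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_acct_mgmt: error No account present for user
"""


def parse_pam_conf(text):
    """Return {service: {type: [(control, module), ...]}} in file order."""
    stacks = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1] not in PAM_TYPES:
            continue                             # skip malformed lines, never guess
        service, ptype, control, module = parts[:4]
        stacks[service][ptype].append((control.lower(), module))
    return stacks


def audit_pam_conf(stacks):
    """Return a list of findings; an empty list means nothing to report.

    (1) OTHER must end in pam_prohibit for every type, so an unlisted service
        is denied rather than silently allowed.
    (2) A service with an auth stack but no account stack falls through to
        OTHER for pam_acct_mgmt(), which the trace above shows rejecting a
        user even after authentication.
    (3) 'sufficient' modules are listed because they can short-circuit the
        remaining modules of that stack.
    """
    findings = []
    other = stacks.get("OTHER", {})
    for ptype in PAM_TYPES:
        chain = other.get(ptype, [])
        if not chain or chain[-1][1] != "pam_prohibit":
            findings.append(f"OTHER {ptype}: not fail-closed (expected pam_prohibit)")
    for service, types in stacks.items():
        if service == "OTHER":
            continue
        if "auth" in types and "account" not in types:
            findings.append(f"{service}: auth stack present but no account stack (falls to OTHER)")
        for ptype, chain in types.items():
            for control, module in chain:
                if control == "sufficient":
                    findings.append(
                        f"{service} {ptype}: '{module}' is sufficient and can short-circuit later modules")
    return findings


# Matches "pam_xxx()" (call start) and "pam_xxx: error <text>" (call failure);
# other PAM debug lines such as pam_set_item(6) or load_modules are ignored.
LOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+ \S+ PAM: (\w+)(?:\(\)|: error (.*))$")


def pam_timeline(text, year=2015):
    """Return {call: {"started": datetime, "error": str|None, "seconds": float|None}}.

    Syslog timestamps carry no year, so it is supplied (2015 for the thread).
    """
    events = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, call, error = m.groups()
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        entry = events.setdefault(call, {"started": None, "error": None, "seconds": None})
        if error is None:                        # "pam_xxx()" marks the call start
            entry["started"] = when
        else:                                    # "pam_xxx: error ..." marks failure
            entry["error"] = error
            if entry["started"] is not None:
                entry["seconds"] = (when - entry["started"]).total_seconds()
    return events


if __name__ == "__main__":
    for finding in audit_pam_conf(parse_pam_conf(SAMPLE_PAM_CONF)):
        print("pam.conf:", finding)
    for call, info in pam_timeline(SAMPLE_PAM_LOG).items():
        print(f"{call}: {info['seconds']}s until error '{info['error']}'")
```

On the posted trace the script reports a 27-second gap between pam_authenticate() and its "Authentication failed" line, followed immediately by pam_acct_mgmt() failing with "No account present for user"; the first number is the one to line up against etime= on the 389-ds side, and the second confirms that the account-lookup stage, not only the password check, is failing for the AD user.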
