Fedora 21 pam_sss authentication failure - permission denied
I found the solution to the problem. By running sssd -i -d 4 and trying to log in on a different console, I saw that START TLS was where the login failed. Apparently Red Hat and Fedora by default use TLS. The server does not have TLS (we don't have enough time right now). To disable TLS, edit /etc/sysconfig/authconfig on the client machine and update FORCELEGACY=no to FORCELEGACY=yes.
Credit to http://www.linuxquestions.org/questions/linux-enterprise-47/rhel-6-ldap-now-requires-tls-843917/
(Thank you Andy for trying to help!)
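An added example, not part of the original answer: an LDAP simple bind without TLS sends the password unencrypted, so a client left on FORCELEGACY=yes is worth tracking until the server has TLS. This audit flags that setting and the related sssd.conf options (ldap_uri, ldap_id_use_start_tls, ldap_tls_reqcert); the sample file contents and the function names are constructed for illustration.

```python
import configparser

# Constructed sample inputs (not taken from the post): the authconfig setting
# the answer changes, and an sssd.conf domain pointing at a plain ldap:// server.
SAMPLE_AUTHCONFIG = "USELDAP=yes\nUSELDAPAUTH=yes\nFORCELEGACY=yes\n"
SAMPLE_SSSD = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.0.2.10:389/
ldap_tls_reqcert = never
"""

def parse_sysconfig(text):
    """Parse KEY=value lines from a /etc/sysconfig-style file."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip().strip("'\"")
    return pairs

def audit(authconfig_text, sssd_text):
    """Return findings for settings that let LDAP passwords travel unencrypted."""
    findings = []
    if parse_sysconfig(authconfig_text).get("FORCELEGACY", "no").lower() == "yes":
        findings.append("authconfig: FORCELEGACY=yes")
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read_string(sssd_text)
    for name in cfg.sections():
        if not name.startswith("domain/"):
            continue
        dom = cfg[name]
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        start_tls = dom.get("ldap_id_use_start_tls", "false").lower() == "true"
        if not start_tls and any(u.lower().startswith("ldap://") for u in uris):
            findings.append(f"{name}: ldap:// without ldap_id_use_start_tls")
        if dom.get("ldap_tls_reqcert", "").lower() in ("never", "allow"):
            findings.append(f"{name}: ldap_tls_reqcert does not verify the server")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHCONFIG, SAMPLE_SSSD):
        print("WARN", finding)
```

On a real client, pass the contents of /etc/sysconfig/authconfig and /etc/sssd/sssd.conf to audit(); an empty list means none of these three conditions was found.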
Joel May
Updated on September 18, 2022
Comments
-
Joel May almost 2 years
We have configured an OpenLDAP server which is working fine. FreeBSD, Debian, and a WordPress plugin authenticate with no problems. We are configuring Fedora 21 with pam_sss, but we get the following error in /var/log/secure:
Mar 1 00:15:00 www sshd[1176]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=199.100.16.39 user={REDACTED}
Mar 1 00:15:00 www sshd[1176]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=199.100.16.39 user={REDACTED}
Mar 1 00:15:00 www sshd[1176]: pam_sss(sshd:auth): received for user {REDACTED}: 6 (Permission denied)
getent passwd {REDACTED} returns
{REDACTED}:*:1000:500:{REDACTED (full user name)}:/home/users/{REDACTED}:
The command I ran to configure the client is
authconfig --enableldap --enableldapauth --ldapserver='ldap://{REDACTED (IP)}:389/' --ldapbasedn='dc={REDACTED},dc={REDACTED},dc=com' --enablemkhomedir --enableshadow --update
We have searched online for information about this specific error (the combination of authentication failure and 6 (Permission denied)), but have not found any instances where it has been solved.
-
Andy over 9 years
Authconfig tries so hard to obfuscate a lot of disparate configs, and adds its own. Try instead of "--enableldap --enableldapauth" the unintuitive "--disableldap --disableldapauth --enablesssd --enablesssdauth". Can you post your /etc/sssd/sssd.conf?
-