pam_sss access denied with kerberos authentication ok

I think you're mixing up authentication and authorization. As you can see from the logs, the authentication phase succeeds (meaning that the credentials were successfully verified)...

Jul 19 14:30:39 virtualBox gdm-password]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice

...but the authorization phase fails (meaning that the user is not allowed to use the service, regardless of credentials):

Jul 19 14:30:39 virtualBox gdm-password]: pam_sss(gdm-password:account): Access denied for user alice: 6 (Autorisation refusée)

Since this message was shown by pam_sss itself, it's related to the SSSD settings. You have configured ldap as the access (authorization) provider:

[domain/STAGENFS.FR]
access_provider = ldap

This means that access rights are controlled by the ldap_access_order setting. You don't have it, but its default value is filter (according to the sssd-ldap(5) manual).

"Filter" means that access checks are done by using the ldap_access_filter setting to query the LDAP server. You don't have this setting either, and it has no default value – it is mandatory if you want to use the "filter" mode.

You need to specify the correct authorization rules – either decide on a filter that you want to apply, or change the ldap_access_order setting (or even the access_provider) to something else.
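The distinction the answer draws between the auth phase and the account phase can be checked mechanically. The following Python script is an added example, not part of the original answer or of sssd: it parses the pam_<module>(<service>:<phase>) prefix that PAM modules write to auth.log, tracks whether the auth stack succeeded for each user, and reports whether a failed login stopped at authentication (credentials rejected) or at authorization (an "Access denied" in the account phase after a successful auth). The sample lines are constructed after the excerpt above, plus one made-up sshd line for a user bob whose password is simply wrong; the verdict strings returned by diagnose() are this example's own names.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The part of a syslog line that PAM modules write:
#   pam_<module>(<service>:<management group>): <message>
PAM_RE = re.compile(
    r"(?P<module>pam_\w+)\((?P<service>[^:()]+):"
    r"(?P<phase>auth|account|session|password)\): (?P<msg>.*)$"
)
# "user=alice" on auth lines, "for user alice:" on pam_sss account lines.
# The \b stops "ruser=" from matching.
USER_RE = re.compile(r"(?:\buser=|for user )(?P<user>[^\s:]+)")
# Numeric PAM return code that pam_sss appends, e.g. "alice: 6 (Autorisation refusée)".
CODE_RE = re.compile(r": (?P<code>\d+) \(")

# Constructed sample modelled on the auth.log excerpt in the question, plus one
# made-up sshd line for a second user whose password is simply wrong.
SAMPLE_LOG = """\
Jul 19 14:30:39 virtualBox gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=alice
Jul 19 14:30:39 virtualBox gdm-password]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
Jul 19 14:30:39 virtualBox gdm-password]: pam_sss(gdm-password:account): Access denied for user alice: 6 (Autorisation refusée)
Jul 19 14:31:02 virtualBox sshd[2201]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=bob
"""


@dataclass
class PamEvent:
    module: str
    service: str
    phase: str            # auth, account, session or password
    user: str
    outcome: str          # success, failure, denied or other
    code: Optional[int]   # pam_sss return code when the line carries one


def parse_pam_events(log_text: str) -> List[PamEvent]:
    """Turn raw syslog text into PamEvent records, skipping lines PAM did not write."""
    events: List[PamEvent] = []
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if "authentication success" in msg:
            outcome = "success"
        elif "authentication failure" in msg:
            outcome = "failure"
        elif msg.startswith("Access denied"):
            outcome = "denied"
        else:
            outcome = "other"
        u = USER_RE.search(msg)
        c = CODE_RE.search(msg)
        events.append(PamEvent(m.group("module"), m.group("service"), m.group("phase"),
                               u.group("user") if u else "?", outcome,
                               int(c.group("code")) if c else None))
    return events


def diagnose(log_text: str) -> Dict[str, str]:
    """Per user, say where the most recent login attempt stopped.

    The auth stack counts as passed once any auth-phase module reports success
    (pam_unix failing first for an LDAP-only user is expected). An 'Access denied'
    in the account phase after that is an authorization failure, not a credential
    problem. An account-phase line ends the attempt, so the next one starts clean.
    """
    verdict: Dict[str, str] = {}
    authenticated: Dict[str, bool] = {}
    for ev in parse_pam_events(log_text):
        if ev.phase == "auth" and ev.outcome == "success":
            authenticated[ev.user] = True
            verdict[ev.user] = "authenticated"
        elif ev.phase == "auth" and ev.outcome == "failure":
            if not authenticated.setdefault(ev.user, False):
                verdict[ev.user] = "authentication_failed"
        elif ev.phase == "account":
            if ev.outcome == "denied":
                verdict[ev.user] = ("authorization_denied" if authenticated.get(ev.user)
                                    else "account_denied_without_auth")
            authenticated.pop(ev.user, None)
    return verdict


if __name__ == "__main__":
    for user, result in sorted(diagnose(SAMPLE_LOG).items()):
        print(f"{user}: {result}")
```

Run against the sample, alice comes out as authorization_denied and bob as authentication_failed, which is exactly the split the answer makes: alice's problem is in the SSSD access provider, bob's is in the credentials.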

Author: Charles

Updated on September 18, 2022

Comments

  • Charles over 1 year

    I'm trying to use sssd with kerberos authentication and ldap on Ubuntu 18.04 (server and client machine). On the Ubuntu client side I installed the sssd and sssd-tools packages. But when I want to log in as alice, a user of my ldap, I can't. I can see that the server delivers the ticket (in the server's kerberos logs) and the client receives the ticket in the cache. Mkhomedir is present in /etc/pam.d/common-session.

    I found that mkhomedir should be enabled so I ran pam-auth-update --package mkhomedir but nothing changed.

    The auth.log says:

    Jul 19 14:30:12 virtualBox gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=alice
    Jul 19 14:30:13 virtualBox gdm-password]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
    Jul 19 14:30:13 virtualBox gdm-password]: pam_sss(gdm-password:account): Access denied for user alice: 6 (Autorisation refusée)
    Jul 19 14:30:32 virtualBox gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=alice
    Jul 19 14:30:32 virtualBox gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
    Jul 19 14:30:32 virtualBox gdm-password]: pam_sss(gdm-password:auth): received for user alice: 17 (Échec lors de la définition des informations d'identification de l'utilisateur)
    Jul 19 14:30:39 virtualBox gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=alice
    Jul 19 14:30:39 virtualBox gdm-password]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
    Jul 19 14:30:39 virtualBox gdm-password]: pam_sss(gdm-password:account): Access denied for user alice: 6 (Autorisation refusée)


    The getent passwd <ldap user> works. I also added the to the krb5.keytab of the client.

    Here are my configuration files.

    sssd.conf file:

    [sssd]
    debug_level = 0xFFF0
    config_file_version = 2
    services = nss,pam
    domains = STAGENFS.FR
    
    [nss]
    debug_level = 0xFFF0
    filter_users = root
    filter_groups = root
    
    [pam]
    debug_level = 0xFFF0
    offline_credentials_expiration = 1
    
    [domain/STAGENFS.FR]
    debug_level = 0xFFF0
    ldap_schema = rfc2307
    ldap_search_base = ou=tl
    
    id_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5
    access_provider = ldap
    
    ldap_uri = ldaps://ldap02.stagenfs.fr
    ldap_referrals = False
    ldap_id_use_start_tls = False
    cache_credentials = True
    account_cache_expiration = 1
    enumerate = True
    ldap_default_bind_dn = cn=proxyuser,ou=private,ou=tl
    ldap_default_authtok_type = password
    ldap_default_authtok = ProxyUser123#
    ldap_tls_cacert = /etc/ssl/certs/cacert.pem
    
    krb5_realm = STAGENFS.FR
    krb5_canonicalize = False
    krb5_server = kdc.stagenfs.fr
    krb5_kpasswd = kdc.stagenfs.fr
    krb5_ccachedir = /cache
    

    nsswitch file:

    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.
    
    passwd:         compat systemd sss
    group:          compat systemd sss
    shadow:         compat sss
    gshadow:        files
    
    hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
    networks:       files
    
    protocols:      db files
    services:       db files sss
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis sss
    sudoers:        files sss
    

    I have pam_sss.so in pam.d files:

    # /etc/pam.d/common-account
        account [default=bad success=ok user_unknown=ignore]    pam_sss.so
    
    # /etc/pam.d/common-auth
        auth    [success=1 default=ignore]  pam_sss.so use_first_pass
    
    # /etc/pam.d/common-password
        password    sufficient          pam_sss.so use_authtok
    
    # /etc/pam.d/common-session
        session required    pam_mkhomedir.so skel=/etc/skel/
        session optional            pam_sss.so
    

    Do you know if sssd needs libpam_krb5.so? If you have any idea, or if you need more information, don't hesitate! Thank you.

  • Charles almost 6 years
    Thank you, it worked. I added ldap_access_order = filter and a filter: ldap_access_filter = &(objectClass=posixAccount) (uidNumber=*) in the sssd.conf file and I managed to log in to the ldap user account.