pam_sss access denied with kerberos authentication ok
I think you're mixing up authentication and authorization. As you can see from the logs, the authentication phase succeeds (meaning that the credentials were successfully verified)...
Jul 19 14:30:39 virtualBox gdm-password]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
...but the authorization phase fails (meaning that the user is not allowed to use the service, regardless of credentials):
Jul 19 14:30:39 virtualBox gdm-password]: pam_sss(gdm-password:account): Access denied for user alice: 6 (Autorisation refusée)
Since this message was shown by pam_sss itself, it's related to the SSSD settings. You have configured ldap as the access (authorization) provider:

[domain/STAGENFS.FR]
access_provider = ldap

This means that access rights are controlled by the ldap_access_order setting. You don't have it, but its default value is filter (according to the sssd-ldap(5) manual).
"Filter" means that access checks are done by using the ldap_access_filter setting to query the LDAP server. You don't have this setting either, and it has no default value – it is mandatory if you want to use the "filter" mode.
You need to specify the correct authorization rules – either decide on a filter that you want to apply, or change the ldap_access_order setting (or even the access_provider) to something else.
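The auth-versus-account distinction the answer draws can be checked mechanically. What follows is an added example, not part of the original answer and not SSSD's own code: a small Python classifier that walks pam_sss lines from auth.log in order and labels each login attempt as failed authentication, authenticated-but-denied, or passed, and maps the label to the SSSD setting to inspect. The sample lines are constructed from the auth.log excerpt in the question (the "]:" after the service name is how the page rendered the "gdm-password[pid]:" prefix).

```python
import re

# Constructed sample, modelled on the auth.log excerpt in the question.
SAMPLE_LOG = """\
Jul 19 14:30:12 virtualBox gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
Jul 19 14:30:13 virtualBox gdm-password]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
Jul 19 14:30:13 virtualBox gdm-password]: pam_sss(gdm-password:account): Access denied for user alice: 6 (Autorisation refusée)
Jul 19 14:30:32 virtualBox gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
Jul 19 14:30:32 virtualBox gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
Jul 19 14:30:32 virtualBox gdm-password]: pam_sss(gdm-password:auth): received for user alice: 17 (Échec lors de la définition des informations d'identification de l'utilisateur)
Jul 19 14:30:39 virtualBox gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
Jul 19 14:30:39 virtualBox gdm-password]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
Jul 19 14:30:39 virtualBox gdm-password]: pam_sss(gdm-password:account): Access denied for user alice: 6 (Autorisation refusée)
"""

# One PAM record: module name, PAM service, stack phase, free-text message.
PAM_RE = re.compile(
    r"pam_(?P<module>\w+)\((?P<service>[^:)]+):(?P<phase>auth|account|session|password)\): "
    r"(?P<message>.*)"
)
# The user is "user=alice" in auth-phase lines (the \b keeps "ruser=" from
# matching) and "for user alice:" in pam_sss account-phase lines.
USER_EQ_RE = re.compile(r"\buser=(?P<user>\S+)")
USER_FOR_RE = re.compile(r"for user (?P<user>[^\s:]+)")


def parse_line(line):
    """Return module/service/phase/message/user for a PAM line, or None otherwise."""
    m = PAM_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    u = USER_EQ_RE.search(line) or USER_FOR_RE.search(line)
    rec["user"] = u.group("user") if u else None
    return rec


def classify_attempts(lines, module="sss"):
    """Label each login attempt handled by pam_<module>, in log order.

    'auth-failed'  : credentials rejected (authentication phase)
    'authz-denied' : credentials accepted, account phase rejected (authorization)
    'auth-ok'      : credentials accepted and no account-phase denial seen
    """
    attempts = []
    pending = {}  # user -> index of the attempt still waiting for its account phase
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["module"] != module or rec["user"] is None:
            continue
        user, phase, msg = rec["user"], rec["phase"], rec["message"]
        if phase == "auth" and msg.startswith("authentication success"):
            attempts.append([user, "auth-ok"])
            pending[user] = len(attempts) - 1
        elif phase == "auth" and msg.startswith("authentication failure"):
            attempts.append([user, "auth-failed"])
            pending.pop(user, None)
        elif phase == "account" and msg.startswith("Access denied") and user in pending:
            attempts[pending.pop(user)][1] = "authz-denied"
    return [tuple(a) for a in attempts]


# Which SSSD layer to look at for each label.
NEXT_STEP = {
    "auth-failed": "credentials rejected: look at auth_provider and the KDC logs",
    "authz-denied": "credentials accepted but the access provider refused the user: "
                    "check access_provider, ldap_access_order and ldap_access_filter",
    "auth-ok": "authentication and account phases both passed",
}


def diagnose(lines):
    """Attach the next-step hint to every classified attempt."""
    return [(user, label, NEXT_STEP[label]) for user, label in classify_attempts(lines)]


if __name__ == "__main__":
    for user, label, hint in diagnose(SAMPLE_LOG.splitlines()):
        print(f"{user}: {label} -> {hint}")
```

Run against the question's excerpt it reports three pam_sss attempts for alice: denied at the account phase, a plain authentication failure (the 14:30:32 attempt), and denied at the account phase again, so the place to look is the access provider, not Kerberos.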
Charles
Updated on September 18, 2022
Comments
-
Charles over 1 year
I'm trying to use sssd with kerberos authentication and ldap on Ubuntu 18.04 (server and client machine). On the Ubuntu client side I installed the sssd and sssd-tools packages. But when I want to log in as alice, a user of my ldap, I can't. I can see that the server delivers the ticket (in the server's kerberos logs) and the client receives the ticket in the cache. Mkhomedir is present in /etc/pam.d/common-session. I found that mkhomedir should be enabled so I ran
pam-auth-update --package mkhomedir
but nothing changed. The auth.log says that:
Jul 19 14:30:12 virtualBox gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
Jul 19 14:30:13 virtualBox gdm-password]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
Jul 19 14:30:13 virtualBox gdm-password]: pam_sss(gdm-password:account): Access denied for user alice: 6 (Autorisation refusée)
Jul 19 14:30:32 virtualBox gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
Jul 19 14:30:32 virtualBox gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
Jul 19 14:30:32 virtualBox gdm-password]: pam_sss(gdm-password:auth): received for user alice: 17 (Échec lors de la définition des informations d'identification de l'utilisateur)
Jul 19 14:30:39 virtualBox gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
Jul 19 14:30:39 virtualBox gdm-password]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=alice
Jul 19 14:30:39 virtualBox gdm-password]: pam_sss(gdm-password:account): Access denied for user alice: 6 (Autorisation refusée)
The getent passwd <ldap user> works. I also added the to the krb5.keytab of the client. Here are my configuration files.
sssd.conf file:
[sssd]
debug_level = 0xFFF0
config_file_version = 2
services = nss,pam
domains = STAGENFS.FR

[nss]
debug_level = 0xFFF0
filter_users = root
filter_groups = root

[pam]
debug_level = 0xFFF0
offline_credentials_expiration = 1

[domain/STAGENFS.FR]
debug_level = 0xFFF0
ldap_schema = rfc2307
ldap_search_base = ou=tl
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_uri = ldaps://ldap02.stagenfs.fr
ldap_referrals = False
ldap_id_use_start_tls = False
cache_credentials = True
account_cache_expiration = 1
enumerate = True
ldap_default_bind_dn = cn=proxyuser,ou=private,ou=tl
ldap_default_authtok_type = password
ldap_default_authtok = ProxyUser123#
ldap_tls_cacert = /etc/ssl/certs/cacert.pem
krb5_realm = STAGENFS.FR
krb5_canonicalize = False
krb5_server = kdc.stagenfs.fr
krb5_kpasswd = kdc.stagenfs.fr
krb5_ccachedir = /cache
nsswitch file:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd sss
group:          compat systemd sss
shadow:         compat sss
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss
I have pam_sss.so in pam.d files:
# /etc/pam.d/common-account
account [default=bad success=ok user_unknown=ignore] pam_sss.so

# /etc/pam.d/common-auth
auth [success=1 default=ignore] pam_sss.so use_first_pass

# /etc/pam.d/common-password
password sufficient pam_sss.so use_authtok

# /etc/pam.d/common-session
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_sss.so

Do you know if sssd needs libpam_krb5.so? If you have any idea, or if you need more information, don't hesitate! Thank you.
-
Charles almost 6 years
Thank you, it worked. I added
ldap_access_order = filter
and a filter:
ldap_access_filter = &(objectClass=posixAccount) (uidNumber=*)
in the sssd.conf file and I managed to log in to the ldap user account.
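The failure in the question and the fix in this comment differ by two lines of sssd.conf, and the rule that decides between them is the one the answer cites from the manual pages. As an added example (not from the page and not SSSD's own code), the check below applies those documented defaults, access_provider defaulting to permit per sssd.conf(5), ldap_access_order defaulting to filter and ldap_access_filter having no default per sssd-ldap(5), to an sssd.conf text and reports a domain whose account phase will deny every user, or one that will admit every user. Both configurations are constructed from the question's file with the irrelevant keys dropped; the bind password is a placeholder and the group DN in the fixed filter is hypothetical.

```python
import configparser

# Constructed from the question's sssd.conf; placeholder bind password.
BROKEN_CONF = """\
[sssd]
services = nss,pam
domains = STAGENFS.FR

[domain/STAGENFS.FR]
ldap_schema = rfc2307
ldap_search_base = ou=tl
id_provider = ldap
auth_provider = krb5
access_provider = ldap
ldap_uri = ldaps://ldap02.stagenfs.fr
ldap_default_bind_dn = cn=proxyuser,ou=private,ou=tl
ldap_default_authtok_type = password
ldap_default_authtok = <bind-password-placeholder>
krb5_realm = STAGENFS.FR
"""

# Same domain with the access rule filled in; the group DN is hypothetical.
FIXED_CONF = BROKEN_CONF + """\
ldap_access_order = filter
ldap_access_filter = (&(objectClass=posixAccount)(memberOf=cn=login-hosts,ou=groups,ou=tl))
"""

# Constructed: what the domain looks like with no access_provider at all.
PERMIT_CONF = BROKEN_CONF.replace("access_provider = ldap\n", "")


def check_access_config(conf_text):
    """Return (section, problem) tuples for every [domain/...] section.

    Defaults applied (sssd.conf(5), sssd-ldap(5)): access_provider=permit,
    ldap_access_order=filter, ldap_access_filter has no default.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        provider = dom.get("access_provider", "permit").strip()
        if provider == "permit":
            findings.append((section, "access_provider is permit (the default): every "
                                      "user the id_provider resolves may log in"))
        elif provider == "ldap":
            order = [o.strip() for o in dom.get("ldap_access_order", "filter").split(",")]
            if "filter" in order and not dom.get("ldap_access_filter", "").strip():
                findings.append((section, "ldap_access_order uses filter but "
                                          "ldap_access_filter is unset: pam_sss denies "
                                          "every user at the account phase"))
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF), ("permit", PERMIT_CONF)):
        print(name, check_access_config(conf) or "no findings")
```

The broken configuration yields exactly the symptom in the question (authentication succeeds, account phase denies), the fixed one yields nothing, and a domain with no access_provider is reported as admitting everyone, which is the other misconfiguration to watch for when the goal is to restrict who may log in.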