>----- Original message -----
>From: "Alexander Bokovoy" <[email protected]>
>To: "Bobby Prins" <[email protected]>
>Cc: [email protected], [email protected]
>Sent: Tuesday 24 March 2015 17:23:08
>Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>
>On Tue, 24 Mar 2015, Bobby Prins wrote:
>>>----- Original message -----
>>>From: "Alexander Bokovoy" <[email protected]>
>>>To: "Bobby Prins" <[email protected]>
>>>Cc: [email protected], [email protected]
>>>Sent: Tuesday 24 March 2015 15:13:38
>>>Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>
>>>On Tue, 24 Mar 2015, Bobby Prins wrote:
>>>>>----- Original message -----
>>>>>From: "Alexander Bokovoy" <[email protected]>
>>>>>To: "Bobby Prins" <[email protected]>
>>>>>Cc: [email protected], [email protected]
>>>>>Sent: Monday 23 March 2015 16:44:47
>>>>>Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>>>
>>>>>...
>>>>>
>>>>>Can you show relevant parts of /var/log/dirsrv/slapd-EXAMPLE-CORP/access
>>>>>and sssd logs from the IPA master (with debug_level = 10), at least the
>>>>>[domain], [nss], and [pam] sections.
>>>>>
>>>>>You need to filter the dirsrv logs by the connection coming from the AIX
>>>>>IP address and then by conn=<number>, where number is the same number as
>>>>>the one on the line with the IP address.
>>>>>
>>>>>When authenticating, AIX would talk to the IPA LDAP server's compat tree,
>>>>>and the slapi-nis plugin which serves the compat tree would do PAM
>>>>>authentication as service system-auth, where SSSD on the IPA master will
>>>>>do the actual authentication work.
>>>>>
>>>>>--
>>>>>/ Alexander Bokovoy
>>>>
>>>>Here you can see the DS connection from AIX:
>>>>[24/Mar/2015:12:53:19 +0100] conn=96 fd=110 slot=110 connection from 192.168.140.107 to 192.168.140.133
>>>>[24/Mar/2015:12:53:20 +0100] conn=96 op=0 BIND dn="[email protected],cn=users,cn=compat,dc=unix,dc=example,dc=corp" method=128 version=3
>>>>[24/Mar/2015:12:53:43 +0100] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=24 dn="[email protected],cn=users,cn=compat,dc=unix,dc=example,dc=corp"
>>>>[24/Mar/2015:12:53:43 +0100] conn=96 op=-1 fd=110 closed - B1
>>>>
>>>>As you can see it also takes quite some time to process the login.
>>>>Could that be a problem?
>>>24 seconds sounds like bprins2example.com is a member of a few groups with
>>>a large number of members. On the other hand, the BIND operation result is 0
>>>(success) and it doesn't look like AIX dropped the connection; at least
>>>there is no ABANDON within the context of this connection, so AIX did not
>>>cancel the request by itself.
>>>
>>>How long does it take on the AIX side to report the inability to login? Is
>>>this time longer or shorter than the one reported in the etime= value on the
>>>RESULT line above?
>>>
>>>>The SSSD log files are a bit large with debug_level set to 10 and it
>>>>will take me some time to strip all customer data from them. Any log
>>>>events in particular you would like to see?
>>>https://fedorahosted.org/sssd/wiki/Troubleshooting has an explanation for
>>>some types of issues you might find in the SSSD logs. I'd be interested
>>>in "Common AD provider issues" and "Troubleshooting authentication,
>>>password change and access control".
>>>
>>>--
>>>/ Alexander Bokovoy
>>
>>The inability to login is reported in about the same time as the number of
>>seconds you would find in the etime= field of the RESULT line.
>>
>>I checked the "Common AD provider issues" and "Troubleshooting
>>authentication, password change and access control" sections on the SSSD
>>Troubleshooting page.
>>None of the issues reported there seem to be applicable in my situation.
>>
>>PAM logging on AIX:
>>Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_start(login [email protected])
>>Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(1)
>>Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(2)
>>Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(5)
>>Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(3)
>>Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(4)
>>Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(8)
>>Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_authenticate()
>>Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: load_modules: /usr/lib/security/pam_aix
>>Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: load_function: successful load of pam_sm_authenticate
>>Mar 24 16:23:22 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(6)
>>Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_authenticate: error Authentication failed
>>Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(6)
>>Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_acct_mgmt()
>>Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: load_modules: /usr/lib/security/pam_aix
>>Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: load_function: successful load of pam_sm_acct_mgmt
>>Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_acct_mgmt: error No account present for user
>>Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_end(): status = Authentication failed
>>Mar 24 16:23:37 tst01 auth|security:info syslog: vty0: failed login attempt for UNKNOWN_USER
>>
>>Doing an ldapsearch with [email protected] as bind user works without any
>>problems.
>According to the log above you get a failure from pam_aix, which should be
>expected if pam_aix doesn't think that the user in question is coming
>from LDAP.
>
>Can you show the output of
>
>lsuser -R LDAP [email protected]
>lsuser -a registry SYSTEM [email protected]
>
>The attributes 'registry' and 'SYSTEM' should be set to LDAP (or KRB5LDAP).
>
>Can you show how you configured the AIX client?
>
>--
>/ Alexander Bokovoy
lsuser -R LDAP [email protected]:
[email protected] id=211623277 [email protected] [email protected] home=/home/example.corp/bprins shell=/bin/bash gecos=Bobby Prins login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=LDAP logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= default_roles= fsize=8388604 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=

lsuser -a registry SYSTEM [email protected]:
[email protected] registry=LDAP SYSTEM=LDAP

Contents of /etc/security/ldap/ldap.cfg:
ldapservers:idm01.unix.example.corp
authtype:ldap_auth
useSSL:no
userattrmappath:/etc/security/ldap/IPAuser.map
groupattrmappath:/etc/security/ldap/IPAgroup.map
userbasedn:cn=users,cn=compat,dc=unix,dc=example,dc=corp
groupbasedn:cn=groups,cn=compat,dc=unix,dc=example,dc=corp
userclasses:posixaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
serverschematype:rfc2307

Map file /etc/security/ldap/IPAuser.map:
#IPAuser.map file
keyobjectclass SEC_CHAR posixaccount s
# The following attributes are required by AIX to be functional
username SEC_CHAR uid s
id SEC_INT uidnumber s
pgrp SEC_CHAR gidnumber s
home SEC_CHAR homedirectory s
shell SEC_CHAR loginshell s
gecos SEC_CHAR gecos s
spassword SEC_CHAR userpassword s
lastupdate SEC_INT shadowlastchange s

Map file /etc/security/ldap/IPAgroup.map:
#IPAgroup.map file
groupname SEC_CHAR cn s
id SEC_INT gidNumber s
users SEC_LIST member m

With the current setup users created on the IPA server work, AD users do not.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
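The log correlation Alexander describes earlier in the thread (find the 389-ds connection opened from the AIX IP, then follow its conn=<number> to the BIND, its RESULT err/etime, and any ABANDON) as an added Python example; it is not part of the thread or of FreeIPA, and the log lines and DNs below are constructed from the excerpt above:

```python
import re

# Constructed sample modelled on the access-log excerpt in the thread (DNs are constructed):
# conn=96 is the AIX client whose BIND succeeds after 24 s; conn=97 is another client.
SAMPLE_LOG = """\
[24/Mar/2015:12:53:19 +0100] conn=96 fd=110 slot=110 connection from 192.168.140.107 to 192.168.140.133
[24/Mar/2015:12:53:20 +0100] conn=96 op=0 BIND dn="uid=aduser@ad.example.test,cn=users,cn=compat,dc=unix,dc=example,dc=corp" method=128 version=3
[24/Mar/2015:12:53:43 +0100] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=24 dn="uid=aduser@ad.example.test,cn=users,cn=compat,dc=unix,dc=example,dc=corp"
[24/Mar/2015:12:53:43 +0100] conn=96 op=-1 fd=110 closed - B1
[24/Mar/2015:12:54:01 +0100] conn=97 fd=111 slot=111 connection from 10.0.0.5 to 192.168.140.133
[24/Mar/2015:12:54:01 +0100] conn=97 op=0 BIND dn="uid=other,cn=users,cn=compat,dc=unix,dc=example,dc=corp" method=128 version=3
[24/Mar/2015:12:54:03 +0100] conn=97 op=1 ABANDON targetop=0 msgid=2
"""

LINE_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$")
FROM_RE = re.compile(r"connection from (?P<ip>\S+) to ")

def summarize_binds(log_text, client_ip):
    """Group lines by conn= for connections opened from client_ip and record the
    BIND dn, the err/etime of the first RESULT after it, and any ABANDON."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        opened = FROM_RE.search(rest)
        if opened:  # connection-open line: track this conn id only for the wanted client
            if opened.group("ip") == client_ip:
                summary[conn] = {"bind_dn": None, "err": None, "etime": None, "abandoned": False}
            continue
        entry = summary.get(conn)
        if entry is None:
            continue
        if " BIND " in rest:
            dn = re.search(r'dn="([^"]*)"', rest)
            entry["bind_dn"] = dn.group(1) if dn else ""
        elif " RESULT " in rest and entry["err"] is None:
            r = re.search(r"err=(\d+).*etime=([\d.]+)", rest)
            if r:
                entry["err"], entry["etime"] = int(r.group(1)), float(r.group(2))
        elif " ABANDON " in rest:
            entry["abandoned"] = True
    return summary

def suspicious_binds(summary, max_etime=5.0):
    """Conn ids whose BIND failed, was abandoned by the client, or exceeded max_etime seconds."""
    return sorted(c for c, e in summary.items() if e["abandoned"] or e["err"] not in (None, 0)
                  or (e["etime"] is not None and e["etime"] > max_etime))
```

Run over a real access log with the AIX address, a successful BIND with a large etime and no ABANDON (as in the thread) points at slow group resolution on the server side rather than at the client giving up.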
