On Tue, 24 Mar 2015, Bobby Prins wrote:
The inability to log in is reported in about the same time as the number of
seconds you would find in the etime= field of the RESULT line.
I checked the "Common AD provider issues" and "Troubleshooting authentication,
password change and access control" sections on the SSSD Troubleshooting page. None of the
issues reported there seem to be applicable in my situation.
PAM logging on AIX:
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_start(login [email protected])
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(1)
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(2)
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(5)
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(3)
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(4)
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(8)
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: pam_authenticate()
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: load_modules: /usr/lib/security/pam_aix
Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: load_function: successful load of pam_sm_authenticate
Mar 24 16:23:22 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(6)
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_authenticate: error Authentication failed
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_set_item(6)
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_acct_mgmt()
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: load_modules: /usr/lib/security/pam_aix
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: load_function: successful load of pam_sm_acct_mgmt
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_acct_mgmt: error No account present for user
Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: pam_end(): status = Authentication failed
Mar 24 16:23:37 tst01 auth|security:info syslog: vty0: failed login attempt for UNKNOWN_USER
Doing an ldapsearch with [email protected] as the bind user works without any
problems.
According to the log above you get a failure from pam_aix, which is to be
expected if pam_aix doesn't think that the user in question is coming
from LDAP.
Can you show output of
lsuser -R LDAP [email protected]
lsuser -a registry SYSTEM [email protected]
The attributes 'registry' and 'SYSTEM' should be set to LDAP (or KRB5LDAP).
Can you show how you configured the AIX client?
--
/ Alexander Bokovoy
lsuser -R LDAP [email protected]:
[email protected] id=211623277 [email protected]
[email protected] home=/home/example.corp/bprins shell=/bin/bash
gecos=Bobby Prins login=true su=true rlogin=true daemon=true admin=false
sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE
umask=22 registry=LDAP SYSTEM=LDAP logintimes= loginretries=0 pwdwarntime=0
account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minloweralpha=0
minupperalpha=0 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8
minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= default_roles=
fsize=8388604 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536
nofiles=2000 roles=
I assume you have /bin/bash installed on AIX? This user has the shell
defined as /bin/bash, and if it is missing, login or ssh will deny it
access to the system.
lsuser -a registry SYSTEM [email protected]:
[email protected] registry=LDAP SYSTEM=LDAP
Contents of /etc/security/ldap/ldap.cfg:
ldapservers:idm01.unix.example.corp
authtype:ldap_auth
useSSL:no
userattrmappath:/etc/security/ldap/IPAuser.map
groupattrmappath:/etc/security/ldap/IPAgroup.map
userbasedn:cn=users,cn=compat,dc=unix,dc=example,dc=corp
groupbasedn:cn=groups,cn=compat,dc=unix,dc=example,dc=corp
userclasses:posixaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
serverschematype:rfc2307
Map file /etc/security/ldap/IPAuser.map:
#IPAuser.map file
keyobjectclass SEC_CHAR posixaccount s
# The following attributes are required by AIX to be functional
username SEC_CHAR uid s
id SEC_INT uidnumber s
pgrp SEC_CHAR gidnumber s
home SEC_CHAR homedirectory s
shell SEC_CHAR loginshell s
gecos SEC_CHAR gecos s
spassword SEC_CHAR userpassword s
lastupdate SEC_INT shadowlastchange s
Map file /etc/security/ldap/IPAgroup.map:
#IPAgroup.map file
groupname SEC_CHAR cn s
id SEC_INT gidNumber s
users SEC_LIST member m
With the current setup, users created on the IPA server work; AD users do not.
The rest of the configuration looks fine. Given that the PAM debug output
mentions pam_aix, can you show /etc/pam.conf and
/etc/security/login.cfg? I suspect that you have auth_type=PAM_AUTH in
/etc/security/login.cfg; that's why PAM authentication is in use, and
pam_aix should theoretically pick up LDAP via the LAM mechanism.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
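The checks Alexander walks through in the thread (registry and SYSTEM set to LDAP or KRB5LDAP, the LDAP login shell actually present on the AIX box, and what the ldap.cfg bind settings imply) can be scripted. The block below is an added example and is not code from the thread or from FreeIPA/AIX; the function names (attr, check_registry, check_shell, cfg_value, cfg_cleartext), the user name jdoe@ad.example.corp and all sample strings are constructed here in the output formats shown above, so it runs offline. On a real AIX host you would pass in live `lsuser -a registry SYSTEM <user>` and `lsuser -R LDAP <user>` output instead. The cfg_cleartext check rests on the assumption that authtype:ldap_auth makes the client bind to the LDAP server with the user's password, so with useSSL:no that password crosses the wire unencrypted on port 389.

```shell
#!/bin/sh
# Added example: offline sanity checks for the AIX LDAP/IPA client settings
# discussed in the thread. Sample data below is constructed, not captured.

# Constructed sample of `lsuser -a registry SYSTEM jdoe@ad.example.corp`
SAMPLE_OK='jdoe@ad.example.corp registry=LDAP SYSTEM=LDAP'
# Constructed sample of a user AIX resolved from local files instead of LDAP
SAMPLE_BAD='jdoe@ad.example.corp registry=files SYSTEM=compat'

# Constructed ldap.cfg fragment using the same keys as the one posted
SAMPLE_CFG='ldapservers:idm01.unix.example.corp
authtype:ldap_auth
useSSL:no
ldapport:389
searchmode:ALL'

# attr LINE NAME: print the value of NAME=... from one lsuser(1) output line.
# Splitting on spaces is fine here; the attributes we read never contain one.
attr() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# check_registry LINE: succeed only if registry and SYSTEM both name LDAP or
# KRB5LDAP. Anything else means LAM never asks the LDAP module about this
# user, which is consistent with "No account present for user" from pam_aix.
check_registry() {
    for name in registry SYSTEM; do
        case "$(attr "$1" "$name")" in
            LDAP|KRB5LDAP) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_shell LINE: the loginshell stored in LDAP must exist and be executable
# on this host, otherwise login/ssh refuse the user even after a good bind.
check_shell() {
    shell_path=$(attr "$1" shell)
    [ -n "$shell_path" ] && [ -x "$shell_path" ]
}

# cfg_value CFG KEY: read KEY:value from ldap.cfg text (one key:value per line)
cfg_value() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p"
}

# cfg_cleartext CFG: succeed if the client does LDAP bind authentication
# without SSL, i.e. user passwords reach ldapservers unencrypted (assumption
# about ldap_auth semantics stated in the lead-in).
cfg_cleartext() {
    [ "$(cfg_value "$1" authtype)" = ldap_auth ] &&
        [ "$(cfg_value "$1" useSSL)" = no ]
}

# Stand-alone usage over the constructed samples
for sample in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    if check_registry "$sample"; then
        echo "ok:   $sample"
    else
        echo "FAIL: $sample (registry/SYSTEM not LDAP or KRB5LDAP)"
    fi
done
if check_shell 'jdoe@ad.example.corp shell=/bin/sh'; then
    echo "ok:   login shell /bin/sh is present and executable"
fi
if cfg_cleartext "$SAMPLE_CFG"; then
    echo "WARN: authtype ldap_auth with useSSL:no on port $(cfg_value "$SAMPLE_CFG" ldapport)"
fi
```

Running it against the SAMPLE_BAD line reproduces the symptom pattern from the thread, a user whose attributes point anywhere but LDAP, while the ldap.cfg check is the caveat worth fixing regardless of the AD login problem.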