Package: sssd
Version: 1.2.1-4+squeeze1
Severity: normal
Tags: squeeze
I am trying to configure sssd to authenticate users against Active Directory.
The AD system is mixed W2k3 and W2k8 servers, currently using W2k3 functional
level. The config files are set up to connect to a W2k8 server, both on LDAP
and KRB5.
I have used pam-auth-update to generate the relevant pam.d files, with some
minor manual modifications (lowered the uid number for mklocaluser from
1000 to 500 due to existing user accounts with numbers in that range).
The sssd.conf file should be attached to this report (if not I will add it
manually later).
When a user logs in at a console, he is asked twice for the password. I put
sssd into debug mode (level 10 for both nss and pam) and the auth.log
shows the following:
Jul 8 12:12:13 it-000115 login[10853]: pam_sss(login:auth): system info: [KDC has no support for encryption type]
Jul 8 12:12:13 it-000115 login[10853]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost= user=wszachau
Jul 8 12:12:13 it-000115 login[10853]: pam_sss(login:auth): received for user wszachau: 4 (System error)
Jul 8 12:12:16 it-000115 login[10853]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost= user=wszachau
Jul 8 12:12:16 it-000115 login[10853]: pam_unix(login:session): session opened for user wszachau by LOGIN(uid=0)
I have tried changing the password for the user, but the error does not go away.
The login succeeds because there is a cached entry. However, as soon as the
cache is disabled, login fails.
I have tried all sorts of combinations in the sssd.conf file, but to no avail.
When I change from KRB5 authentication to LDAP authentication (and in addition
use a system wide special user for the bind) then authentication succeeds, but
I suspect that password changes will fail, since this will not retrieve a
kerberos ticket.
Centralized user accounts and authentication are very important to us and I would
prefer to use sssd for this (instead of a complicated LDAP/KRB5 config using
separate providers). However, in the current condition I cannot roll this out into
the company. Any help would be appreciated. If this is a configuration error, any
pointers towards my error would be appreciated.
-- System Information:
Debian Release: 6.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages sssd depends on:
ii libc-ares2 1.7.3-1 library for asyncronous name resol
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.12-4stable1 common error description library
ii libdbus-1-3 1.2.24-4+squeeze1 simple interprocess messaging syst
ii libk5crypto3 1.8.3+dfsg-4squeeze1 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.8.3+dfsg-4squeeze1 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.23-7.2 OpenLDAP libraries
ii libldb0 1:0.9.10~git20100203-1+b1 LDAP-like embedded database - shar
ii libnspr4-0d 4.8.6-1 NetScape Portable Runtime Library
ii libnss3-1d 3.12.8-1+squeeze1 Network Security Service libraries
ii libpam0g 1.1.1-6.1 Pluggable Authentication Modules l
ii libpcre3 8.02-1.1 Perl 5 Compatible Regular Expressi
ii libpopt0 1.16-1 lib for parsing cmdline parameters
ii libselinux1 2.0.96-1 SELinux runtime shared libraries
ii libsemanage1 2.0.45-1 SELinux policy management library.
ii libtalloc2 2.0.1-1 hierarchical pool based memory all
ii libtdb1 1.2.1-2+b1 Trivial Database - shared library
ii libtevent0 0.9.8-1+b1 talloc-based event loop library -
ii python 2.6.6-3+squeeze6 interactive high-level object-orie
ii python-sss 1.2.1-4+squeeze1 Pam module for the System Security
Versions of packages sssd recommends:
ii bind9-host 1:9.7.3.dfsg-1~squeeze3 Version of 'host' bundled with BIN
ii ldap-utils 2.4.23-7.2 OpenLDAP utilities
Versions of packages sssd suggests:
ii libnss-sss 1.2.1-4+squeeze1 Nss library for the System Securit
ii libpam-sss 1.2.1-4+squeeze1 Pam module for the System Security
-- Configuration Files:
/etc/init.d/sssd changed:
DESCRIPTION="System Security Services Daemon"
PATH=/bin:/usr/bin:/sbin:/usr/sbin
NAME=sssd
OPTIONS="-D -f"
DAEMON_OPTS=""
DAEMON=/usr/sbin/$NAME
PIDFILE=/var/run/$NAME.pid

. /lib/init/vars.sh
. /lib/lsb/init-functions

# Note: with -x the defaults file is only sourced when it is executable
if [ -x /etc/default/sssd ] ; then
    . /etc/default/sssd
fi

initdmain() {
    case "$1" in
      start)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESCRIPTION" "$NAME"
        start_daemon -p $PIDFILE $DAEMON $OPTIONS $DAEMON_OPTS
        RC=$?
        case "$RC" in
          0)
            [ "$VERBOSE" != no ] && log_end_msg $RC
            ;;
          *)
            # Report error also when VERBOSE=no
            log_daemon_msg "Starting $DESCRIPTION" "$NAME"
            log_end_msg $RC
            ;;
        esac
        ;;
      stop)
        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESCRIPTION" "$NAME"
        killproc -p $PIDFILE $DAEMON
        RC=$?
        case "$RC" in
          0)
            [ "$VERBOSE" != no ] && log_end_msg $RC
            ;;
          *)
            # Report error also when VERBOSE=no
            log_daemon_msg "Stopping $DESCRIPTION" "$NAME"
            log_end_msg $RC
            ;;
        esac
        ;;
      force-reload|restart)
        $0 stop
        $0 start
        ;;
      status)
        status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
        ;;
      *)
        echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload|status}"
        exit 1
        ;;
    esac
}

# Quote "$@" so arguments with spaces are passed through intact
initdmain "$@"
exit 0
-- no debconf information
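An added triage script for the auth.log excerpt quoted in the report (not part of the bug report itself): it groups the PAM lines by login PID, flags the pam_sss "KDC has no support for encryption type" message and its PAM_SYSTEM_ERR return code (4), detects the double prompt (pam_sss failing and pam_unix then being tried), and marks a session that opened although every auth module logged a failure. The sample lines are the ones from the report, re-joined where the mail wrapped them; the field names are this example's own.

```python
import re
from collections import defaultdict

# One PAM syslog line from login(1): "<ts> <host> login[<pid>]: pam_x(login:<type>): <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<service>[\w.-]+):(?P<type>\w+)\): (?P<msg>.*)$"
)
USER_RE = re.compile(r"\buser=(?P<user>\S+)")
RC_RE = re.compile(r"received for user \S+: (?P<rc>\d+)")

# Sample input: the auth.log lines quoted in the report, re-joined where the mail wrapped them.
SAMPLE_LOG = """\
Jul 8 12:12:13 it-000115 login[10853]: pam_sss(login:auth): system info: [KDC has no support for encryption type]
Jul 8 12:12:13 it-000115 login[10853]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost= user=wszachau
Jul 8 12:12:13 it-000115 login[10853]: pam_sss(login:auth): received for user wszachau: 4 (System error)
Jul 8 12:12:16 it-000115 login[10853]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost= user=wszachau
Jul 8 12:12:16 it-000115 login[10853]: pam_unix(login:session): session opened for user wszachau by LOGIN(uid=0)
"""

def parse_pam_lines(text):
    """One dict per PAM syslog line; lines that are not PAM output are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        um = USER_RE.search(ev["msg"])  # \b keeps "ruser=" from matching
        ev["user"] = um.group("user") if um else None
        events.append(ev)
    return events

def summarise_logins(events):
    """Group events by login PID and flag the patterns seen in the report."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    result = {}
    for pid, evs in by_pid.items():
        failed = {e["module"] for e in evs if e["type"] == "auth" and e["msg"].startswith("authentication failure")}
        rcs = [int(m.group("rc")) for e in evs for m in [RC_RE.search(e["msg"])] if m]
        s = {"user": next((e["user"] for e in evs if e["user"]), None),
             "kdc_enctype_error": any("KDC has no support for encryption type" in e["msg"] for e in evs),
             "sss_return_code": rcs[0] if rcs else None,  # 4 == PAM_SYSTEM_ERR, not a wrong password
             "session_opened": any(e["type"] == "session" and e["msg"].startswith("session opened") for e in evs)}
        # pam_sss failed and pam_unix was then tried and failed too: the user was prompted twice.
        s["double_prompt"] = {"pam_sss", "pam_unix"} <= failed
        # A session opened although every auth module logged a failure: worth reviewing on any host.
        s["session_despite_failures"] = s["session_opened"] and s["double_prompt"]
        result[pid] = s
    return result
```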