[Freeipa-users] Password failing for sudo-ldap authentication only from one host

David Sastre d.sastre.medina at gmail.com
Thu Sep 27 08:53:06 UTC 2012


On Thu, Sep 27, 2012 at 10:01 AM, Jakub Hrozek wrote:

> On Thu, Sep 27, 2012 at 08:18:21AM +0200, David Sastre wrote:
> > On Wed, Sep 26, 2012 at 11:08 PM, David Sastre Medina wrote:
> > > On Wed, Sep 26, 2012 at 03:06:40PM -0400, Rob Crittenden wrote:
> > > > David Sastre wrote:
> > > > > [big snip]
> > > > Does sssd work on this machine otherwise? getent passwd <foo>, you
> > > > can log into the console as the user, or perhaps kinit to the user?
> > >
> > It looks like sssd is operating correctly.
> > I can also kinit w/o problems:
>
> kinit bypasses the SSSD and talks to the KDC directly.
>  ...however, the ssh should go through the SSSD...
>
> Can you check the messages that appear in /var/log/secure during the
> sudo auth attempt? You should see pam_sss being contacted, what does it
> say? Is there any error?
>

Jakub,

Does your comment mean ssh/sshd is misbehaving or badly configured?

There are, indeed, errors regarding pam_sss in /var/log/secure.

This is a successful login+sudo+logout on one host:

Sep 27 10:29:56 panoramix sshd[12913]: Authorized to dsastrem, krb5 principal dsastrem at SOME.DOMAIN.COM (krb5_kuserok)
Sep 27 10:29:56 panoramix sshd[12913]: Accepted gssapi-with-mic for dsastrem from 172.26.130.101 port 58678 ssh2
Sep 27 10:29:56 panoramix sshd[12913]: pam_unix(sshd:session): session opened for user dsastrem by (uid=0)
Sep 27 10:30:13 panoramix sudo: pam_unix(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/2 ruser=dsastrem rhost=  user=dsastrem
Sep 27 10:30:13 panoramix sudo: pam_sss(sudo:auth): authentication success; logname=dsastrem uid=0 euid=0 tty=/dev/pts/2 ruser=dsastrem rhost= user=dsastrem
Sep 27 10:30:13 panoramix sudo: dsastrem : TTY=pts/2 ; PWD=/home/dsastrem ; USER=root ; COMMAND=/sbin/ip addr show
Sep 27 10:30:32 panoramix sshd[12942]: Received disconnect from 172.26.130.101: 11: disconnected by user
Sep 27 10:30:32 panoramix sshd[12913]: pam_unix(sshd:session): session closed for user dsastrem

This one is a failed attempt to do the same on another host:

Sep 27 10:32:27 obelix sshd[5242]: Authorized to dsastrem, krb5 principal dsastrem at SOME.DOMAIN.COM (krb5_kuserok)
Sep 27 10:32:27 obelix sshd[5242]: Accepted gssapi-with-mic for dsastrem from 172.26.130.101 port 38276 ssh2
Sep 27 10:32:27 obelix sshd[5242]: pam_unix(sshd:session): session opened for user dsastrem by (uid=0)
Sep 27 10:32:50 obelix sudo: pam_unix(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost= user=dsastrem
Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): system info: [Permission denied]
Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost= user=dsastrem
Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): received for user dsastrem: 4 (System error)
Sep 27 10:33:13 obelix sudo: pam_unix(sudo:auth): conversation failed
Sep 27 10:33:13 obelix sudo: pam_unix(sudo:auth): auth could not identify password for [dsastrem]
Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): system info: [Cannot read password]
Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost= user=dsastrem
Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): received for user dsastrem: 4 (System error)
Sep 27 10:33:13 obelix sudo: dsastrem : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/dsastrem ; USER=root ; COMMAND=/sbin/ip addr show
Sep 27 10:33:21 obelix sshd[5281]: Received disconnect from 172.26.130.101: 11: disconnected by user
Sep 27 10:33:21 obelix sshd[5242]: pam_unix(sshd:session): session closed for user dsastrem

I can see now where it is failing, but I can't understand why (yet). Is
this PAM related?
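To make the two sessions above easier to compare, here is an added example of a small triage script (my own code, not part of the thread and not part of SSSD, FreeIPA or sudo). It parses syslog-style /var/log/secure lines, groups the sudo PAM messages per host, and separates "pam_sss rejected the credential" from "pam_sss returned PAM_SYSTEM_ERR (4)", which is what the obelix log shows. The sample lines are the ones from the post, rejoined onto single lines; the hostnames and user are taken from the post, and the classification strings are my own.

```python
"""Per-host triage of sudo PAM outcomes in /var/log/secure style logs.

Added example, not code from the mailing-list thread. SAMPLE_LINES are the
log lines quoted in the post, rejoined onto single lines.
"""
import re
from collections import defaultdict

# syslog line: "Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# a PAM module message from sudo's auth stack
PAM_RE = re.compile(r"^pam_(?P<module>\w+)\(sudo:auth\): (?P<detail>.*)$")
# pam_sss logs the numeric PAM status it returned, e.g. "4 (System error)"
STATUS_RE = re.compile(r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")
# pam_sss "system info" carries the underlying error text in brackets
SYSINFO_RE = re.compile(r"system info: \[(?P<info>[^\]]*)\]")

PAM_SYSTEM_ERR = 4  # Linux-PAM return value reported as "System error"

SAMPLE_LINES = [
    "Sep 27 10:30:13 panoramix sudo: pam_unix(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/2 ruser=dsastrem rhost=  user=dsastrem",
    "Sep 27 10:30:13 panoramix sudo: pam_sss(sudo:auth): authentication success; logname=dsastrem uid=0 euid=0 tty=/dev/pts/2 ruser=dsastrem rhost= user=dsastrem",
    "Sep 27 10:30:13 panoramix sudo: dsastrem : TTY=pts/2 ; PWD=/home/dsastrem ; USER=root ; COMMAND=/sbin/ip addr show",
    "Sep 27 10:32:50 obelix sudo: pam_unix(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost= user=dsastrem",
    "Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): system info: [Permission denied]",
    "Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost= user=dsastrem",
    "Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): received for user dsastrem: 4 (System error)",
    "Sep 27 10:33:13 obelix sudo: pam_unix(sudo:auth): conversation failed",
    "Sep 27 10:33:13 obelix sudo: pam_unix(sudo:auth): auth could not identify password for [dsastrem]",
    "Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): system info: [Cannot read password]",
    "Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost= user=dsastrem",
    "Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): received for user dsastrem: 4 (System error)",
    "Sep 27 10:33:13 obelix sudo: dsastrem : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/dsastrem ; USER=root ; COMMAND=/sbin/ip addr show",
]


def new_record():
    return {"pam_unix": [], "pam_sss": [], "sysinfo": [], "status_codes": [],
            "sudo_granted": False, "bad_password_reported": False}


def parse_sudo_auth(lines):
    """Return {host: record} with what each PAM module reported for sudo."""
    per_host = defaultdict(new_record)
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m or m.group("prog") != "sudo":
            continue  # ignore sshd and anything that is not sudo
        rec = per_host[m.group("host")]
        pm = PAM_RE.match(m.group("msg"))
        if pm:
            module, detail = "pam_" + pm.group("module"), pm.group("detail")
            if module in ("pam_unix", "pam_sss"):
                rec[module].append(detail)
            if module == "pam_sss":
                si = SYSINFO_RE.search(detail)
                if si:
                    rec["sysinfo"].append(si.group("info"))
                st = STATUS_RE.search(detail)
                if st:
                    rec["status_codes"].append(int(st.group("code")))
            continue
        # sudo's own audit line: check the failure marker before "COMMAND="
        # because the failed attempt also carries a COMMAND= field
        if "incorrect password attempt" in m.group("msg"):
            rec["bad_password_reported"] = True
        elif "COMMAND=" in m.group("msg"):
            rec["sudo_granted"] = True
    return dict(per_host)


def diagnose(rec):
    """Classify one host's record; the first word is a stable category."""
    if any(d.startswith("authentication success") for d in rec["pam_sss"]):
        return "ok: pam_sss accepted the password"
    if PAM_SYSTEM_ERR in rec["status_codes"]:
        return ("system-error: pam_sss returned PAM_SYSTEM_ERR (4), so this is a "
                "local SSSD/PAM problem rather than a rejected password; details: "
                + "; ".join(rec["sysinfo"]))
    if rec["pam_sss"]:
        return "auth-failure: pam_sss rejected the credential"
    return "no-pam_sss: sudo's auth stack on this host did not call pam_sss"


if __name__ == "__main__":
    for host, rec in parse_sudo_auth(SAMPLE_LINES).items():
        print(host, "->", diagnose(rec))
```

Note that pam_unix logs "authentication failure" on the working host (panoramix) too: an IPA user has no entry in the local shadow file, so pam_unix is expected to fail before pam_sss runs. The signal that separates the two hosts is the pam_sss line that follows it, and in particular the "4 (System error)" status with its "[Permission denied]" system info on obelix.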