hello all,
I've been tasked to provide AD account auth for some applications, and AD integration using kerberos/realmd should not be done, so I have set up sssd with ldap integration on a freshly installed 24.04 server. Sssd connects to the AD and user id lookups work fine (i.e. getent passwd <AD user>), but any authentication attempts fail with error "su: Authentication failure".
I've put on full debug logs in the sssd, nss, pam and domain sections, but nothing more specific than this is logged:
Code:
(2024-08-26 12:05:27): [pam] [pam_dp_send_req] (0x0100): [CID#1] Sending request with the following data:
(2024-08-26 12:05:27): [pam] [pam_print_data] (0x0100): [CID#1] command: SSS_PAM_AUTHENTICATE
(2024-08-26 12:05:27): [pam] [pam_print_data] (0x0100): [CID#1] domain: domain
(2024-08-26 12:05:27): [pam] [pam_print_data] (0x0100): [CID#1] user: USER@domain
(2024-08-26 12:05:27): [pam] [pam_print_data] (0x0100): [CID#1] service: sshd
(2024-08-26 12:05:27): [pam] [pam_print_data] (0x0100): [CID#1] tty: ssh
(2024-08-26 12:05:27): [pam] [pam_print_data] (0x0100): [CID#1] ruser: not set
(2024-08-26 12:05:27): [pam] [pam_print_data] (0x0100): [CID#1] rhost: 1.2.3.4
(2024-08-26 12:05:27): [pam] [pam_print_data] (0x0100): [CID#1] authtok type: 1 (Password)
(2024-08-26 12:05:27): [pam] [pam_print_data] (0x0100): [CID#1] newauthtok type: 0 (No authentication token available)
(2024-08-26 12:05:27): [pam] [pam_print_data] (0x0100): [CID#1] priv: 1
(2024-08-26 12:05:27): [pam] [pam_print_data] (0x0100): [CID#1] cli_pid: 4729
(2024-08-26 12:05:27): [pam] [pam_print_data] (0x0100): [CID#1] child_pid: 0
(2024-08-26 12:05:27): [pam] [pam_print_data] (0x0100): [CID#1] logon name: USER
(2024-08-26 12:05:27): [pam] [pam_print_data] (0x0100): [CID#1] flags: 1
(2024-08-26 12:05:27): [pam] [pam_dom_forwarder] (0x0100): [CID#1] pam_dp_send_req returned 0
(2024-08-26 12:05:27): [pam] [sbus_dispatch] (0x4000): Dispatching.
(2024-08-26 12:05:27): [pam] [pam_dp_send_req_done] (0x0200): [CID#1] received: [9 (Authentication service cannot retrieve authentication info)][domain]
(2024-08-26 12:05:27): [pam] [pam_reply] (0x4000): [CID#1] pam_reply initially called with result [9]: Authentication service cannot retrieve authentication info. this result might be changed during processing
(2024-08-26 12:05:27): [pam] [pam_reply] (0x0400): [CID#1] Local auth policy allowed: smartcard [False], passkey [False]
(2024-08-26 12:05:27): [pam] [filter_responses] (0x0100): [CID#1] PAM response filter: [ENV:KRB5CCNAME:sudo].
(2024-08-26 12:05:27): [pam] [filter_responses] (0x0100): [CID#1] PAM response filter: [ENV:KRB5CCNAME:sudo-i].
(2024-08-26 12:05:27): [pam] [pam_reply] (0x0200): [CID#1] blen: 33
(2024-08-26 12:05:27): [pam] [pam_reply] (0x0200): [CID#1] Returning [9]: Authentication service cannot retrieve authentication info to the client
(2024-08-26 12:05:27): [be[domain]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(2024-08-26 12:05:27): [be[domain]] [pam_print_data] (0x0100): domain: domain
(2024-08-26 12:05:27): [be[domain]] [pam_print_data] (0x0100): user: USER@domain
(2024-08-26 12:05:27): [be[domain]] [pam_print_data] (0x0100): service: sshd
(2024-08-26 12:05:27): [be[domain]] [pam_print_data] (0x0100): tty: ssh
(2024-08-26 12:05:27): [be[domain]] [pam_print_data] (0x0100): ruser:
(2024-08-26 12:05:27): [be[domain]] [pam_print_data] (0x0100): rhost: 1.2.3.4
(2024-08-26 12:05:27): [be[domain]] [pam_print_data] (0x0100): authtok type: 1 (Password)
(2024-08-26 12:05:27): [be[domain]] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
(2024-08-26 12:05:27): [be[domain]] [pam_print_data] (0x0100): priv: 1
(2024-08-26 12:05:27): [be[domain]] [pam_print_data] (0x0100): cli_pid: 4729
(2024-08-26 12:05:27): [be[domain]] [pam_print_data] (0x0100): child_pid: 0
(2024-08-26 12:05:27): [be[domain]] [pam_print_data] (0x0100): logon name: not set
(2024-08-26 12:05:27): [be[domain]] [pam_print_data] (0x0100): flags: 0
(2024-08-26 12:05:27): [be[domain]] [dp_attach_req] (0x0400): [RID#4] DP Request [PAM Authenticate #4]: REQ_TRACE: New request. [sssd.pam CID #1] Flags [0000].
(2024-08-26 12:05:27): [be[domain]] [dp_attach_req] (0x0400): [RID#4] [CID #1] Backend is offline! Using cached data if available
(2024-08-26 12:05:27): [be[domain]] [dp_attach_req] (0x0400): [RID#4] Number of active DP request: 1
(2024-08-26 12:05:27): [be[domain]] [sss_domain_get_state] (0x1000): [RID#4] Domain domain is Active
(2024-08-26 12:05:27): [be[domain]] [find_password_expiration_attributes] (0x4000): [RID#4] No password policy requested.
(2024-08-26 12:05:27): [be[domain]] [fo_resolve_service_send] (0x0100): [RID#4] Trying to resolve service 'LDAP'
(2024-08-26 12:05:27): [be[domain]] [get_server_status] (0x1000): [RID#4] Status of server 'domain-controller' is 'name resolved'
(2024-08-26 12:05:27): [be[domain]] [get_port_status] (0x1000): [RID#4] Port status of port 389 for server 'domain-controller' is 'not working'
(2024-08-26 12:05:27): [be[domain]] [get_port_status] (0x0080): [RID#4] SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
(2024-08-26 12:05:27): [be[domain]] [fo_resolve_service_send] (0x0020): [RID#4] No available servers for service 'LDAP'
(2024-08-26 12:05:27): [be[domain]] [be_resolve_server_done] (0x1000): [RID#4] Server [NULL] resolution failed: [5]: Input/output error
sssd.conf:
Code:
[sssd]
config_file_version = 2
services = nss,pam
domains = DOMAIN
[nss]
fallback_homedir = /home/%u
default_shell = /bin/bash
[pam]
[domain/DOMAIN]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://domain-controller
ldap_search_base = DOMAIN
ldap_default_bind_dn = cn=ACCOUNT,dc=DOMAIN
ldap_default_authtok_type = password
ldap_default_authtok = supersecret
ldap_user_object_class = person
ldap_group_object_class = group
ldap_schema = ad
ldap_referrals = False
ldap_id_mapping = True
use_fully_qualified_names = false
enumerate = false
cache_credentials = false
ldap_id_use_start_tls = False
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
Having had challenges with sssd before in 24.04, I have spun up a 20.04 machine and copied the sssd conf over to it. Here everything works. Next I did the same with a 22.04 server, and here it works as well.
Having checked that I have performed a release upgrade of the 22.04 server to 24.04 and now ldap auth also works through sssd.
I have compared sssd default and systemd service files for the upgraded and installed servers and I find no difference.
Another curious observation I made is when I started trying to start sssd manually with strace to see if that brought some light into this. Nothing was logged to strace, but I found that when sssd is started manually on the freshly installed 24.04 server, then ldap auth works as well.
So there is something done differently during systemd startup compared to a manual start that stops proper ldap authentication but not other user info lookups.
My thought is this is some security constraint introduced with 24.04 that is not activated when upgrading from 22.04 to 24.04 and only comes into effect when starting sssd through systemd, but I don't really know where to start troubleshooting this, so any help is appreciated.
best regards
Mirco
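As an added diagnostic that is not part of the post above: a small Python triage script that parses lines in the sssd debug format quoted there, joins the pam responder's [CID#n] with the backend's [RID#n] request, and records that the PAM result 9 comes from the backend being offline with the LDAP server port reported 'not working'. The embedded log excerpt is constructed from the post's own lines; the regexes only cover the message shapes seen there.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: the lines of the post's sssd debug log that the triage needs.
SAMPLE_LOG = """\
(2024-08-26 12:05:27): [pam] [pam_dp_send_req_done] (0x0200): [CID#1] received: [9 (Authentication service cannot retrieve authentication info)][domain]
(2024-08-26 12:05:27): [be[domain]] [dp_attach_req] (0x0400): [RID#4] DP Request [PAM Authenticate #4]: REQ_TRACE: New request. [sssd.pam CID #1] Flags [0000].
(2024-08-26 12:05:27): [be[domain]] [dp_attach_req] (0x0400): [RID#4] [CID #1] Backend is offline! Using cached data if available
(2024-08-26 12:05:27): [be[domain]] [get_port_status] (0x1000): [RID#4] Port status of port 389 for server 'domain-controller' is 'not working'
(2024-08-26 12:05:27): [be[domain]] [fo_resolve_service_send] (0x0020): [RID#4] No available servers for service 'LDAP'
"""

# Generic shape of an sssd debug line: (timestamp): [component] [function] (level): message
LINE_RE = re.compile(r"^\([^)]+\): \[(?P<comp>.+?)\] \[(?P<func>[^\]]+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
RESULT_RE = re.compile(r"\[CID#(?P<cid>\d+)\] received: \[(?P<code>\d+) \((?P<text>[^)]+)\)\]")
NEWREQ_RE = re.compile(r"\[RID#(?P<rid>\d+)\] .*New request\. \[sssd\.pam CID #(?P<cid>\d+)\]")
OFFLINE_RE = re.compile(r"\[RID#(?P<rid>\d+)\] \[CID #(?P<cid>\d+)\] Backend is offline")
PORT_RE = re.compile(r"\[RID#(?P<rid>\d+)\] Port status of port (?P<port>\d+) for server "
                     r"'(?P<server>[^']+)' is '(?P<status>[^']+)'")

@dataclass
class AuthAttempt:
    cid: int                                   # pam responder client id
    result_code: int = -1                      # PAM result sent to the client (-1 = not seen)
    result_text: str = ""
    backend_offline: bool = False              # backend answered from its offline state
    failed_ports: list = field(default_factory=list)  # (server, port, status) not 'working'

def triage(log_text: str) -> dict:
    """Join the pam responder's CID with the backend's RID and record why each auth failed."""
    attempts, rid_to_cid = {}, {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if r := RESULT_RE.search(msg):
            a = attempts.setdefault(int(r["cid"]), AuthAttempt(int(r["cid"])))
            a.result_code, a.result_text = int(r["code"]), r["text"]
        elif r := NEWREQ_RE.search(msg):       # the DP request announces which CID it serves
            rid_to_cid[int(r["rid"])] = int(r["cid"])
        elif r := OFFLINE_RE.search(msg):
            rid_to_cid[int(r["rid"])] = int(r["cid"])
            attempts.setdefault(int(r["cid"]), AuthAttempt(int(r["cid"]))).backend_offline = True
        elif r := PORT_RE.search(msg):
            cid = rid_to_cid.get(int(r["rid"]))
            if cid is not None and r["status"] != "working":
                attempts.setdefault(cid, AuthAttempt(cid)).failed_ports.append(
                    (r["server"], int(r["port"]), r["status"]))
    return attempts
```

Run `triage(open("/var/log/sssd/sssd_pam.log").read() + open("/var/log/sssd/sssd_DOMAIN.log").read())` on a real pair of logs to see, per CID, whether an "Authentication failure" was really a backend-offline condition rather than a wrong password.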