#1097 Login as local (PAM) user does not work for ftpd when sssd is configured with LDAP-backend
Closed: Invalid None Opened 9 years ago by sgallagh.

https://bugzilla.redhat.com/show_bug.cgi?id=754170

Description of problem:
Login as local (PAM) user does not work when sssd is configured with
LDAP-backend

Version-Release number of selected component (if applicable):
sssd-1.6.3-1.fc16.x86_64
pure-ftpd-1.0.32-2.fc16.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Set up sssd to auth against ldap
2. Check that users can log in with ssh, pop3/imap (dovecot) and so on
3. Install pure-ftpd
4. Configure it to use PAM Auth

Actual results:
Local users can't log in

Expected results:
Local users should be able to log in

Additional info:

It is hard to debug this problem
SSSD seems to auth the users fine:

Nov 14 14:01:22 poseidon pure-ftpd: pam_unix(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=olen rhost=  user=olen
Nov 14 14:01:23 poseidon pure-ftpd: pam_sss(pure-ftpd:auth): authentication success; logname= uid=0 euid=0 tty=pure-ftpd ruser=olen rhost= user=olen

But they still can't log in.
Client reports "login failed"

Fresh install of F16, so no old config-files should be present.

Auth is configured by authconfig.
Relevant PAM-files:

/etc/pam.d/pure-ftpd
#%PAM-1.0

# Sample PAM configuration file for Pure-FTPd.
# Install it in /etc/pam.d/pure-ftpd or add to /etc/pam.conf

auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       include      password-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so

account    include      password-auth

password   include      password-auth

session    required     pam_loginuid.so
session    include      password-auth



/etc/pam.d/password-auth is a symlink to password-auth-ac


/etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so



The weirdest thing is I have the exact same problem with both vsftpd AND
proftpd as well.

Changing pure-ftpd to auth directly to the LDAP-server works fine, and allows
users to log in.
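
Added example, not part of the original ticket or of SSSD: a simplified evaluator for the keyword controls in the `auth` lines of the password-auth file quoted above, fed the module results the two log lines show (pam_unix failure, pam_sss success). The outcomes for pam_env and pam_succeed_if are assumptions, and bracket controls and `include` are not modelled.

```python
# Added example: simplified model of the Linux-PAM keyword controls
# (required, requisite, sufficient). Bracket controls and "include"
# are not modelled; "optional" results are ignored.

# auth lines copied from the /etc/pam.d/password-auth quoted in the report
AUTH_STACK = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
"""

# Constructed module results. pam_unix/pam_sss follow the log lines in the
# report; the pam_env and pam_succeed_if outcomes are assumptions.
AS_LOGGED = {"pam_env.so": True, "pam_unix.so": False,
             "pam_succeed_if.so": True, "pam_sss.so": True,
             "pam_deny.so": False}
BAD_PASSWORD = dict(AS_LOGGED, **{"pam_sss.so": False})

def parse(stack_text, module_type="auth"):
    """Return [(control, module)] for the lines of the given type."""
    entries = []
    for line in stack_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].lstrip("-") == module_type:
            entries.append((fields[1], fields[2]))
    return entries

def evaluate(entries, results):
    """Walk the stack; return (granted, trace of modules that ran)."""
    failed = False   # a required module has already failed
    passed = False   # a required/requisite module has succeeded
    trace = []
    for control, module in entries:
        ok = results[module]
        trace.append((module, control, ok))
        if control == "requisite" and not ok:
            return False, trace        # fail immediately
        if control == "required" and not ok:
            failed = True              # remember the failure, keep going
        if control == "sufficient" and ok and not failed:
            return True, trace         # stop here, the stack succeeds
        if ok and control in ("required", "requisite"):
            passed = True
    return (passed and not failed), trace
```

With the results from the log lines, evaluation stops at pam_sss.so with success and pam_deny.so is never reached, so the two syslog entries are what a passing `auth` phase of this file looks like.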

Fields changed

cc: => pghmcfc
coverity: =>
patch: => 0
rhbz: =>
tests: => 0
testsupdated: => 0
upgrade: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.7.0
owner: somebody => jzeleny

Fields changed

priority: major => critical

Fields changed

status: new => assigned

I'm leaning towards closing this ticket, as it seems that it has nothing to do with SSSD. I tested this with ProFTP and it seems that the request for username never gets to SSSD (no mention about it in the log of NSS provider). I double checked the configuration, and everything else seems to be working fine - getent, sshd, su, ...

Fields changed

resolution: => invalid
status: assigned => closed

Metadata Update from @sgallagh:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.7.0

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2139

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
