#2950 SSSD Internal Error (Unknown PAM error)
Closed: Invalid. Opened 8 years ago by alingramescu.

Environment

  • OS: Debian GNU/Linux 8
  • Kernel: 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1+deb8u4 (2015-09-19) x86_64 GNU/Linux
  • SSSD: 1.11.7
  • SSSD enabled services: nss, pam, ssh

Configs

  • Kerberos config:

    cat /etc/krb5.conf

    [libdefaults]
    default_realm = ad.domain.com

    # The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    ticket_lifetime = 1h
    renew_lifetime = 1d

    # The following encryption type specification will be used by MIT Kerberos
    # if uncommented. In general, the defaults in the MIT Kerberos code are
    # correct and overriding these specifications only serves to disable new
    # encryption types as they are added, creating interoperability problems.
    #
    # The only time when you might need to uncomment these lines and change
    # the enctypes is if you have local software that will break on ticket
    # caches containing ticket encryption types it doesn't know about (such as
    # old versions of Sun Java).
    #
    # default_tgs_enctypes = des3-hmac-sha1
    # default_tkt_enctypes = des3-hmac-sha1
    # permitted_enctypes = des3-hmac-sha1

    # The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

    [realms]
    ad.domain.com = {
        kdc = dcv.ad.domain.com
        admin_server = dcv.ad.domain.com
    }

    [domain_realm]
    .ad.domain.com = ad.domain.com
    ad.domain.com = ad.domain.com

    [login]
    krb4_convert = true
    krb4_get_tickets = false
  • SSSD Config:

    cat /etc/sssd/sssd.conf
    [sssd]
    domains = ad.domain.com
    config_file_version = 2
    services = nss, pam, ssh

    [nss]
    filter_groups = root
    filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd

    [pam]
    reconnection_retries = 3

    [domain/ad.domain.com]
    debug_level = 6
    ad_domain = ad.domain.com
    krb5_realm = AD.DOMAIN.COM
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    sudo_provider = none
    subdomain_enumerate = all
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = True
    fallback_homedir = /home/%d/%u
    access_provider = ad
    min_id = 1000
    ad_access_filter = memberOf=CN=Main-Group,OU=Other,OU=Adm Groups,DC=adm,DC=domain,DC=com
    ldap_user_search_filter = memberOf=Main-Group,OU=Other,OU=Adm Groups,DC=adm,DC=domain,DC=com
    ldap_user_ssh_public_key = sshPublicKey
    krb5_lifetime = 1h
    krb5_renewable_lifetime = 1d
    krb5_renew_interval = 30m

  • PAM modules:

    grep sss /etc/pam.d/common-*

    Should look like the following:

    /etc/pam.d/common-account:

    # and here are more per-package modules (the "Additional" block)
    account sufficient pam_localuser.so
    account [default=bad success=ok user_unknown=ignore] pam_sss.so

    /etc/pam.d/common-auth:

    # here are the per-package modules (the "Primary" block)
    auth [success=2 default=ignore] pam_unix.so nullok_secure
    auth [success=1 default=ignore] pam_sss.so use_first_pass

    /etc/pam.d/common-password:

    # here are the per-package modules (the "Primary" block)
    password requisite pam_pwquality.so retry=3
    password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
    password sufficient pam_sss.so use_authtok

    /etc/pam.d/common-session:

    # and here are more per-package modules (the "Additional" block)
    session optional pam_mkhomedir.so skel=/etc/skel umask=027
    session required pam_unix.so
    session optional pam_sss.so
    session optional pam_systemd.so

  • SSH Config:

    cat /etc/ssh/sshd_config

    AuthorizedKeysFile    %h/.ssh/authorized_keys
    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
    AuthorizedKeysCommandUser nobody

Logs

  • SSSD Logs:

    /var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=user)(|memberOf=CN=Main-Group,OU=Other,OU=Adm Groups,DC=adm,DC=domain,DC=com))][CN=svc_rsn_vmware,OU=Service Accounts,DC=adm,DC=domain,DC=com].
    /var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search filter
    /var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [1432158235]: Malformed search filter
    /var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [sdap_nested_group_single_step_done] (0x0020): Error processing direct membership [1432158235]: Unknown error 1432158235
    /var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [sdap_nested_done] (0x0020): Nested group processing failed: [1432158235][Unknown error 1432158235]
    /var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request
    /var/log/sssd/sssd_ad.domain.com.log:(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158235,Internal Error (Unknown PAM error)
    /var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=954005429]
    /var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [ad.domain.com] to [ad.domain.com]
    /var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [ad_account_info_handler] (0x0400): This ID is from different domain
    /var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
    /var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=954005429]

Actions Performed

id user@ad.domain.com
getent passwd user@ad.domain.com
getent group AD-Group-Access@ad.domain.com

Please try to put the filter option in braces as shown in the man pages

...
ad_access_filter = (memberOf=CN=Main-Group,OU=Other,OU=Adm Groups,DC=adm,DC=domain,DC=com)
ldap_user_search_filter = (memberOf=Main-Group,OU=Other,OU=Adm Groups,DC=adm,DC=domain,DC=com)
...

cc: => sbose
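The reply above comes down to one syntax rule. SSSD does not rewrite `ad_access_filter` or `ldap_user_search_filter`; the log line at 08:49:37 shows it splicing the value verbatim into its own query, `(&(objectclass=user)(|<value>))`, and `ldap_search_ext` then rejects the whole string with "Bad search filter" because an RFC 4515 `|` list may only contain parenthesised sub-filters. The checker below is an added example for this ticket, not SSSD code: it parses the RFC 4515 string-filter grammar (and/or/not, equality, presence, substring, approx, `>=`, `<=`; extensible-match rules are left out) and reproduces the wrapping copied from the log so that a filter can be tested before it goes into `sssd.conf`. `BROKEN` and `FIXED` are the two values from this ticket; the composition string is taken from the log line and is assumed to be the only transformation SSSD applies.

```python
"""RFC 4515 filter syntax check for SSSD filter options (example, not SSSD code)."""
import re


class FilterSyntaxError(ValueError):
    """Raised when a string does not match the RFC 4515 filter grammar."""


# attributedescription: short name or numeric OID, optionally with ;options
_ATTR_RE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*$")
_HEX2_RE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_filter(text):
    """Parse `text` into a tuple AST or raise FilterSyntaxError.

    AST shapes: ('&', [nodes]), ('|', [nodes]), ('!', node), ('present', attr),
    ('substring', attr, pattern), ('=', attr, value), ('~=', ...), ('>=', ...),
    ('<=', ...). Values are returned raw (escapes are validated, not decoded).
    """
    pos, node = _parse_node(text, 0)
    if pos != len(text):
        raise FilterSyntaxError(f"trailing data at offset {pos}: {text[pos:]!r}")
    return node


def _parse_node(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {i}, got {s[i:i + 1]!r}")
    i += 1
    if i >= len(s):
        raise FilterSyntaxError("filter ends after '('")
    c = s[i]
    if c in "&|":
        # filterlist = 1*filter: every operand must itself be parenthesised.
        # This is exactly what an unparenthesised ad_access_filter violates.
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse_node(s, i)
            children.append(child)
        if not children:
            raise FilterSyntaxError(
                f"'{c}' at offset {i - 1} needs at least one '(...)' operand; "
                f"found {s[i:i + 12]!r}")
        node = (c, children)
    elif c == "!":
        i, child = _parse_node(s, i + 1)
        node = ("!", child)
    else:
        node, i = _parse_item(s, i)
    if i >= len(s) or s[i] != ")":
        raise FilterSyntaxError(f"expected ')' at offset {i}")
    return i + 1, node


def _parse_item(s, i):
    j = i
    while j < len(s) and s[j] not in "=~<>()":
        j += 1
    attr = s[i:j]
    if not _ATTR_RE.match(attr):
        raise FilterSyntaxError(f"bad attribute description {attr!r} at offset {i}")
    for op in ("~=", ">=", "<=", "="):
        if s.startswith(op, j):
            break
    else:
        raise FilterSyntaxError(f"expected a comparison operator at offset {j}")
    k = start = j + len(op)
    while k < len(s) and s[k] != ")":
        ch = s[k]
        if ch == "(":
            raise FilterSyntaxError(f"unescaped '(' inside value at offset {k}")
        if ch == "\\":  # RFC 4515 escape: backslash followed by two hex digits
            if not _HEX2_RE.fullmatch(s[k + 1:k + 3]):
                raise FilterSyntaxError(f"'\\' needs two hex digits at offset {k}")
            k += 3
            continue
        if ch == "*" and op != "=":
            raise FilterSyntaxError(f"'*' only valid in an equality filter (offset {k})")
        k += 1
    value = s[start:k]
    if op == "=" and value == "*":
        return ("present", attr), k
    if op == "=" and "*" in value:
        return ("substring", attr, value), k
    return (op, attr, value), k


def sssd_user_search(access_filter):
    """Query shape copied from the ticket's log: SSSD ANDs its own objectclass
    clause with the admin-supplied filter placed inside an OR (assumption:
    this is the only transformation applied)."""
    return f"(&(objectclass=user)(|{access_filter}))"


def check_sssd_filter(access_filter):
    """Return None if the composed query parses, else the parser's message."""
    try:
        parse_filter(sssd_user_search(access_filter))
    except FilterSyntaxError as exc:
        return str(exc)
    return None


# Values from this ticket: the original and the form Sumit suggested.
BROKEN = "memberOf=CN=Main-Group,OU=Other,OU=Adm Groups,DC=adm,DC=domain,DC=com"
FIXED = "(" + BROKEN + ")"

if __name__ == "__main__":
    for label, value in (("original", BROKEN), ("corrected", FIXED)):
        err = check_sssd_filter(value)
        print(f"{label}: {'OK' if err is None else 'MALFORMED: ' + err}")
```

Note what the check does and does not cover: the failure mode in this ticket is a denied lookup (`Internal Error`, so `id`/`getent` and therefore `sss_ssh_authorizedkeys` get nothing), not a silently permitted one, so the cost of a bad filter is an outage rather than an access-control bypass. The parser is syntactic only; it will happily accept `(memberOf=Main-Group,OU=Other,...)` from the second line of the reply, since whether the right-hand side is a group DN that exists in the directory is a question for `ldapsearch`, not for the grammar.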

No reply for 10 days and I suspect Sumit's reply solves this ticket. Closing.

resolution: => worksforme
status: new => closed

Metadata Update from @alingramescu:
- Issue set to the milestone: NEEDS_TRIAGE

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3991

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
