https://bugzilla.redhat.com/show_bug.cgi?id=754170
Description of problem:
Login as local (PAM) user does not work when sssd is configured with LDAP-backend

Version-Release number of selected component (if applicable):
sssd-1.6.3-1.fc16.x86_64
pure-ftpd-1.0.32-2.fc16.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set up sssd to auth against ldap
2. Check that users can log in with ssh, pop3/imap (dovecot) and so on
3. Install pure-ftpd
4. Configure it to use PAM Auth

Actual results:
Local users can't log in

Expected results:
Local users should be able to log in

Additional info:
It is hard to debug this problem. Sssd seems to auth the users fine:

    Nov 14 14:01:22 poseidon pure-ftpd: pam_unix(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=olen rhost= user=olen
    Nov 14 14:01:23 poseidon pure-ftpd: pam_sss(pure-ftpd:auth): authentication success; logname= uid=0 euid=0 tty=pure-ftpd ruser=olen rhost= user=olen

But they still can't log in. Client reports "login failed".

Fresh install of F16, so no old config-files should be present.

Auth is configured by authconfig. Relevant PAM-files:

/etc/pam.d/pure-ftpd

    #%PAM-1.0
    # Sample PAM configuration file for Pure-FTPd.
    # Install it in /etc/pam.d/pure-ftpd or add to /etc/pam.conf
    auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
    auth       include      password-auth
    auth       required     pam_shells.so
    auth       required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    session    required     pam_loginuid.so
    session    include      password-auth

/etc/pam.d/password-auth is a symlink to password-auth-ac

/etc/pam.d/password-auth

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_sss.so use_first_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_sss.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    -session    optional      pam_systemd.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_sss.so

The weirdest thing is I have the exact same problem with both vsftpd AND proftpd as well.

Changing pure-ftpd to auth directly to the LDAP-server works fine, and allows users to log in.
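The two log lines in the description (pam_unix failure, then pam_sss success) are the trace the posted auth stack produces for an LDAP-only user, and the auth phase as a whole returns success. The following is an added example, not code from the ticket, SSSD or Linux-PAM: a simplified model of the `required`/`requisite`/`sufficient` control flags applied to that stack, with `evaluate` and the per-module results as assumptions for illustration.

```python
# Added example: simplified model of Linux-PAM control flags (not Linux-PAM code).
# AUTH_STACK is the pure-ftpd "auth" stack from the ticket with the
# "auth include password-auth" line expanded in place. With "include", a
# successful "sufficient" module ends the whole stack, not just the included part.
AUTH_STACK = [
    ("required",   "pam_listfile"),    # /etc/pam.d/pure-ftpd
    ("required",   "pam_env"),         # from password-auth
    ("sufficient", "pam_unix"),
    ("requisite",  "pam_succeed_if"),  # uid >= 500
    ("sufficient", "pam_sss"),
    ("required",   "pam_deny"),
    ("required",   "pam_shells"),      # back in /etc/pam.d/pure-ftpd
    ("required",   "pam_nologin"),
]


def evaluate(stack, results):
    """Return (verdict, modules_run) for one PAM phase.

    results maps module name -> True/False (hypothetical per-module outcome).
    Modules not listed are assumed to succeed; pam_deny always fails.
    """
    failed = False   # set once any "required" module has failed
    ran = []
    for control, module in stack:
        ok = False if module == "pam_deny" else results.get(module, True)
        ran.append(module)
        if control == "requisite" and not ok:
            return "FAIL", ran              # fail immediately
        if control == "required" and not ok:
            failed = True                   # remember failure, keep going
        if control == "sufficient" and ok and not failed:
            return "SUCCESS", ran           # stop here, rest is skipped
        # a failing "sufficient" module is ignored and the stack continues
    return ("FAIL" if failed else "SUCCESS"), ran


if __name__ == "__main__":
    # Constructed outcomes matching the log lines: pam_unix fails, pam_sss succeeds.
    verdict, ran = evaluate(AUTH_STACK, {"pam_unix": False, "pam_sss": True})
    print(verdict, "->", ", ".join(ran))
```

In this model pam_shells and pam_nologin are never reached once pam_sss succeeds, and the pam_unix "authentication failure" line is an ignored `sufficient` failure rather than the cause of the rejected login.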
Fields changed
cc: => pghmcfc
coverity: =>
patch: => 0
rhbz: =>
tests: => 0
testsupdated: => 0
upgrade: => 0
description: https://bugzilla.redhat.com/show_bug.cgi?id=754170
milestone: NEEDS_TRIAGE => SSSD 1.7.0
owner: somebody => jzeleny
priority: major => critical
status: new => assigned
I'm leaning towards closing this ticket, as it seems that it has nothing to do with SSSD. I tested this with ProFTP and it seems that the request for username never gets to SSSD (no mention about it in the log of NSS provider). I double checked the configuration, and everything else seems to be working fine - getent, sshd, su, ...
resolution: => invalid
status: assigned => closed
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=754170 754170]
Metadata Update from @sgallagh:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.7.0
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2139
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.