[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ldap user login attempt kills slapd service
Hello,
as OpenLDAP distributed with RHEL uses NSS for crypto (which is
deprecated by OpenLDAP upstream community) please contact Red Hat
customer support with the issue. There, please supply full debug-level
logs from all servers and client. I have noticed the suppressed log lines
from journal in logs you have supplied bellow, which is not sufficient.
Thank you for your understanding.
"Real, Elizabeth (392K)" <Elizabeth.Real@jpl.nasa.gov> writes:
> Openldap gurus:
>
> Here is my setup,
>
> LDAPSERVERS: I have two ldap servers running RHEL7.2 and openldap 2.4.40. Both servers are configured with multi-master replication. Ldaps is enabled and a ppolicy applied.
>
> LDAPCLIENT: My ldap client is running RHEL7.2 as well, sssd 1.13.0, and openldap client 2.4.40.
>
> I have been troubleshooting this problem for a while and can’t figure out why everytime I try to login to an ldap client with a test user account the slapd service on only one of my ldap servers gets killed.
>
> Both getent and ldapsearch return the expected information when ran on the ldap client:
> ldapclient ~]# getent passwd realtest
> realtest:*:1004:312:Liz RealTest:/home/real:/bin/tcsh
>
> ldapclient ~]# ldapsearch -x -s sub -b 'ou=People,dc=cluster,dc=sec312' '(uid=realtest)'
> # extended LDIF
> #
> # LDAPv3
> # base <ou=People,dc=cluster,dc=sec312> with scope subtree
> # filter: (uid=realtest)
> # requesting: ALL
> #
>
> # realtest, People, cluster.sec312
> dn: uid=realtest,ou=People,dc=cluster,dc=sec312
> gidNumber: 312
> objectClass: account
> objectClass: top
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: realtest
> loginShell: /bin/tcsh
> homeDirectory: /home/real
> cn: Liz RealTest
> uidNumber: 1004
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> LDAP SERVER /VAR/LOG/SECURE:
> serverA journal: Suppressed 19192 messages from /system.slice/slapd.service
> serverA journal: Suppressed 8449 messages from /system.slice/slapd.service
> serverA systemd: slapd.service: main process exited, code=killed, status=6/ABRT
> serverA systemd: Unit slapd.service entered failed state.
> serverA systemd: slapd.service failed.
>
> LDAP CLIENT /VAR/LOG/SECURE:
> ldapclient sshd[122938]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=node12.cluster.sec312 user=realtest
> ldapclient sshd[122938]: pam_sss(sshd:auth): received for user realtest: 7 (Authentication failure)
> ldapclient sshd[122938]: pam_ldap(sshd:auth): Authentication failure; user=realtest
> ldapclient sshd[122936]: error: PAM: Authentication failure for realtest from node12.cluster.sec312
>
> ATTEMPT TO SSH AS TEST USER TO LDAP CLIENT:
> % ssh -v realtest@ldapclient
> OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 60: Applying options for *
> debug1: Connecting to ldapclient [] port 22.
> debug1: Connection established.
> debug1: could not open key file '/etc/ssh/ssh_host_key': Permission denied
> debug1: could not open key file '/etc/ssh/ssh_host_dsa_key': Permission denied
> debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied
> debug1: could not open key file '/etc/ssh/ssh_host_rsa_key': Permission denied
> debug1: could not open key file '/etc/ssh/ssh_host_ed25519_key': Permission denied
> debug1: could not open key file '/etc/ssh/ssh_host_dsa_key': Permission denied
> debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied
> debug1: could not open key file '/etc/ssh/ssh_host_rsa_key': Permission denied
> debug1: could not open key file '/etc/ssh/ssh_host_ed25519_key': Permission denied
> debug1: identity file /home/real/.ssh/id_rsa type -1
> debug1: identity file /home/real/.ssh/id_rsa-cert type -1
> debug1: identity file /home/real/.ssh/id_dsa type -1
> debug1: identity file /home/real/.ssh/id_dsa-cert type -1
> debug1: identity file /home/real/.ssh/id_ecdsa type -1
> debug1: identity file /home/real/.ssh/id_ecdsa-cert type -1
> debug1: identity file /home/real/.ssh/id_ed25519 type -1
> debug1: identity file /home/real/.ssh/id_ed25519-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.6.1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
> debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
> debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
> debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
> debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: ECDSA 14:c5:c2:60:29:ce:99:aa:67:41:a6:6a:11:2c:ca:86
> debug1: Host 'ldapclient' is known and matches the ECDSA host key.
> debug1: Found key in /home/real/.ssh/known_hosts:22
> debug1: ssh_ecdsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
>
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive,hostbased
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure. Minor code may provide more information
> No Kerberos credentials available
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> No Kerberos credentials available
>
> debug1: Unspecified GSS failure. Minor code may provide more information
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> No Kerberos credentials available
>
> debug1: Next authentication method: hostbased
> debug1: No more client hostkeys for hostbased authentication.
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/real/.ssh/id_rsa
> debug1: Trying private key: /home/real/.ssh/id_dsa
> debug1: Trying private key: /home/real/.ssh/id_ecdsa
> debug1: Trying private key: /home/real/.ssh/id_ed25519
> debug1: Next authentication method: keyboard-interactive
> Password:
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive,host based
>
> Any help will be greatly appreciated!
>
> Thank you,
> Liz
--
Matus Honek
Associate Software Engineer @ Red Hat, Inc.