LDAP user unable to log in

LDAP user unable to log in, with error message: sssd: Could not start TLS encryption.

"Use TLS for Identity Resolve" is not checked.

Any idea?

Error message when logging in with ssh:

2013-03-14T13:16:38.183271+08:00 pisces sshd[2122]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=richese.polyscientific.com.my user=calvin
2013-03-14T13:16:38.361009+08:00 pisces sssd[be[default]]: Could not start TLS encryption. error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)
2013-03-14T13:16:38.361389+08:00 pisces sshd[2122]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=richese.polyscientific.com.my user=calvin
2013-03-14T13:16:38.361996+08:00 pisces sshd[2122]: pam_sss(sshd:auth): received for user calvin: 9 (Authentication service cannot retrieve authentication info)
2013-03-14T13:16:40.269697+08:00 pisces sshd[2120]: error: PAM: Authentication service cannot retrieve authentication info for calvin from richese.polyscientific.com.my

Error message when trying to log in to KDM:

2013-03-14T13:18:09.525439+08:00 pisces kdm: :0[2176]: pam_unix(xdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jiunnyik
2013-03-14T13:18:09.527248+08:00 pisces kdm: :0[2176]: pam_sss(xdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jiunnyik
2013-03-14T13:18:09.527265+08:00 pisces kdm: :0[2176]: pam_sss(xdm:auth): received for user jiunnyik: 9 (Authentication service cannot retrieve authentication info)
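The second line of the ssh log is the real failure: OpenSSL on the client rejected the LDAP server's certificate because it is self-signed and nothing in the client's trust store vouches for it, so sssd aborted the TLS session before PAM could check the password. The added example below (not from this thread or from the sssd project) reproduces that verification failure offline with a constructed self-signed certificate, shows that installing the server's certificate as a trusted CA makes the same check pass, and prints the `[domain/...]` lines that give sssd that trust while keeping certificate verification enabled. It assumes `openssl` is installed; the host name `ldap.example.test` and the path `/etc/sssd/ldap-ca.pem` are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce "certificate verify failed
# (self signed certificate)" offline, show that trusting the CA fixes it, and
# emit the sssd.conf lines that apply the same trust on a client.
# Assumptions: openssl is on PATH; host name and CA path are placeholders.
set -u

WORK="${TMPDIR:-/tmp}/sssd-tls-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the LDAP server's self-signed certificate (constructed test cert).
make_self_signed_cert() {
    [ -s "$WORK/server.crt" ] && return 0
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
}

# What the client does with no CA configured: the server certificate chains to
# nothing the client trusts, so verification fails (this is the error in the log).
verify_without_ca() {
    make_self_signed_cert || return 2
    openssl verify "$WORK/server.crt" >/dev/null 2>&1
}

# Same check with the server's certificate installed as a trusted CA on the
# client; this is what ldap_tls_cacert achieves in sssd.conf.
verify_with_ca() {
    make_self_signed_cert || return 2
    openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Domain settings that trust that CA while still demanding a valid certificate.
# Relaxing ldap_tls_reqcert to "never" or "allow" would silence the error but
# leave the client open to a spoofed LDAP server, so the CA file is the fix.
sssd_domain_snippet() {
    cacert="$1"
    cat <<EOF
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = $cacert
EOF
}

main() {
    if ! make_self_signed_cert; then
        echo "openssl is required for this demo" >&2
        return 1
    fi
    if verify_without_ca; then
        echo "unexpected: verified with no trusted CA"
    else
        echo "no CA file  : certificate verify failed (the error seen by sssd)"
    fi
    if verify_with_ca; then
        echo "with CA file: verification OK"
    fi
    echo
    echo "# copy the server certificate to the client, e.g. /etc/sssd/ldap-ca.pem, then:"
    sssd_domain_snippet /etc/sssd/ldap-ca.pem
    # Against the real server (placeholder host), the equivalent live check is:
    #   openssl s_client -connect ldap.example.test:636 -CAfile /etc/sssd/ldap-ca.pem </dev/null
    # or, for START_TLS on port 389, add: -starttls ldap
}

main
```

After copying the CA file into place, restart sssd and retry the ssh login; the `Could not start TLS encryption` line should disappear from the log before the `pam_sss` lines change.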

As a start, have you checked that your self-generated certificate is where it should be/up-to-date?

john_hudson ,

More details please.

Check from the client side?

Does that mean I have to copy the openldap self-generated certificate from the server to the client PC?

This was not needed in previous versions of openSUSE.

Thanks.

No - just that, given line 2 of the error message, a misplaced or out-of-date certificate might be the cause. Another possible cause would be a login mismatch: uid 0 is normally root, but user=calvin.

I'm guessing, because this is the first time I have seen such a sequence of error messages, but those points stand out.

You're seeing 2 different errors because you're using different names to log in. If you're testing, at least try to minimize variables so you can get consistent and helpful results.

When you logged in with SSH, it looks like that type of login automatically passes your SSH credentials, and so you're getting a certificate mismatch. Log in instead with a user account using a certificate that is authorized, and therefore can be authenticated, by your LDAP domain.

When you logged in with KDM, that was straightforward: the name you used isn't in your LDAP domain.

HTH,
TSU