sshd reports unknown user for local users

Status
Not open for further replies.
Joined
Jan 17, 2017
Messages
9
Hi,

after upgrading to FreeNAS 11 we also decided to move away from locally managed users towards an existing LDAP database within our organization. This works great for all the users who are in that directory. However there are still a couple of local system accounts (e.g. for synchronization and backup purposes) which I would like to keep in the FreeNAS database and stored via the local passwd file rather than have them in the organization-wide LDAP directory.

I understand that Samba cannot authenticate those local accounts anymore because it only looks at the LDAP. Is that correct?

getent passwd works fine and shows both local and LDAP users.

For SSH access, both local and LDAP users can connect, however in /var/log/auth.log, sshd always first reports Access denied and then accepts the connection anyway when a local user connects:

/var/log/auth.log
Code:
Sep 12 10:20:37 mynas sshd[502]: Access denied for user <localinfreenas>: 13 (unknown user)
Sep 12 10:20:37 mynas sshd[502]: Accepted publickey for <localinfreenas> from <ip> port 41420 ssh2: RSA <keyid>


How do I get rid of the "Access denied" messages for the local users?
Users in the LDAP directory do not generate the Access denied message.
I am sure there is just a minor entry missing in sssd.conf, nsswitch.conf or in the PAM configuration, but I am not very familiar with those files and the way FreeNAS sets them up. Maybe a minor bug fix for FreeNAS is in order for that?

Here are the relevant config files (I presume) currently set up by FreeNAS:
Code:
[root@mynas ~]# cat /usr/local/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
full_name_format = %2$s\%1$s
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
services = nss,pam
domains = LDAP


[nss]

[pam]

[domain/LDAP]
description = LDAP
enumerate = true
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_force_upper_case_realm = true
use_fully_qualified_names = false
ldap_uri = ldap://<...>
ldap_search_base = <...>
ldap_user_search_base = <...>
ldap_group_search_base = <...>
tls_reqcert = demand
ldap_tls_cacert = /etc/certificates/CA/ldap.crt
ldap_id_use_start_tls = true
ldap_default_bind_dn = uid=admin,<...>
ldap_default_authtok_type = password
ldap_default_authtok = <password>
override_homedir = /<zfsvol>/%u

[root@mynas ~]# cat /etc/nsswitch.conf 
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD$
#


group: files sss
hosts: files mdns dns
networks: files
passwd: files sss
shells: files
services: files
protocols: files
rpc: files
sudoers: files
[root@mynas ~]# cat /etc/pam.d/sshd 
#
# $FreeBSD: head/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#


# auth
auth			sufficient	  pam_opie.so			 no_warn no_fake_prompts
auth			requisite	   pam_opieaccess.so	   no_warn allow_local
auth			sufficient	  /usr/local/lib/pam_sss.so
#auth		   sufficient	  pam_krb5.so			 no_warn try_first_pass
#auth		   sufficient	  pam_ssh.so			  no_warn try_first_pass
auth			required		pam_unix.so			 no_warn try_first_pass

# account
account		 required		pam_nologin.so
#account		required		pam_krb5.so
account		 required		pam_login_access.so
account		 sufficient	  /usr/local/lib/pam_sss.so
account		 required		pam_unix.so

# session
#session		optional		pam_ssh.so			  want_agent
session		 required		pam_permit.so
session		 required		/usr/local/lib/pam_mkhomedir.so

# password
#password	   sufficient	  pam_krb5.so			 no_warn try_first_pass
password		sufficient	  /usr/local/lib/pam_sss.so use_authtok
password		required		pam_unix.so			 no_warn try_first_pass
[root@mynas ~]# 

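When reviewing auth.log for this setup, it helps to tell the benign "unknown user, then accepted" pair apart from a real denial. The following triage script is an added example (not from this thread, FreeNAS or sssd); it assumes the exact sshd line format quoted above and runs over constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample in the /var/log/auth.log format quoted in the thread
# (host, users, addresses and key ids are made up, not from a real system).
SAMPLE_LOG = """\
Sep 12 10:20:37 mynas sshd[502]: Access denied for user backupsync: 13 (unknown user)
Sep 12 10:20:37 mynas sshd[502]: Accepted publickey for backupsync from 192.0.2.10 port 41420 ssh2: RSA SHA256:EXAMPLEKEY1
Sep 12 10:21:02 mynas sshd[517]: Accepted publickey for jdoe from 192.0.2.11 port 50112 ssh2: RSA SHA256:EXAMPLEKEY2
Sep 12 10:22:15 mynas sshd[530]: Access denied for user nosuchuser: 13 (unknown user)
"""

DENIED = re.compile(r"sshd\[(\d+)\]: Access denied for user (\S+): (\d+) \(")
ACCEPTED = re.compile(r"sshd\[(\d+)\]: Accepted \S+ for (\S+) from \S+ port")
PAM_USER_UNKNOWN = 13  # the code in the thread's "Access denied" line


def classify_sessions(log_text):
    """Group sshd lines by PID and return {pid: (user, label)}.

    local-fallthrough: denied with 13 (unknown user) then accepted, i.e. the
    user came from local files (the benign pattern the thread asks about);
    accepted: no prior denial (e.g. an LDAP user); denied: never accepted;
    mixed: denied for some other reason and then accepted anyway.
    """
    events = defaultdict(list)  # pid -> [(kind, user, pam_code)]
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            events[m.group(1)].append(("denied", m.group(2), int(m.group(3))))
            continue
        m = ACCEPTED.search(line)
        if m:
            events[m.group(1)].append(("accepted", m.group(2), None))
    result = {}
    for pid, evs in events.items():
        kinds = {e[0] for e in evs}
        codes = {e[2] for e in evs if e[0] == "denied"}
        if "denied" not in kinds:
            label = "accepted"
        elif "accepted" not in kinds:
            label = "denied"
        else:
            label = "local-fallthrough" if codes == {PAM_USER_UNKNOWN} else "mixed"
        result[pid] = (evs[-1][1], label)
    return result
```

Sessions labelled "denied" are the ones worth a closer look; "local-fallthrough" entries are the local accounts the thread describes.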
dlavigne
Guest
It is working correctly, as the SSH server is trying one auth method and when it fails, it's trying the next available auth method.

For the local users, you can edit the "PreferredAuthentications" in their /etc/ssh_config to specify the preferred order.
No, I don't think that's it. You are referring to an ssh client option which controls the order of authentication methods such as password or pubkey. Nothing to do with the user account lookup on the sshd side. My clients send their pubkey, not the password, on the first try anyway.

I think the solution is closer to something along the lines of this Arch Wiki article under PAM configuration for sssd:
Code:
/etc/pam.d/system-auth

account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so


Can someone confirm this? Is there a way to adjust the PAM FreeNAS config accordingly so that it does not get overwritten after reboot?
dlavigne
Guest
Since there isn't a UI knob to configure that (and thus add to config db) it will get overwritten on boot. However, you could create a feature request at bugs.freenas.org explaining the use case. If you do, paste the issue number here.