How to authenticate Satellite web UI users using SSSD through PAM?

Solution Verified - Updated -

Environment

  • Red Hat Satellite 5
  • SSSD
  • PAM
  • LDAP

Issue

  • Need to authenticate Satellite users using System Security Services Daemon (SSSD) through Pluggable Authentication Modules (PAM) against LDAP
  • How to authenticate Satellite users using SSSD through PAM?

Resolution

  • Start the sssd service:
[root@host]# service sssd start
  • Follow the steps in the Satellite Installation Guide to configure the Satellite for SSSD authentication via PAM.
  • Make sure that the rhn-satellite file is world-readable:
[root@host]# chmod 644 /etc/pam.d/rhn-satellite
  • Browse to the Satellite web UI and log in with the LDAP username.


3 Comments

Good morning

I have some doubts about this procedure. For example, take an environment with the RHN Server without authentication (only local), where I would now like to authenticate some users from AD and others locally. Locally is no problem, the procedure is normal (only create a new user inside Satellite), but to use AD, what is really necessary?!

I believe it is a prerequisite to configure the User Info (LDAP) and Authentication (maybe Kerberos). I did the test using LDAP/Kerberos to auth, and it works fine from the CLI (kinit/klist), but from Satellite ... nothing.

Above is the message when trying to access Satellite using an AD user.

My catalina.out
###
[TP-Processor7] WARN com.redhat.rhn.domain.user.legacy.UserImpl - PAM login for user User waldirio (id 3, org_id 1) failed with error Authentication failure.
###

and my secure
###
IBM Java[23338]: pam_sss(rhn-satellite:auth): authentication failure; logname= uid=91 euid=91 tty= ruser= rhost= user=waldirio
###

Any idea or recommendation??!

Thanks in advance
Waldirio

Waldirio,

Not sure if you got this working already (it's been a year and a half since you posted your message). In case you didn't, I would advise you to verify that SSSD is able to connect and get the user information from the LDAP server before trying to log in at the Satellite web interface. Since you are using AD, you may need some extra parameters in sssd.conf. In my case (using Global Catalog), I had to specify port 3268 in the URI, added a user to bind with (ldap_default_bind_dn and ldap_default_authtok), changed ldap_user_name, ldap_user_uid_number, ldap_user_gid_number, ldap_group_gid_number and ldap_group_object_class to suit our domain, etc. In the end, you should be able to run "getent -s sss passwd " on the terminal. Once you get that working, then as long as you have the PAM configuration as this KB explains, Satellite should work.

Additionally, to debug authentication issues when using SSSD, add "debug_level = 9" to your domain section in sssd.conf, and look at "/var/log/sssd/sssd_.log", rather than looking at catalina or secure.

Regards,
Eric
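
The checks from the Resolution (PAM file mode) and from the comment above (user lookup through SSSD, debug_level in the domain section) as one pre-flight script. This is an added example, not part of the original article or comments and not Red Hat tooling; it assumes GNU stat and the default /etc/sssd/sssd.conf path, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not Red Hat tooling. Function names are this example's own.

# Print a file's permission bits in octal (GNU stat), e.g. 644.
file_mode() { stat -c '%a' "$1" 2>/dev/null; }

# PAM service file must be readable by "other" (the secure log above shows the
# PAM call running as uid=91, not root) and not writable by group or other.
pam_file_ok() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 0004 )) -ne 0 ] && [ $(( 0$mode & 0022 )) -eq 0 ]
}

# sssd.conf can hold ldap_default_authtok (the bind password), so group and
# other must have no access at all.
sssd_conf_ok() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 0077 )) -eq 0 ]
}

# Print debug_level from the [domain/<name>] section; non-zero exit if unset.
domain_debug_level() {
    awk -v want="[domain/$2]" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_dom = ($0 == want); next }
        in_dom && /^[ \t]*debug_level[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            print v; found = 1; exit
        }
        END { exit !found }' "$1"
}

# usage: preflight <sssd-domain> <ldap-username>
preflight() {
    rc=0
    pam_file_ok /etc/pam.d/rhn-satellite ||
        { echo "FAIL: /etc/pam.d/rhn-satellite must be 0644"; rc=1; }
    sssd_conf_ok /etc/sssd/sssd.conf ||
        { echo "FAIL: /etc/sssd/sssd.conf is accessible to group/other"; rc=1; }
    getent -s sss passwd "$2" >/dev/null ||
        { echo "FAIL: SSSD cannot resolve user $2"; rc=1; }
    if lvl=$(domain_debug_level /etc/sssd/sssd.conf "$1"); then
        echo "NOTE: debug_level=$lvl is set for $1"
    fi
    return $rc
}

if [ "$#" -eq 2 ]; then preflight "$@"; fi
```

Run it as root with the SSSD domain name and an LDAP username as arguments; with no arguments it only defines the functions.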

Hi Eric, good morning

This issue happened in the client and was fixed, but in fact I don't remember what I did.

I'll do the steps above again in my lab (Satellite authenticating by AD) to test and generate an internal paper.

Thanks for your reply!

B'Regards
Waldirio