WEBMIN LDAP authentication: passwd returns "Authentication token manipulation error"

progress update

Update: Jan 25 2023. I believe I have sssd and nslcd working properly. I also adjusted the PAM modules in Webmin. I also added db to nsswitch.conf so it checks there first. As of right now I can use things like ldapsearch -x -D cn=bindadmin,ou=People,dc=xxx,dc=com -W to query my db full of users successfully. I can also passwd $USER successfully and log in with the new password using su -l $USER. The only remaining problem I'm having is allowing the user to log into Webmin. I was hoping, since the client is working and passwd changing works, it would allow me to log in, but when I attempt to change the converted Webmin user's ACL for Webmin login I get the following error in /var/webmin/miniserv.error, and this seems to be the only log error msg I get which is preventing my Webmin users from logging in. Any thoughts?

Argument "" isn't numeric in numeric ne (!=) at /usr/libexec/webmin/acl/save_unix.cgi line 80. [25/Jan/2023:11:01:59 -0500] Reloading configuration


added 80 characters in body
Vojtech Trefny

I'm trying to set up LDAP authentication for Unix users to log in and I'm getting the token error. I have LDAP users and groups working and I've converted all the Unix users to Webmin users, but I can't get the users to log in or change password with passwd. I configured and enabled sssd.conf, but I believe the issue may have to do with PAM files, which I have limited experience with; any help would be appreciated. I'll add a few of the PAM configs along with the sssd.conf below. Let me know if you need anything else to help troubleshoot this, thank you.

I also can't use anything like ldapmodify or ldapsearch, which is because of a misconfigured ldap-client not reaching the server, I presume? When I configure ldap-client on Webmin with the nslcd.conf file and I use the validate button it returns the following, but it doesn't give me the option to run/start the client as it had prior; now it only gives me the validate configuration option and both start ldap-client alongside. Could this be why it's not connecting properly?

Error msg when I try ldap search:

SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)

Finding LDAP base for users ..
.. found base dc=xxxx,dc=com.
Connecting to LDAP server ..
.. connected to ldap-primary.ue1.-prod.com
Searching for users ..
.. found 507 users.
Checking Unix users service ..
.. service is setup to query LDAP.
Looking for Unix user bjones ..
.. user found successfully.
Your system has been successfully configured as an LDAP client!

Expectations:

  • LDAP users and groups functionality working [complete]
  • converted unix webmin users log in functionality working [not working]

The following commands work:

$ id tuser
uid=6469(tuser) gid=6250(gwtest) groups=6250(gwtest),9003(git),9001(softeng)
$ getent passwd tuser
tuser:*:6469:6250:test user:/home/tuser:/bin/bash

Log msg when I try passwd tuser:

passwd: pam_unix(passwd:chauthtok): user "tuser" does not exist in /etc/passwd
passwd: pam_sss(passwd:chauthtok): Authentication failed for user tuser: 4 (System error)

Log msg when a converted Webmin user attempts to log in:

pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty=10000 ruser= rhost=xxx user=xxx
webmin[8072]: Invalid login as xxxx from xxxx

passwdauth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass
password    sufficient    pam_sss.so
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

passwd:

#%PAM-1.0
auth        include       system-auth
account     include       system-auth
password    substack      system-auth
-password   optional      pam_gnome_keyring.so
password    substack      postlogin

webmin:

#%PAM-1.0
auth        sufficient    pam_ldap.so
auth        required      pam_unix.so nullok
account     sufficient    pam_ldap.so
account     required      pam_unix.so
session     sufficient    pam_ldap.so
session     required      pam_unix.so

system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
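The PAM files above decide an outcome by walking each stack in order and applying the control field to every module's return value. What follows is an added example, not code from the question, from Webmin or from Linux-PAM: a small Python simulator of those rules (the keyword expansions given in pam.conf(5), the [value=action] form, the N jump, and the done/die short-circuits), run over the auth lines of the system-auth and webmin files quoted above. The names parse_stack and run_stack, and the per-module results in the scenario dictionaries (for instance that pam_localuser.so rejects a user absent from /etc/passwd, or that pam_ldap.so fails for an SSSD-backed user), are assumptions of the example, not observations of the poster's system.

```python
"""Added example (not from the question or from Linux-PAM): a simulator of how libpam
walks an 'auth' stack, used to trace which module decides the outcome.  Module results
are assumed inputs supplied per scenario, not real PAM calls."""
import re
from typing import Dict, List, Tuple

# Constructed samples: the 'auth' lines of the system-auth and webmin files quoted in
# the question, embedded here as strings.
SYSTEM_AUTH = """
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""
WEBMIN = """
auth sufficient pam_ldap.so
auth required pam_unix.so nullok
"""

# pam.conf(5): what the four keyword controls expand to in [value=action] form.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

Entry = Tuple[Dict[str, str], str, str]   # (control map, module, arguments)


def parse_stack(text: str, facility: str) -> List[Entry]:
    """Return the entries of one facility (auth/account/password/session) in order."""
    stack: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line) if line else None
        if not m or m.group(1) != facility:
            continue
        control = m.group(2)
        if control.startswith("["):               # explicit [value=action ...] form
            cmap = dict(tok.split("=", 1) for tok in control[1:-1].split())
        elif control in SIMPLE_CONTROLS:
            cmap = SIMPLE_CONTROLS[control]
        else:                                     # include/substack are not expanded here
            continue
        stack.append((cmap, m.group(3), m.group(4)))
    return stack


def run_stack(stack: List[Entry], verdicts: Dict[str, str]) -> Tuple[str, str]:
    """Apply libpam's action rules to assumed module results.

    verdicts maps module name -> the return value it is assumed to give ('success',
    'auth_err', 'user_unknown', 'perm_denied', ...); modules not listed are assumed
    to return 'auth_err'.  Returns (final result, module whose result it is)."""
    impression = None           # None: nothing recorded yet; 'pos' / 'neg' as in libpam
    status, decided_by, skip = "perm_denied", "", 0
    for cmap, module, _args in stack:
        if skip:                                  # inside a jump: module not consulted
            skip -= 1
            continue
        verdict = verdicts.get(module, "auth_err")
        action = cmap.get(verdict, cmap.get("default", "bad"))
        if action.isdigit():                      # N: skip the next N modules
            skip = int(action)
        elif action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status, decided_by = "pos", verdict, module
            if action == "done" and impression == "pos":
                break                             # e.g. a 'sufficient' module succeeded
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status, decided_by = "neg", verdict, module
            if action == "die":
                break                             # e.g. a 'requisite' module failed
        # 'ignore' leaves the recorded result untouched
    return status, decided_by


# Assumed module results for constructed scenarios (not measurements of any system).
LOCAL_USER = {"pam_env.so": "success", "pam_faildelay.so": "success",
              "pam_succeed_if.so": "success", "pam_localuser.so": "success",
              "pam_unix.so": "success"}
# A uid >= 1000 that exists only in LDAP: absent from /etc/passwd, SSSD accepts the password.
LDAP_USER = {"pam_env.so": "success", "pam_faildelay.so": "success",
             "pam_succeed_if.so": "success", "pam_localuser.so": "perm_denied",
             "pam_unix.so": "user_unknown", "pam_sss.so": "success",
             "pam_deny.so": "perm_denied"}
LDAP_USER_BAD_PW = dict(LDAP_USER, **{"pam_sss.so": "auth_err"})
# The webmin file asks pam_ldap, never pam_sss; assume pam_ldap is not set up and fails.
WEBMIN_LDAP_USER = {"pam_ldap.so": "auth_err", "pam_unix.so": "user_unknown"}

if __name__ == "__main__":
    for label, text, verdicts in [
        ("system-auth, local user", SYSTEM_AUTH, LOCAL_USER),
        ("system-auth, LDAP-only user", SYSTEM_AUTH, LDAP_USER),
        ("system-auth, LDAP-only user, wrong password", SYSTEM_AUTH, LDAP_USER_BAD_PW),
        ("webmin, LDAP-only user", WEBMIN, WEBMIN_LDAP_USER),
    ]:
        print(f"{label}: {run_stack(parse_stack(text, 'auth'), verdicts)}")
```

Running it shows that for an LDAP-only user the system-auth stack is decided by pam_sss.so (the failure of pam_localuser.so jumps over pam_unix.so, so pam_unix.so is never asked), while the webmin file never consults pam_sss.so at all: it asks pam_ldap.so and then pam_unix.so, so a failure is reported by pam_unix.so, which is the module named in the Webmin log line above. Whether that matches the poster's system depends on whether pam_ldap.so is installed and configured there.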

sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam, ssh
reconnection_retries = 3
domains = xxxx

[nss]
filter_groups = root
filter_users = root,named,nscd

[

[domain/xxx]
access_provider = ldap
auth_provider = ldap
cache_credentials = true
chpass_provider = none
debug_level = 3
entry_cache_timeout = 300
enum_cache_timeout = 300
enumerate = true
id_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = shadow
ldap_default_authtok_type = password
ldap_default_authtok = xxxx
ldap_default_bind_dn = cn=bindadmin-sssd,ou=People,dc=xxxx,dc=com
ldap_enumeration_refresh_timeout = 300
ldap_group_member = memberUid
ldap_group_name = cn
ldap_group_object_class = posixGroup
ldap_group_search_base = ou=Groups,dc=xxxx,dc=com
ldap_id_use_start_tls = false
ldap_network_timeout = 3
ldap_pwd_policy = shadow
ldap_schema = rfc2307
ldap_search_base = dc=xxx,dc=com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
ldap_uri = ldaps://ldap-01.ue1-prod.com
ldap_user_name = uid
ldap_user_object_class = posixAccount
ldap_user_search_base = ou=People,dc=xxxx,dc=com
ldap_user_shadow_expire = shadowExpire
shell_fallback = /bin/bash
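A second added example, again not from the question or from SSSD: a small lint for sssd.conf, with the file above embedded as the sample input (a subset of its keys, the same xxxx placeholders, and the stray "[" line kept on purpose). parse_sssd_conf, audit_sssd and the finding codes are names invented for this example. It flags chpass_provider = none (SSSD then refuses password changes, so a passwd run that reaches pam_sss fails), ldap_tls_reqcert = never (the ldaps:// server certificate is never checked), a bind password kept in the file, and, going beyond this sample, an ldap:// URI without ldap_id_use_start_tls = true. With the question's placeholders it also reports that [domain/xxx] is not in the [sssd] domains list, which in a real file would mean that domain is never started.

```python
"""Added example (not from the question or from SSSD): a lint for sssd.conf that parses
the file and reports settings a reviewer would want to look at."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the sssd.conf quoted in the question, placeholders and
# the stray "[" line included.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss, pam, ssh
reconnection_retries = 3
domains = xxxx

[nss]
filter_groups = root
filter_users = root,named,nscd

[

[domain/xxx]
access_provider = ldap
auth_provider = ldap
cache_credentials = true
chpass_provider = none
id_provider = ldap
ldap_default_authtok_type = password
ldap_default_authtok = xxxx
ldap_default_bind_dn = cn=bindadmin-sssd,ou=People,dc=xxxx,dc=com
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
ldap_uri = ldaps://ldap-01.ue1-prod.com
"""

SECTION_RE = re.compile(r"^\[([^\[\]]+)\]$")
KV_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_sssd_conf(text: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Return ({section: {key: value}}, [lines that are neither a header nor key = value])."""
    sections: Dict[str, Dict[str, str]] = {}
    bad_lines: List[str] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
        else:
            bad_lines.append(line)            # e.g. a lone "[" or a value outside any section
    return sections, bad_lines


def audit_sssd(text: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings; the codes are constants of this example."""
    sections, bad_lines = parse_sssd_conf(text)
    findings: List[Tuple[str, str]] = []
    for line in bad_lines:
        findings.append(("SYNTAX", f"line {line!r} is neither a section header nor key = value"))
    declared = {d.strip() for d in sections.get("sssd", {}).get("domains", "").split(",") if d.strip()}
    for name, sec in sections.items():
        if not name.startswith("domain/"):
            continue
        if name[len("domain/"):] not in declared:
            findings.append(("UNLISTED_DOMAIN", f"{name} is defined but not listed in [sssd] domains, so it is never started"))
        if sec.get("chpass_provider", "").lower() == "none":
            findings.append(("CHPASS_DISABLED", f"{name}: chpass_provider = none makes SSSD refuse password changes (pam_sss chauthtok fails)"))
        if sec.get("ldap_tls_reqcert", "").lower() == "never":
            findings.append(("TLS_NO_VERIFY", f"{name}: ldap_tls_reqcert = never disables server certificate checking"))
        if sec.get("ldap_uri", "").startswith("ldap://") and sec.get("ldap_id_use_start_tls", "").lower() != "true":
            findings.append(("CLEARTEXT", f"{name}: ldap:// without ldap_id_use_start_tls = true sends binds in the clear"))
        if "ldap_default_authtok" in sec:
            findings.append(("SECRET_IN_FILE", f"{name}: bind password is stored in the file; keep it root-owned, mode 0600"))
    return findings


def finding_codes(text: str) -> List[str]:
    """Distinct finding codes for a config, sorted, for quick comparison."""
    return sorted({code for code, _ in audit_sssd(text)})


if __name__ == "__main__":
    for code, msg in audit_sssd(SAMPLE_SSSD_CONF):
        print(f"{code:16} {msg}")
```

The parser is deliberately hand-written rather than configparser so that a malformed line such as the lone "[" becomes a finding instead of an exception; on the sample it reports SYNTAX, UNLISTED_DOMAIN, CHPASS_DISABLED, TLS_NO_VERIFY and SECRET_IN_FILE, and not CLEARTEXT, because the URI is ldaps://.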
WEBMIN LDAP authentication: passwd returns "Authentication token manipulation error"