Problems with ocserv and Active Directory via SSSD

Tobias Grychtol-Matthaeus tgrymatt at mpi-bremen.de
Mon Dec 14 10:24:15 EST 2020


Dear all,


I have installed ocserv, version 1.1.1-1~bpo10+1, on a Debian 10.7 machine. In the config file I changed the authentication to PAM. The Debian machine is successfully connected to our Active Directory and I can log in via SSH with my AD user and the corresponding password. Now I configured openconnect on my client and logged in with user "root" and established the VPN connection. But if I try to do this with my AD user, the VPN connection will not be established.

I found in the /var/log/auth.log

Dec 14 16:11:14 openconnect ocserv[2481]: pam_unix(ocserv:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=178.142.xxx.xxx  user=testuser
Dec 14 16:11:14 openconnect ocserv[2481]: pam_sss(ocserv:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=178.142.xxx.xxx user=testuser
Dec 14 16:11:14 openconnect ocserv[2481]: pam_sss(ocserv:account): Access denied for user testuser: 6 (Permission denied)

And the /var/log/daemon.log contains:

Dec 14 16:10:56 openconnect systemd[1]: ocserv.service: Succeeded.
Dec 14 16:10:56 openconnect ocserv[2480]: note: skipping 'pid-file' config option
Dec 14 16:10:56 openconnect ocserv[2480]: note: vhost:default: setting 'pam' as primary authentication method
Dec 14 16:10:56 openconnect ocserv[2480]: note: setting 'file' as supplemental config option
Dec 14 16:10:56 openconnect ocserv[2480]: listening (TCP) on 0.0.0.0:443...
Dec 14 16:10:56 openconnect ocserv[2480]: listening (TCP) on [::]:443...
Dec 14 16:10:56 openconnect ocserv[2480]: listening (UDP) on 0.0.0.0:443...
Dec 14 16:10:56 openconnect ocserv[2480]: listening (UDP) on [::]:443...
Dec 14 16:10:56 openconnect ocserv[2480]: main: Starting 1 instances of ocserv-sm
Dec 14 16:10:56 openconnect ocserv[2480]: main: initialized ocserv 1.1.1
Dec 14 16:10:56 openconnect ocserv[2481]: sec-mod: reading supplemental config from files
Dec 14 16:10:56 openconnect ocserv[2481]: sec-mod: sec-mod initialized (socket: /run/ocserv.socket.92fb8478.0)
Dec 14 16:11:11 openconnect ocserv[2480]: note: skipping 'pid-file' config option
Dec 14 16:11:11 openconnect ocserv[2480]: note: vhost:default: setting 'pam' as primary authentication method
Dec 14 16:11:11 openconnect ocserv[2480]: note: setting 'file' as supplemental config option
Dec 14 16:11:11 openconnect ocserv[2481]: sec-mod: sec-mod instance 0 issue cookie
Dec 14 16:11:11 openconnect ocserv[2481]: sec-mod: using 'pam' authentication to authenticate user (session: whGVbd)
Dec 14 16:11:11 openconnect ocserv[2481]: PAM-auth conv: echo-off, msg: 'Password: '
Dec 14 16:11:14 openconnect ocserv[2481]: PAM acct-mgmt error for 'testuser': Permission denied
Dec 14 16:11:14 openconnect ocserv[2481]: PAM-auth pam_auth_pass: Permission denied
Dec 14 16:11:14 openconnect ocserv[2482]: worker[testuser]: 178.142.xxx.xxx worker-auth.c:1713: failed authentication for 'testuser'
Dec 14 16:11:14 openconnect ocserv[2480]: main:178.142.xxx.xxx:54073 user disconnected (reason: unspecified, rx: 0, tx: 0)

Do you have any hints for me?
All the best,
Tobias


--


Tobias Grychtol-Matthaeus
Systemadministrator
Informationstechnik

Max-Planck-Institut für Marine Mikrobiologie
Celsiusstr. 1 - D-28359 Bremen - Raum R1130
Telefon: +49 421 2028-5720
E-Mail: tgrymatt at mpi-bremen.de




********************************************************************************************************************************************************************************
Attention, new telephone extension starting December 4th, 2020!

Please add a -0 to the previous extension of your contact at the Max Planck Institute for Marine Microbiology, i.e. +49 421 2028-123 becomes +49 421 2028-1230.

For fax numbers a -8 has to be added, i.e. +49 421 2028-565 becomes +49 421 2028-5658.

********************************************************************************************************************************************************************************
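The auth.log excerpt above shows the pattern that matters here: pam_sss accepts the password in the auth phase and then refuses the same user in the account phase with code 6. The following triage script is an added example (my own code, not from the original post, ocserv or SSSD) that parses PAM syslog lines and separates credential failures from account-phase access-control denials. The sample log is constructed to mirror the lines in the post, using the documentation address 192.0.2.10 and the placeholder user "testuser"; grouping lines by the ocserv process id is an assumption about how one attempt's lines belong together.

```python
"""Triage PAM auth-log lines: was a login rejected on credentials, or by
account-phase access control? Added example, not code from the post;
SAMPLE_LOG is constructed (documentation IP 192.0.2.10, placeholder user)."""
import re
from collections import OrderedDict

# Linux-PAM return codes that pam_sss reports in its messages (subset).
PAM_CODES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}

# "<timestamp> <host> <proc>[<pid>]: <body>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<body>.*)$")
# "pam_<module>(<service>:<phase>): <message>"
PAM_RE = re.compile(
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):"
    r"(?P<phase>auth|account|session|password)\): (?P<msg>.*)")
# pam_unix/pam_sss write "user=<name>"; pam_sss account writes "for user <name>:"
USER_RE = re.compile(r"(?:\buser=|for user )(?P<user>[^\s:]+)")
CODE_RE = re.compile(r": (?P<code>\d+) \(")

# Constructed sample: pid 2481 mirrors the post (password ok, account denied),
# pid 2490 is a wrong password, pid 2495 is a successful login.
SAMPLE_LOG = """\
Dec 14 16:11:14 openconnect ocserv[2481]: pam_unix(ocserv:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10  user=testuser
Dec 14 16:11:14 openconnect ocserv[2481]: pam_sss(ocserv:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=testuser
Dec 14 16:11:14 openconnect ocserv[2481]: pam_sss(ocserv:account): Access denied for user testuser: 6 (Permission denied)
Dec 14 16:12:02 openconnect ocserv[2490]: pam_unix(ocserv:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10  user=testuser
Dec 14 16:12:02 openconnect ocserv[2490]: pam_sss(ocserv:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=testuser
Dec 14 16:12:02 openconnect ocserv[2490]: pam_sss(ocserv:auth): received for user testuser: 7 (Authentication failure)
Dec 14 16:13:30 openconnect ocserv[2495]: pam_unix(ocserv:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10  user=testuser
Dec 14 16:13:30 openconnect ocserv[2495]: pam_sss(ocserv:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=testuser
Dec 14 16:13:30 openconnect ocserv[2495]: PAM-auth conv: echo-off, msg: 'Password: '
"""


def parse_line(line):
    """Return a dict for a PAM syslog line, or None for non-PAM lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    p = PAM_RE.search(rec["body"])
    if not p:
        return None  # ocserv's own notes, conversation prompts, etc.
    rec.update(p.groupdict())
    u = USER_RE.search(rec["msg"])
    rec["user"] = u.group("user") if u else None
    c = CODE_RE.search(rec["msg"])
    rec["pam_code"] = int(c.group("code")) if c else None
    low = rec["msg"].lower()
    if "success" in low:
        rec["outcome"] = "success"
    elif "denied" in low or "failure" in low:
        rec["outcome"] = "denied"
    else:
        rec["outcome"] = "other"
    return rec


def classify_attempt(records):
    """Summarise the PAM records of one login attempt (one ocserv pid)."""
    auth_ok = [r for r in records if r["phase"] == "auth" and r["outcome"] == "success"]
    auth_bad = [r for r in records if r["phase"] == "auth" and r["outcome"] == "denied"]
    acct_bad = [r for r in records if r["phase"] == "account" and r["outcome"] == "denied"]
    user = next((r["user"] for r in records if r["user"]), None)
    service = records[0]["service"] if records else None
    if acct_bad:
        # The account phase only runs once some auth module accepted the
        # password, so a denial here is policy, not a bad credential.
        r = acct_bad[0]
        verdict = "access-control denial"
        detail = (f"{r['module']} account phase returned {r['pam_code']} "
                  f"({PAM_CODES.get(r['pam_code'], 'unknown')})")
    elif auth_ok:
        verdict = "authenticated"
        detail = "password accepted by " + ", ".join(r["module"] for r in auth_ok)
    elif auth_bad:
        verdict = "credential failure"
        detail = "no auth module accepted the password: " + ", ".join(
            sorted({r["module"] for r in auth_bad}))
    else:
        verdict = "inconclusive"
        detail = "no auth/account outcome recorded"
    return {"user": user, "service": service, "verdict": verdict, "detail": detail}


def triage(log_text):
    """Group PAM lines by process id and classify each attempt."""
    by_pid = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_pid.setdefault(rec["pid"], []).append(rec)
    return {pid: classify_attempt(recs) for pid, recs in by_pid.items()}


if __name__ == "__main__":
    for pid, s in triage(SAMPLE_LOG).items():
        print(f"pid {pid} {s['service']}/{s['user']}: {s['verdict']} - {s['detail']}")
```

The pam_unix failure for a domain user is the expected fall-through of a common-auth stack (the local module cannot verify a password for a user it has no entry for, and the stack moves on to pam_sss), so it is noise for this triage. The decisive line is the account-phase result: PAM_PERM_DENIED (6) from pam_sss means the password was good but SSSD's access control refused the session. For the SSSD AD provider that check is governed by options such as ad_access_filter or, with GPO-based access control, by the ad_gpo_map_* lists and ad_gpo_default_right, which are evaluated per PAM service name (here "ocserv"), and the reason is written to SSSD's own logs under /var/log/sssd/ once debug_level is raised. That describes general SSSD behaviour, not a verified diagnosis of the poster's setup.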


