No login in eJabberd, IMAP and SSH

davidep · October 28, 2018, 6:50pm

Damn it! It’s correct

Replacing that file shouldn’t harm, but there are also other authconfig-generated files that should be fixed accordingly: those with -ac suffix.

Before going further I’d check the past log files, to see if something went wrong in August.

If you decide to replace, make a copy and keep open a spare shell to avoid lockout.

Enrico · October 28, 2018, 7:42pm

Oh very good!
Witch log do you want check?

davidep · October 28, 2018, 7:59pm

Well, let’s start with

/var/log/messages-*

Enrico · October 28, 2018, 9:18pm

Davide, here the files:
https://www.icloud.com/iclouddrive/0yQj0oMYVaY2_GgK5neLWEY7A#messages-20181021
https://www.icloud.com/iclouddrive/0bJ0v_gPyfXZiAaQ9OcXMCUsw#messages-20181028
https://www.icloud.com/iclouddrive/0FfMv7ec0NeQGnNV4Br1nxRzg#messages-20181014
https://www.icloud.com/iclouddrive/0HRmk1RSXnIg3Dyi1rotbrp-g#messages-20181007
https://www.icloud.com/iclouddrive/0JUCJICbA7MIRuKuz-WApXTAA#messages

Thanks a lot.

davidep · October 28, 2018, 9:22pm

Those are the archives of October… Do you still have the ones of August?

 /var/log/messages-201808*

Enrico · October 28, 2018, 11:05pm

Sorry Davide,
but (I don’t know why) I don’t have the August/September logs.

What do you advise in this case?

davidep · October 29, 2018, 9:32am

I’d try to reconfigure with authconfig. Please attach the output of

cat /etc/sysconfig/authconfig

And

authconfig --test

Enrico · October 29, 2018, 10:56am

This is authconfig:

[root@server ~]# cat /etc/sysconfig/authconfig
CACHECREDENTIALS=yes
FAILLOCKARGS=“deny=4 unlock_time=1200”
FORCELEGACY=no
FORCESMARTCARD=no
IPADOMAINJOINED=no
IPAV2NONTP=no
PASSWDALGORITHM=sha512
USEDB=no
USEECRYPTFS=no
USEFAILLOCK=no
USEFPRINTD=no
USEHESIOD=no
USEIPAV2=no
USEKERBEROS=no
USELDAP=no
USELDAPAUTH=no
USELOCAUTHORIZE=yes
USEMKHOMEDIR=no
USENIS=no
USEPAMACCESS=no
USEPASSWDQC=no
USEPWQUALITY=yes
USESHADOW=yes
USESMARTCARD=no
USESSSD=yes
USESSSDAUTH=no
USESYSNETAUTH=no
USEWINBIND=no
USEWINBINDAUTH=no
WINBINDKRB5=no

And this is authconfig --test:

[root@server ~]# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = “”
hesiod RHS = “”
nss_ldap is disabled
LDAP+TLS is disabled
LDAP server = “”
LDAP base DN = “”
nss_nis is disabled
NIS server = “”
NIS domain = “”
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = “DOMAIN”
SMB servers = “nsdc-server.ad.domain.ext”
SMB security = “ADS”
SMB realm = “AD.DOMAIN.EXT”
Winbind template shell = “/bin/false”
SMB idmap range = “16777216-33554431”
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
myhostname is enabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is sha512
pam_krb5 is disabled
krb5 realm = “AD.DOMAIN.EXT”
krb5 realm via dns is enabled
krb5 kdc = “”
krb5 kdc via dns is enabled
krb5 admin server = “”
pam_ldap is disabled
LDAP+TLS is disabled
LDAP server = “”
LDAP base DN = “”
LDAP schema = “rfc2307”
pam_pkcs11 is disabled
SSSD smartcard support is disabled
use only smartcard for login is disabled
smartcard module = “”
smartcard removal action = “”
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
SMB workgroup = “DOMAIN”
SMB servers = “nsdc-server.ad.domain.ext”
SMB security = “ADS”
SMB realm = “AD.DOMAIN.EXT”
pam_sss is disabled by default
credential caching in SSSD is enabled
SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
IPAv2 server = “”
IPAv2 realm = “”
IPAv2 domain = “”
pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_faillock is disabled (deny=4 unlock_time=1200)
pam_mkhomedir or pam_oddjob_mkhomedir is disabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled

davidep · October 29, 2018, 5:27pm

Mine is different. Here’re the differences:

--- authconfig.enrico	2018-10-29 18:23:30.071261853 +0100
+++ /etc/sysconfig/authconfig	2017-05-05 13:07:11.230456112 +0200
@@ -1,5 +1,4 @@
 CACHECREDENTIALS=yes
-FAILLOCKARGS=“deny=4 unlock_time=1200”
 FORCELEGACY=no
 FORCESMARTCARD=no
 IPADOMAINJOINED=no
@@ -7,7 +6,6 @@
 PASSWDALGORITHM=sha512
 USEDB=no
 USEECRYPTFS=no
-USEFAILLOCK=no
 USEFPRINTD=no
 USEHESIOD=no
 USEIPAV2=no
@@ -15,7 +13,7 @@
 USELDAP=no
 USELDAPAUTH=no
 USELOCAUTHORIZE=yes
-USEMKHOMEDIR=no
+USEMKHOMEDIR=yes
 USENIS=no
 USEPAMACCESS=no
 USEPASSWDQC=no
@@ -23,7 +21,7 @@
 USESHADOW=yes
 USESMARTCARD=no
 USESSSD=yes
-USESSSDAUTH=no
+USESSSDAUTH=yes
 USESYSNETAUTH=no
 USEWINBIND=no
 USEWINBINDAUTH=no

You can create a backup of current authconfig settings with authconfig --savebackup. See man authconfig for details.

Please check if you have any other backup:

find /var/lib/authconfig

Once you prepared the backup we can try to apply a new configuration.

Enrico · October 29, 2018, 5:51pm

I’m ready. No other backup of authconfig was present.

[root@server ~]# authconfig --savebackup 29ottobre

[root@server ~]# ls /var/lib/authconfig/backup-29ottobre/
authconfig krb5.conf openldap.conf shadow
cacheenabled.conf libuser.conf passwd smartcard-auth-ac
fingerprint-auth-ac login.defs password-auth-ac smb.conf
group network postlogin-ac sssd.conf
gshadow nsswitch.conf pwquality.conf system-auth-ac

Enrico · October 29, 2018, 9:56pm

Now how should I proceed?

davidep · October 30, 2018, 8:03am

This is the command I found in my /var/log/messages. It is invoked by realmd during the accounts provider installation

/usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service

Before executing it open a spare shell to prevent being locked out of your system!

Enrico · October 30, 2018, 9:12am

Have I to modify my authconfig files as your one?
I only made a backup of authconfig, I have not modified anything yet

davidep · October 30, 2018, 9:15am

No, just execute that command! Then you could compare the files to see what it did…

Enrico · October 30, 2018, 1:03pm

I think we’re in right way.
After your command, my /etc/sysconfig/authconfig is

[root@server ~]# cat /etc/sysconfig/authconfig
CACHECREDENTIALS=yes
FAILLOCKARGS=“deny=4 unlock_time=1200”
FORCELEGACY=no
FORCESMARTCARD=no
IPADOMAINJOINED=no
IPAV2NONTP=no
PASSWDALGORITHM=sha512
USEDB=no
USEECRYPTFS=no
USEFAILLOCK=no
USEFPRINTD=no
USEHESIOD=no
USEIPAV2=no
USEKERBEROS=no
USELDAP=no
USELDAPAUTH=no
USELOCAUTHORIZE=yes
USEMKHOMEDIR=yes
USENIS=no
USEPAMACCESS=no
USEPASSWDQC=no
USEPWQUALITY=yes
USESHADOW=yes
USESMARTCAR=no
USESSSD=yes
USESSSDAUTH=yes
USESYSNETAUTH=no
USEWINBIND=no
USEWINBINDAUTH=no
WINBINDKRB5=no

And it seems like your!
…and now?

Enrico · October 30, 2018, 1:06pm

Now I can access in eJabberd admin webpage and in pidgin like jabber client! Yesss!!!
Have I to save something?

davidep · October 30, 2018, 1:23pm

It’s all ok: authconfig writes the required config files.

I didn’t understand why it failed.

Please, make sure the configuration survives after rebooting the system.

Enrico · October 30, 2018, 1:53pm

Ok, at this time I can’t reboot the server, but I can do it tomorrow morning!

Enrico · October 30, 2018, 3:55pm

I restarted the server, and the configuration survives after rebooting!
Thanks a lot Davide! I owe you a beer!!!

davidep · October 30, 2018, 5:42pm

You’re welcome!

Please set the solution