Ocserv+2FA = Cannot get stat of SSSD socket

Description of problem:

Hello, we use ocserv with LDAP authorization. Now I am trying to activate 2FA with google_authenticator and have a problem. With google_auth enabled in /etc/pam.d/ocserv, 2FA works well, but after a random period of time ocserv starts to fail sss_pam auth with the error "Request to sssd failed. Cannot get stat of SSSD socket". Restarting ocserv helps, but the problem appears again soon.

Version of ocserv used:

ocserv 1.1.6
Compiled with: seccomp, oath, radius, gssapi, PAM, PKCS#11, AnyConnect
GnuTLS version: 3.7.7 (compiled with 3.6.15)

Client used:

Cisco AnyConnect v4.9.04043

Distributor of ocserv:

ALT Linux c9f1

How reproducible:

journalctl -u ocserv

Apr 10 09:25:41 server ocserv[1138682]: ocserv[1138682]: worker: 142.250.184.206 User-agent: 'AnyConnect Windows 4.9.04043'
Apr 10 09:25:41 server ocserv[1138682]: ocserv[1138682]: worker: 142.250.184.206 Detected Cisco AnyConnect
Apr 10 09:25:41 server ocserv[1138682]: ocserv[1138682]: worker[vpnuser]: 142.250.184.206 sending message 'sm: auth init' to secmod
Apr 10 09:25:41 server ocserv[1138682]: worker: 142.250.184.206 User-agent: 'AnyConnect Windows 4.9.04043'
Apr 10 09:25:41 server ocserv[1138682]: worker: 142.250.184.206 Detected Cisco AnyConnect
Apr 10 09:25:41 server ocserv[1138682]: worker[vpnuser]: 142.250.184.206 sending message 'sm: auth init' to secmod
Apr 10 09:25:41 server [1134709]: sec-mod: received request from pid 1138682 and uid 484
Apr 10 09:25:41 server [1134709]: sec-mod: cmd [size=116] sm: auth init
Apr 10 09:25:41 server [1134709]: sec-mod: sec-mod instance 0 issue cookie
Apr 10 09:25:41 server [1134709]: sec-mod: using 'pam' authentication to authenticate user (session: ddJijq)
Apr 10 09:25:41 server [1134709]: sec-mod: auth init for user 'vpnuser' (session: ddJijq) of group: '' from '142.250.184.206'
Apr 10 09:25:41 server [1134709]: PAM-auth conv: echo-off, msg: 'Verification code: '
Apr 10 09:25:41 server ocserv[1138682]: worker[vpnuser]: 142.250.184.206 received auth reply message (value: 2)
Apr 10 09:25:41 server ocserv[1138682]: ocserv[1138682]: worker[vpnuser]: 142.250.184.206 received auth reply message (value: 2)
Apr 10 09:25:41 server ocserv[1138682]: ocserv[1138682]: worker[vpnuser]: 142.250.184.206 continuing authentication for 'vpnuser'
Apr 10 09:25:41 server ocserv[1138682]: worker[vpnuser]: 142.250.184.206 continuing authentication for 'vpnuser'
Apr 10 09:25:45 server ocserv[1138682]: ocserv[1138682]: worker[vpnuser]: 142.250.184.206 User-agent: 'AnyConnect Windows 4.9.04043'
Apr 10 09:25:45 server ocserv[1138682]: ocserv[1138682]: worker[vpnuser]: 142.250.184.206 Detected Cisco AnyConnect
Apr 10 09:25:45 server ocserv[1138682]: ocserv[1138682]: worker[vpnuser]: 142.250.184.206 sending message 'sm: auth cont' to secmod
Apr 10 09:25:45 server ocserv[1138682]: worker[vpnuser]: 142.250.184.206 User-agent: 'AnyConnect Windows 4.9.04043'
Apr 10 09:25:45 server ocserv[1138682]: worker[vpnuser]: 142.250.184.206 Detected Cisco AnyConnect
Apr 10 09:25:45 server ocserv[1138682]: worker[vpnuser]: 142.250.184.206 sending message 'sm: auth cont' to secmod
Apr 10 09:25:45 server [1134709]: sec-mod: received request from pid 1138682 and uid 484
Apr 10 09:25:45 server [1134709]: sec-mod: cmd [size=58] sm: auth cont
Apr 10 09:25:45 server [1134709]: sec-mod: auth cont for user 'vpnuser' (session: ddJijq)
**Apr 10 09:25:45 server [1134709]: pam_sss(ocserv:auth): Request to sssd failed. Cannot get stat of SSSD socket.**
Apr 10 09:25:45 server [1134709]: PAM-auth conv: echo-off, msg: 'Password: '
Apr 10 09:25:45 server ocserv[1138682]: ocserv[1138682]: worker[vpnuser]: 142.250.184.206 received auth reply message (value: 2)
Apr 10 09:25:45 server ocserv[1138682]: ocserv[1138682]: worker[vpnuser]: 142.250.184.206 continuing authentication for 'vpnuser'
Apr 10 09:25:45 server ocserv[1138682]: worker[vpnuser]: 142.250.184.206 received auth reply message (value: 2)
Apr 10 09:25:45 server ocserv[1138682]: worker[vpnuser]: 142.250.184.206 continuing authentication for 'vpnuser'
Apr 10 09:25:49 server ocserv[1138682]: ocserv[1138682]: worker[vpnuser]: 142.250.184.206 User-agent: 'AnyConnect Windows 4.9.04043'
Apr 10 09:25:49 server ocserv[1138682]: ocserv[1138682]: worker[vpnuser]: 142.250.184.206 Detected Cisco AnyConnect
Apr 10 09:25:49 server ocserv[1138682]: ocserv[1138682]: worker[vpnuser]: 142.250.184.206 sending message 'sm: auth cont' to secmod
Apr 10 09:25:49 server ocserv[1138682]: worker[vpnuser]: 142.250.184.206 User-agent: 'AnyConnect Windows 4.9.04043'
Apr 10 09:25:49 server ocserv[1138682]: ocserv[1138682]: worker[vpnuser]: 142.250.184.206 received auth reply message (value: 3)
Apr 10 09:25:49 server ocserv[1138682]: ocserv[1138682]: worker[vpnuser]: 142.250.184.206 worker-auth.c:1725: failed authentication for 'vpnuser'
Apr 10 09:25:49 server ocserv[1138682]: worker[vpnuser]: 142.250.184.206 Detected Cisco AnyConnect
Apr 10 09:25:49 server ocserv[1134707]: ocserv[1134707]: main:142.250.184.206:56555 worker terminated
Apr 10 09:25:49 server ocserv[1134707]: ocserv[1134707]: main:142.250.184.206:56555 user disconnected (reason: unspecified, rx: 0, tx: 0)
Apr 10 09:25:49 server ocserv[1134707]: ocserv[1134707]: main: main received message 'sm: ban IP' from sec-mod of 52 bytes
Apr 10 09:25:49 server ocserv[1134707]: ocserv[1134707]: main: added 10 points (total 43) for IP '142.250.184.206' to ban list
Apr 10 09:25:49 server ocserv[1138682]: worker[vpnuser]: 142.250.184.206 sending message 'sm: auth cont' to secmod
Apr 10 09:25:49 server [1134709]: sec-mod: received request from pid 1138682 and uid 484
Apr 10 09:25:49 server [1134709]: sec-mod: cmd [size=65] sm: auth cont
Apr 10 09:25:49 server [1134709]: sec-mod: auth cont for user 'vpnuser' (session: ddJijq)
**Apr 10 09:25:49 server [1134709]: pam_sss(ocserv:auth): Request to sssd failed. Cannot get stat of SSSD socket.**
**Apr 10 09:25:49 server [1134709]: PAM authenticate error for 'vpnuser': Authentication service cannot retrieve authentication info**
**Apr 10 09:25:49 server [1134709]: PAM-auth pam_auth_pass: Authentication service cannot retrieve authentication info**
**Apr 10 09:25:49 server [1134709]: sec-mod: error in password given in auth cont for user 'vpnuser' (session: ddJijq)**

```
# cat /etc/pam.d/ocserv
#%PAM-1.0
auth            required        pam_google_authenticator.so
auth            required        pam_access.so accessfile=/etc/ocserv/deniedusers
auth            include         system-auth
account         required        pam_nologin.so
account         include         system-auth
session         include         system-auth
```

```
# cat /etc/ocserv/ocserv.conf | grep auth
auth = "pam"
...
```

SSSD looks fine and restarting the sssd service doesn't solve the problem. Only "systemctl restart ocserv" helps.
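The journal above shows the operational consequence of this failure: when pam_sss cannot reach sssd, sec-mod reports a password error and main adds ban points for the client IP, so an SSSD connectivity fault inside ocserv ends up as a lockout of a legitimate 2FA user. The following is an added example (not the reporter's or ocserv's own code) that parses those journal lines to separate pam_sss/SSSD failures from genuine bad-password events, and checks the SSSD PAM responder socket the way pam_sss needs it; the socket path /var/lib/sss/pipes/pam is an assumption about SSSD's default layout, not something taken from this report.

```python
import os
import re
import stat

# Constructed sample: the lines below are copied from the journal excerpt in this report.
SAMPLE_JOURNAL = """\
Apr 10 09:25:45 server [1134709]: sec-mod: auth cont for user 'vpnuser' (session: ddJijq)
Apr 10 09:25:45 server [1134709]: pam_sss(ocserv:auth): Request to sssd failed. Cannot get stat of SSSD socket.
Apr 10 09:25:49 server [1134709]: sec-mod: auth cont for user 'vpnuser' (session: ddJijq)
Apr 10 09:25:49 server [1134709]: pam_sss(ocserv:auth): Request to sssd failed. Cannot get stat of SSSD socket.
Apr 10 09:25:49 server [1134709]: PAM authenticate error for 'vpnuser': Authentication service cannot retrieve authentication info
Apr 10 09:25:49 server ocserv[1134707]: ocserv[1134707]: main: added 10 points (total 43) for IP '142.250.184.206' to ban list
"""

AUTH_CONT = re.compile(r"sec-mod: auth cont for user '(?P<user>[^']+)' \(session: (?P<session>\w+)\)")
SSSD_FAIL = re.compile(r"pam_sss\(ocserv:auth\): Request to sssd failed\. (?P<reason>.*)$")
BAN_POINTS = re.compile(r"added (?P<points>\d+) points \(total (?P<total>\d+)\) for IP '(?P<ip>[^']+)' to ban list")

def analyse_journal(text):
    """Summarise pam_sss/SSSD failures and the ocserv ban-list points they trigger.

    sec-mod logs 'auth cont' for a session right before it calls into PAM, so a
    pam_sss failure that follows is attributed to that user and session.
    """
    current = {"user": None, "session": None}
    failures, bans = [], []
    for line in text.splitlines():
        if (m := AUTH_CONT.search(line)):
            current = {"user": m["user"], "session": m["session"]}
        elif (m := SSSD_FAIL.search(line)):
            failures.append({**current, "reason": m["reason"].rstrip(".")})
        elif (m := BAN_POINTS.search(line)):
            bans.append({"ip": m["ip"], "points": int(m["points"]), "total": int(m["total"])})
    return {
        "sssd_failures": failures,
        "ban_events": bans,
        "users_affected": sorted({f["user"] for f in failures if f["user"]}),
        # Ban points accrued while sssd was unreachable reflect an infrastructure fault,
        # not a credential-guessing client; flag that so an operator can clear the ban.
        "lockout_risk": bool(failures) and bool(bans),
    }

def sssd_pam_socket_ok(path="/var/lib/sss/pipes/pam"):
    """True if the SSSD PAM responder socket exists, is a UNIX socket and can be
    stat()-ed by this process (the default path is an assumption, see lead-in)."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False

if __name__ == "__main__":
    print(analyse_journal(SAMPLE_JOURNAL))
    print("sssd pam socket reachable:", sssd_pam_socket_ok())
```

Run the socket check from the same user and isolation context as sec-mod (uid 484 in the log above), since a socket that is visible to root but not to the sec-mod process would give exactly this symptom.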

Edited by plakun