I’ve been struggling to get SSH to work with an AD user for over 3 weeks now. I've scraped the bowels of the internet for answers, still no dice.

The issue is pretty simple in itself, I can’t SSH to a freeipa joined Centos client 7.3 with an AD user. However, kinit with any AD users as well as su works just fine. I’m running two 4.4.0 IPA servers.

I made sure the entire setup is resolving DNS properly, NTP(external to freeipa) is in sync. I’m using FQDN for hostnames.

Here’s the output from journalctl -f:

Jul 27 04:37:10 centos.ipa.ad.com sshd[2633]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 27 04:37:35 centos.ipa.ad.com su[2652]: (to admin@ad.com) root on pts/1
Jul 27 04:37:35 centos.ipa.ad.com su[2652]: pam_unix(su-l:session): session opened for user admin@ad.com by root(uid=0)
Jul 27 04:37:42 centos.ipa.ad.com su[2652]: pam_unix(su-l:session): session closed for user admin@ad.com
Jul 27 04:38:35 centos.ipa.ad.com sshd[2677]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruse  r= rhost=localhost user=admin@ad.com
Jul 27 04:38:35 centos.ipa.ad.com sshd[2677]: pam_sss(sshd:auth): received for user admin@ad.com: 6 (Permission denied)
Jul 27 04:38:35 centos.ipa.ad.com sshd[2674]: error: PAM: Authentication failure for admin@ad.com from localhost
Jul 27 04:38:38 centos.ipa.ad.com sshd[2674]: Connection closed by ::1 [preauth]

 

Config files:

/etc/krb5.conf

#File modified by ipa-client-install

includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IP.AD.COM  
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}
[realms]
  IP.AD.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt

  }

/etc/sssd/sssd.conf

[domain/ipa.ad.com]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.ad.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = centos.ipa.ad.com
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipaserver02.ipa.ad.com
dyndns_iface = ens192
ldap_tls_cacert = /etc/ipa/ca.crt[sssd]
services = nss, sudo, pam, ssh
debug_level = 9
domains = ipa.ad.com

[nss]
homedir_substring = /home 

[pam]
debug_level= 9

[sudo]

[autofs]

[ssh]
debug_level=9

[pac]

[ifp]

 

/etc/ssh/sshd_config

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PermitRootLogin yes
AuthorizedKeysFile      .ssh/authorized_keys
GSSAPICleanupCredentials no
X11Forwarding yes
UsePrivilegeSeparation sandbox          # Default for new installations.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem       sftp    /usr/libexec/openssh/sftp-server
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes
AuthorizedKeysCommandUser nobody

 
I uploaded krb5_child.log and ldap_child.log to https://1drv.ms/f/s!AlZwwyQE2ZZ5p2b5ROa15PBkAEQD