Thanks Sumit and Jakub!
I looked up the link Jakub provided and found:
I'm receiving Access denied for user $user: 6 (Permission denied)
Authentication went fine, but the user was denied access to the client
machine. You can temporarily disable access control by setting
access_provider=permit.
Don't forget to reset the access provider to a stricter setting after
finding out the root cause!
If disabling access control doesn't help, the account might be locked on
the server side. Check the SSSD domain logs to find out more.
So, as mentioned, I'll set "access_provider=permit" and give that a
try!
*I'm sure I'll be following up with log files.
Thanks for the prompt reply!!!!
Sterling
------ Original Message ------
From: "Sumit Bose" <sbose(a)redhat.com>
To: "Sterling Sahaydak" <sterling.sahaydak(a)pi-coral.com>; "End-user
discussions about the System Security Services Daemon"
<sssd-users(a)lists.fedorahosted.org>
Sent: 4/28/2015 12:03:29 PM
Subject: Re: [SSSD-users] SSH - sssd: PAM: do_pam_account pam_acct_mgmt
= 6 (Permission denied)
On Tue, Apr 28, 2015 at 03:11:09PM +0000, Sterling Sahaydak wrote:
> I'm set up on CentOS 6.6 with sssd 1.11.6, using openldap and an openldap
> proxy to Active Directory.
>
> I have working getent passwd <username> and getent group <group
>name>, id
> <username> etc. not a problem.
>
> So, trying to get ssh to work as well.
>
>
> *** I keep running in the issue:
>
> "PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)"
>
> and I'm unclear on how to resolve this!
>
> I've listed below:
>
> *sssd.conf
> *password-auth-ac
> *sshd
> *sshd log
>
>
>
> Any help/suggestions are GREATLY appreciated!!!
>
> Sterling
>
>
> sssd.conf:
>
> [root@ldap sssd]# cat sssd.conf
> [domain/default]
>
> ldap_id_use_start_tls = True
> cache_credentials = True
> ldap_search_base = dc=example,dc=com
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri =
ldaps://ldap.va.example.com
> ldap_tls_cacertdir = /etc/pki/tls/certs
>
> [sssd]
> config_file_version = 2
> services = nss, pam, sudo
> domains = LDAP
>
> [nss]
> filter_users = root
> filter_groups = root
>
> [pam]
>
> [sudo]
>
>
> [domain/LDAP]
> access_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> id_provider = ldap
> sudo_provider = ldap
> debug_level = 9
> cache_credentials = true
> enumerate = false
>
>
> ldap_uri =
ldaps://ad-va.ad.example.com
> ldap_default_bind_dn =
> cn=accessacct,ou=serviceaccounts,ou=example,dc=ad,dc=example,dc=com
> ldap_default_authtok_type = password
> ldap_default_authtok = <password here!>
>
>
> ldap_access_filter = ou=example,dc=ad,dc=example,dc=com
Please check the ldap_access_filter entry in the sssd-ldap man page. The
value of the option is put into an LDAP search filter, but what you have
given is an LDAP DN (a filter would look like (memberOf=<group DN>), for
example, and only users matching it are allowed in). I would suggest trying
access_provider = permit
first, which always allows access, and then try to restrict access with a
different access provider. Besides the LDAP access provider you might
want to consider the simple access provider for a start as well.
That said, log files, as Jakub already mentioned, are always useful for
pinning down your issue more closely.
HTH
bye,
Sumit
> ldap_search_base = dc=ad,dc=example,dc=com
>
> ldap_schema = rfc2307bis
>
> ldap_user_principal = userPrincipalName
> ldap_user_fullname = displayName
> ldap_user_name = sAMAccountName
> ldap_user_object_class = user
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_shell = loginShell
> ldap_user_uid_number = uidNumber
> ldap_user_objectsid = objectSid
>
> ldap_group_object_class = group
> ldap_group_objectsid = objectSid
> ldap_group_member = member
>
> ldap_sudo_search_base = ou=sudoers,dc=ad,dc=example,dc=com
>
>
> ldap_tls_cacert = /etc/pki/tls/certs/certificatename.crt
>
>
> [root@ldap pam.d]# cat password-auth-ac
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so sha512 shadow nullok
>try_first_pass
> use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_mkhomedir.so umask=0022 skel=/etc/skel/
> session [success=1 default=ignore] pam_succeed_if.so service in
>crond
> quiet use_uid
> session optional pam_sss.so
> session required pam_unix.so
>
>
>
> [root@ldap pam.d]# cat sshd
> #%PAM-1.0
> auth required pam_sepermit.so
> auth include password-auth
> account required pam_nologin.so
> account include password-auth
> password include password-auth
> session required pam_selinux.so close
> session required pam_loginuid.so
> session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
> session required pam_selinux.so open env_params
> session optional pam_keyinit.so force revoke
> session include password-auth
>
>
> Here is my log:
>
> [root@ldap ~]# /usr/sbin/sshd -D -ddd
> debug2: load_server_config: filename /etc/ssh/sshd_config
> debug2: load_server_config: done config len = 602
> debug2: parse_server_config: config /etc/ssh/sshd_config len 602
> debug3: /etc/ssh/sshd_config:21 setting Protocol 2
> debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTHPRIV
> debug3: /etc/ssh/sshd_config:43 setting PermitRootLogin
>without-password
> debug3: /etc/ssh/sshd_config:65 setting PasswordAuthentication yes
> debug3: /etc/ssh/sshd_config:71 setting
>ChallengeResponseAuthentication no
> debug3: /etc/ssh/sshd_config:74 setting KerberosAuthentication no
> debug3: /etc/ssh/sshd_config:81 setting GSSAPIAuthentication no
> debug3: /etc/ssh/sshd_config:98 setting UsePAM yes
> debug3: /etc/ssh/sshd_config:101 setting AcceptEnv LANG LC_CTYPE
>LC_NUMERIC
> LC_TIME LC_COLLATE LC_MONETARY LC_MESSAG
> debug3: /etc/ssh/sshd_config:102 setting AcceptEnv LC_PAPER LC_NAME
> LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> debug3: /etc/ssh/sshd_config:103 setting AcceptEnv LC_IDENTIFICATION
>LC_ALL
> LANGUAGE
> debug3: /etc/ssh/sshd_config:104 setting AcceptEnv XMODIFIERS
> debug3: /etc/ssh/sshd_config:109 setting X11Forwarding no
> debug3: /etc/ssh/sshd_config:133 setting Subsystem sftp
> /usr/libexec/openssh/sftp-server
> debug3: /etc/ssh/sshd_config:140 setting UseDNS no
> debug1: sshd version OpenSSH_5.3p1
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> debug1: rexec_argv[0]='/usr/sbin/sshd'
> debug1: rexec_argv[1]='-D'
> debug1: rexec_argv[2]='-ddd'
> debug3: oom_adjust_setup
> Set /proc/self/oom_score_adj from 0 to -1000
> debug2: fd 3 setting O_NONBLOCK
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug2: fd 4 setting O_NONBLOCK
> debug1: Bind to port 22 on ::.
> Server listening on :: port 22.
> debug3: fd 5 is not O_NONBLOCK
> debug1: Server will not fork when running in debugging mode.
> debug3: send_rexec_state: entering fd = 8 config len 602
> debug3: ssh_msg_send: type 0
> debug3: send_rexec_state: done
> debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
> debug1: inetd sockets after dupping: 3, 3
> Connection from 10.41.0.145 port 42145
> debug1: Client protocol version 2.0; client software version
>OpenSSH_5.3
> debug1: match: OpenSSH_5.3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.3
> debug2: fd 3 setting O_NONBLOCK
> debug2: Network child is on pid 28180
> debug3: preauth child monitor started
> debug3: mm_request_receive entering
> debug3: privsep user:group 74:74
> debug1: permanently_set_uid: 74/74
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug3: Wrote 840 bytes for a total of 861
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
>diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-gr
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
>aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c
> debug2: kex_parse_kexinit:
>aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c
> debug2: kex_parse_kexinit:
>hmac-md5,hmac-sha1,umac-64(a)openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri
> debug2: kex_parse_kexinit:
>hmac-md5,hmac-sha1,umac-64(a)openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri
> debug2: kex_parse_kexinit: none,zlib(a)openssh.com
> debug2: kex_parse_kexinit: none,zlib(a)openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
>diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-gr
> debug2: kex_parse_kexinit:
>ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00(a)openssh.com,ss
> debug2: kex_parse_kexinit:
>aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c
> debug2: kex_parse_kexinit:
>aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c
> debug2: kex_parse_kexinit:
>hmac-md5,hmac-sha1,umac-64(a)openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri
> debug2: kex_parse_kexinit:
>hmac-md5,hmac-sha1,umac-64(a)openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri
> debug2: kex_parse_kexinit: none,zlib(a)openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib(a)openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug3: mm_request_send entering: type 78
> debug3: monitor_read: checking request 78
> debug3: mm_request_send entering: type 79
> debug3: mm_request_receive entering
> debug3: mm_request_receive_expect entering: type 79
> debug3: mm_request_receive entering
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug3: mm_request_send entering: type 78
> debug3: monitor_read: checking request 78
> debug3: mm_request_send entering: type 79
> debug3: mm_request_receive entering
> debug3: mm_request_receive_expect entering: type 79
> debug3: mm_request_receive entering
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug3: mm_request_send entering: type 0
> debug3: monitor_read: checking request 0
> debug3: mm_answer_moduli: got parameters: 1024 1024 8192
> debug3: mm_request_send entering: type 1
> debug2: monitor_read: 0 used once, disabling now
> debug3: mm_request_receive entering
> debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
> debug3: mm_request_receive_expect entering: type 1
> debug3: mm_request_receive entering
> debug3: mm_choose_dh: remaining 0
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug3: Wrote 152 bytes for a total of 1013
> debug2: dh_gen_key: priv key bits set: 137/256
> debug2: bits set: 484/1024
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug2: bits set: 518/1024
> debug3: mm_key_sign entering
> debug3: mm_request_send entering: type 5
> debug3: monitor_read: checking request 5
> debug3: mm_answer_sign
> debug3: mm_answer_sign: signature 0x7f74f925a0d0(271)
> debug3: mm_request_send entering: type 6
> debug2: monitor_read: 5 used once, disabling now
> debug3: mm_request_receive entering
> debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
> debug3: mm_request_receive_expect entering: type 6
> debug3: mm_request_receive entering
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug3: Wrote 720 bytes for a total of 1733
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug3: Wrote 48 bytes for a total of 1781
> debug1: userauth-request for user abrown service ssh-connection
>method none
> debug1: attempt 0 failures 0
> debug3: mm_getpwnamallow entering
> debug3: mm_request_send entering: type 7
> debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
> debug3: mm_request_receive_expect entering: type 8
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 7
> debug3: mm_answer_pwnamallow
> debug2: parse_server_config: config reprocess config len 602
> debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
> debug3: mm_request_send entering: type 8
> debug2: monitor_read: 7 used once, disabling now
> debug3: mm_request_receive entering
> debug2: input_userauth_request: setting up authctxt for abrown
> debug3: mm_start_pam entering
> debug3: mm_request_send entering: type 50
> debug3: mm_inform_authserv entering
> debug3: mm_request_send entering: type 3
> debug3: mm_inform_authrole entering
> debug3: mm_request_send entering: type 4
> debug2: input_userauth_request: try method none
> debug3: Wrote 64 bytes for a total of 1845
> debug3: monitor_read: checking request 50
> debug1: PAM: initializing for "abrown"
> debug1: PAM: setting PAM_RHOST to "10.41.0.145"
> debug1: PAM: setting PAM_TTY to "ssh"
> debug2: monitor_read: 50 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 3
> debug3: mm_answer_authserv: service=ssh-connection, style=
> debug2: monitor_read: 3 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 4
> debug3: mm_answer_authrole: role=
> debug2: monitor_read: 4 used once, disabling now
> debug3: mm_request_receive entering
> debug1: userauth-request for user abrown service ssh-connection
>method
> password
> debug1: attempt 1 failures 0
> debug2: input_userauth_request: try method password
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 11
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive_expect entering: type 12
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 11
> debug3: PAM: sshpam_passwd_conv called with 1 messages
> debug1: PAM: password authentication accepted for abrown
> debug3: mm_answer_authpassword: sending result 1
> debug3: mm_request_send entering: type 12
> debug3: mm_request_receive_expect entering: type 51
> debug3: mm_request_receive entering
> debug3: mm_auth_password: user authenticated
> debug3: mm_do_pam_account entering
> debug3: mm_request_send entering: type 51
> debug3: mm_request_receive_expect entering: type 52
> debug3: mm_request_receive entering
> debug1: do_pam_account: called
> debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
> debug3: mm_request_send entering: type 52
> Failed password for abrown from 10.41.0.145 port 42145 ssh2
> debug3: mm_do_pam_account returning 0
> Access denied for user abrown by PAM account configuration
> debug1: do_cleanup
> debug3: PAM: sshpam_thread_cleanup entering
> debug3: mm_request_send entering: type 80
> debug3: mm_request_receive_expect entering: type 81
> debug3: mm_request_receive entering
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 80
> debug3: mm_request_send entering: type 81
> debug3: mm_request_receive entering
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug3: PAM: sshpam_thread_cleanup entering
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
>
https://lists.fedorahosted.org/mailman/listinfo/sssd-users