Hi Jakub,
ldap_id_mapping was set to "false" on this server. Once I set it to "true", both id and getent started working. But the user authentication via SSH still does not go through.
We see the following in SSSD logs (debug level set to 5):
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=first.last]
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://RODC.x.y.local:3268'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/server_hostname.x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [17466] finished successfully.
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'RODC.x.y.local' as 'working'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [set_server_common_status] (0x0100): Marking server 'RODC.x.y.local' as 'working'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0080): Domain not found for SID S-1-5-21-<....ID....>
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): domain: x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): user: first.last
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): service: sshd
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): tty: ssh
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): ruser:
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): rhost: remote_host.x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): authtok type: 1
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): priv: 1
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): cli_pid: 17465
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): logon name: not set
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [krb5_auth_send] (0x0100): Home directory for user [first.last] not known.
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Sending result [4][x.y.local]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Sent result [4][x.y.local]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [17467] finished successfully.
And the following under /var/log/secure
Feb 20 11:15:30 hostname sshd[17499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local user=first.last
Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local user=first.last
Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): received for user first.last: 4 (System error)
Feb 20 11:15:37 hostname sshd[17496]: error: PAM: Authentication failure for first.last from remote_host.x.y.local
Under krb5_child.log:
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer] (0x0100): cmd [241] uid [xxxxxxxx] gid [yyyyyyyy] validate [true] enterprise principal [true] offline [false] UPN [first.last@COMPANY.COM]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:xxxxxxxx] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [check_use_fast] (0x0100): Not using FAST.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [become_user] (0x0200): Trying to become user [xxxxxxxx][yyyyyyyy].
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last\@COMPANY.COM@x.y.local] might not be correct.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [k5c_send_data] (0x0200): Received error code 1432158209
Config for password-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so
auth required pam_deny.so
Many Thanks,
~ Abhi
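Added example (not part of the mail above, and not sssd project code): a small triage script for log excerpts like the ones quoted in this thread. It parses the sssd line format `(timestamp) [process] [function] (0xLEVEL): message`, keeps only the entries logged at a failure level, and decodes the PAM status the backend returns (`Backend returned: (0, 4, ...)`, the same 4 that /var/log/secure shows as "System error"). Run over the lines above it surfaces the `create_ccache` Permission denied and the PAC responder socket failures while dropping the trace noise. The level names follow the bit masks in sssd's util/debug.h and the PAM codes are Linux-PAM's; the sample log is constructed from the redacted excerpts in this message.

```python
import re

# Constructed sample: a handful of lines trimmed from the domain log and
# krb5_child.log excerpts quoted in the mail above (IDs already redacted there).
SAMPLE_LOG = """\
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0080): Domain not found for SID S-1-5-21-<....ID....>
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [k5c_send_data] (0x0200): Received error code 1432158209
"""

# Debug level bit masks and their names as defined in sssd's util/debug.h.
# Lower masks are more severe: 0x0020 is a critical failure, 0x0080 a minor one.
LEVEL_NAMES = {
    0x0010: "FATAL_FAILURE",
    0x0020: "CRIT_FAILURE",
    0x0040: "OP_FAILURE",
    0x0080: "MINOR_FAILURE",
    0x0100: "CONF_SETTINGS",
    0x0200: "FUNC_DATA",
    0x0400: "TRACE_FUNC",
    0x1000: "TRACE_LIBS",
    0x2000: "TRACE_INTERNAL",
    0x4000: "TRACE_ALL",
}

# Linux-PAM return codes; the second field of "Backend returned: (0, N, ...)"
# is the PAM status that pam_sss later reports to sshd.
PAM_CODES = {
    0: "PAM_SUCCESS",
    4: "PAM_SYSTEM_ERR",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
}

# "(ts) [proc] [func] (0xLEVEL): msg"; proc may carry nested brackets such as
# [sssd[be[x.y.local]]] or [[sssd[krb5_child[17566]]]], hence the lazy match.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) (?P<proc>\[.*?\]) \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
BACKEND_RE = re.compile(r"Backend returned: \(\d+, (?P<pam>\d+),")


def parse_line(line):
    """Split one sssd log line into its fields; return None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    level = int(m.group("level"), 16)
    return {
        "ts": m.group("ts"),
        "proc": m.group("proc"),
        "func": m.group("func"),
        "level": level,
        "level_name": LEVEL_NAMES.get(level, "UNKNOWN"),
        "msg": m.group("msg"),
    }


def triage(log_text, max_level=0x0080):
    """Return the parsed entries logged at a failure level (mask <= max_level)."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e["level"] <= max_level]


def backend_pam_results(log_text):
    """Decode every PAM status the backend handed back, as (code, name) pairs."""
    results = []
    for entry in (parse_line(line) for line in log_text.splitlines()):
        if entry is None:
            continue
        m = BACKEND_RE.search(entry["msg"])
        if m:
            code = int(m.group("pam"))
            results.append((code, PAM_CODES.get(code, "UNKNOWN")))
    return results


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f'{e["ts"]}  {e["level_name"]:14} {e["func"]}: {e["msg"]}')
    for code, name in backend_pam_results(SAMPLE_LOG):
        print(f"backend PAM result: {code} ({name})")
```

Feeding a full `sssd_<domain>.log` and `krb5_child.log` through `triage` (raise `max_level` to 0x0040 to keep only operation and critical failures) gives the short list of lines worth chasing first; on the excerpt above that list is the failed PAC request and the `create_ccache` EACCES from the krb5_child, which is what the backend turns into PAM status 4.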