Hi,
We are having some trouble authenticating users via SSSD. The server has an established join with the DC, and we are able to use "id" and "getent passwd" without any issues. But authentication fails with the following messages:
Jul 12 08:38:19 hostname sshd[25967]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhost.x.y.local user=first.last
Jul 12 08:38:19 hostname sshd[25967]: pam_sss(sshd:auth): received for user first.last: 4 (System error)
Jul 12 08:38:21 hostname sshd[25963]: error: PAM: Permission denied for first.last from rhost.x.y.local
In krb5_child.log we see the following, even though the user is a member of one of the groups added under "ad_access_filter":
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last\@COMPANY.COM@X.Y.LOCAL] might not be correct.
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_child_krb5_trace_cb] (0x4000): [25625] 1499864410.696457: Destroying ccache MEMORY:rd_req2
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_233006683_XXXXXX]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal first.last@X.Y.LOCAL in cache collection]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [k5c_send_data] (0x0200): Received error code 1432158209
[root@hostname sssd]# net ads testjoin
Join is OK
[root@hostname sssd]# net ads info
LDAP server: X.X.90.128
LDAP server name: AD-Server.x.y.local
Realm: X.Y.LOCAL
Bind Path: dc=X,dc=Y,dc=LOCAL
LDAP port: 389
Server time: Wed, 12 Jul 2017 09:03:08 CDT
KDC server: X.X.90.128
Server time offset: 0
Last machine account password change: Wed, 12 Jul 2017 07:41:59 CDT
SSSD Configuration:
[sssd]
domains = X.Y.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 0
[nss]
[pam]
[sudo]
debug_level=2
[domain/x.y.local]
debug_level=2
ad_server = AD-Server.x.y.local
auth_provider = ad
access_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = true
krb5_realm = X.Y.LOCAL
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ad_access_filter = …….
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
ldap_schema = ad
Attached are sssd_x.y.local, krb5_child.log & ldap_child.log (level 10)
We also tried with ad_gpo_access_control = permissive and access_provider = permit, but that didn't allow auth either.
Any suggestions are highly appreciated.
Thanks in advance,
~ Abhi
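Added example (not part of Abhi's message and not SSSD's own code): a small Python triage script that reads krb5_child.log lines like the ones quoted above and decodes the numeric codes they carry, which come from three different tables mixed together in that log. Small positive values are errno ([13] is EACCES, "Permission denied"). libkrb5 codes are offsets from KRB5KDC_ERR_NONE = -1765328384, so -1765328243 is offset 141, KRB5_CC_NOTFOUND, which matches the "Can't find client principal ... in cache collection" text. sssd's own codes are offsets from ERR_BASE = 0x555D0000 = 1432158208; com_err renders that table as "UUz" and prints "Unknown code UUz N" when the table is not loaded, so 1432158209 is ERR_BASE+1. The symbolic name for that sssd code is deliberately not hard-coded here (look it up in util_errors.h of the installed sssd version). The embedded sample is the post's own log excerpt re-joined onto single lines (constructed input), and the offset-to-name table covers only the libkrb5 offset that appears in it.

```python
"""Triage helper for SSSD krb5_child.log excerpts (added example, not SSSD code).

Codes in krb5_child.log come from three tables: small positive values are
errno; libkrb5 codes are offsets from KRB5KDC_ERR_NONE (-1765328384); sssd's
own codes are offsets from ERR_BASE (0x555D0000 = 1432158208), which com_err
prints as "Unknown code UUz N" when its table is not loaded.
"""
import os
import re
import sys
from typing import Dict, List, Optional

KRB5_ERR_BASE = -1765328384             # KRB5KDC_ERR_NONE, start of libkrb5's com_err table
SSSD_ERR_BASE = 0x555D0000              # ERR_BASE from sssd's util_errors.h
KRB5_NAMES = {141: "KRB5_CC_NOTFOUND"}  # only the libkrb5 offset that occurs in the post
FAILURE_MASK = 0x00F0                   # sssd debug bits 0x10..0x80: fatal/critical/serious/minor failure

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)
BRACKET_CODE_RE = re.compile(r"\[(-?\d+)\]")
TRAILING_CODE_RE = re.compile(r"error code (-?\d+)\s*$")
CCACHE_RE = re.compile(r"Location: \[(?P<type>[A-Z]+):(?P<path>[^\]]+)\]")

# Constructed sample: the post's krb5_child.log lines, re-joined onto single lines.
SAMPLE = r"""(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last\@COMPANY.COM@X.Y.LOCAL] might not be correct.
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_child_krb5_trace_cb] (0x4000): [25625] 1499864410.696457: Destroying ccache MEMORY:rd_req2
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_233006683_XXXXXX]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal first.last@X.Y.LOCAL in cache collection]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [k5c_send_data] (0x0200): Received error code 1432158209
"""


def decode_code(code: int) -> str:
    """Name the table a code belongs to and, where known, the symbol."""
    if code == -1:
        return "-1 (generic failure return)"
    if 0 < code < 256:
        return f"errno {code} ({os.strerror(code)})"
    if KRB5_ERR_BASE <= code < KRB5_ERR_BASE + 256:
        off = code - KRB5_ERR_BASE
        return f"libkrb5 {KRB5_NAMES.get(off, f'table offset {off}')}"
    if SSSD_ERR_BASE <= code < SSSD_ERR_BASE + 256:
        return f"sssd ERR_BASE+{code - SSSD_ERR_BASE}"  # symbol: util_errors.h of the installed version
    return f"unclassified {code}"


def parse_krb5_child(text: str) -> List[Dict]:
    """One record per krb5_child debug line, with every bracketed or trailing code decoded."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation or non-debug line
        msg = m["msg"]
        codes = [int(c) for c in BRACKET_CODE_RE.findall(msg)]
        tail = TRAILING_CODE_RE.search(msg)
        if tail:
            codes.append(int(tail.group(1)))
        level = int(m["level"], 16)
        events.append({
            "func": m["func"], "level": level, "msg": msg,
            "failure": bool(level & FAILURE_MASK),
            "codes": codes, "decoded": [decode_code(c) for c in codes],
        })
    return events


def failure_chain(events: List[Dict]) -> List[str]:
    """Functions that logged at a failure level, in log order."""
    return [ev["func"] for ev in events if ev["failure"]]


def ccache_location(events: List[Dict]) -> Optional[Dict[str, str]]:
    """Credential cache krb5_child chose (type, path, parent directory), if logged."""
    for ev in events:
        m = CCACHE_RE.search(ev["msg"])
        if m:
            return {"type": m["type"], "path": m["path"], "dir": os.path.dirname(m["path"])}
    return None


def describe_dir(path: str) -> Optional[str]:
    """Owner and mode of the directory a FILE: ccache would be created in, or None if missing.
    krb5_child normally drops to the user's uid (the number in krb5cc_<uid>_XXXXXX) before
    creating it, so compare against that uid; an SELinux denial also surfaces as EACCES."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return f"{path}: uid={st.st_uid} gid={st.st_gid} mode={oct(st.st_mode & 0o7777)}"


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    events = parse_krb5_child(text)
    print("failure chain:", " -> ".join(failure_chain(events)))
    for ev in events:
        if ev["codes"]:
            print(f"  {ev['func']:<36} {'; '.join(ev['decoded'])}")
    loc = ccache_location(events)
    if loc:
        print(f"ccache: {loc['type']}:{loc['path']}")
        print("ccache dir:", describe_dir(loc["dir"]) or f"{loc['dir']} does not exist")
```

Run it as "python3 triage.py /var/log/sssd/krb5_child.log" on the affected host; with no argument it parses the embedded sample. On the post's excerpt the failure chain is sss_send_pac -> validate_tgt -> create_ccache -> map_krb5_error, with create_ccache failing with errno 13 while writing FILE:/tmp/krb5cc_233006683_XXXXXX, which is why the script also prints the owner and mode of the target directory for comparison with that uid.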