Hi,

We are having some trouble authenticating users via SSSD. The server has an established JOIN with the DC and we are able to use “id” and “getent passwd” without any issues. But authentication fails with the following messages:

 

Jul 12 08:38:19 hostname sshd[25967]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhost.x.y.local user=first.last
Jul 12 08:38:19 hostname sshd[25967]: pam_sss(sshd:auth): received for user first.last: 4 (System error)
Jul 12 08:38:21 hostname sshd[25963]: error: PAM: Permission denied for first.last from rhost.x.y.local

Under krb5_child.log, we see the following even though the user is a member of one of the groups added under “ad_access_filter”:

(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last\@COMPANY.COM@X.Y.LOCAL] might not be correct.
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_child_krb5_trace_cb] (0x4000): [25625] 1499864410.696457: Destroying ccache MEMORY:rd_req2
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_233006683_XXXXXX]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal first.last@X.Y.LOCAL in cache collection]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [k5c_send_data] (0x0200): Received error code 1432158209

[root@hostname sssd]# net ads testjoin
Join is OK

[root@hostname sssd]# net ads info
LDAP server: X.X.90.128
LDAP server name: AD-Server.x.y.local
Realm: X.Y.LOCAL
Bind Path: dc=X,dc=Y,dc=LOCAL
LDAP port: 389
Server time: Wed, 12 Jul 2017 09:03:08 CDT
KDC server: X.X.90.128
Server time offset: 0
Last machine account password change: Wed, 12 Jul 2017 07:41:59 CDT

SSSD Configuration:

[sssd]
domains = X.Y.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 0

[nss]

[pam]

[sudo]
debug_level=2

[domain/x.y.local]
debug_level=2
ad_server = AD-Server.x.y.local
auth_provider = ad
access_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = true
krb5_realm = X.Y.LOCAL
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ad_access_filter = …….
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
ldap_schema = ad

Attached are sssd_x.y.local, krb5_child.log & ldap_child.log (level 10).

Also tried with ad_gpo_access_control = permissive & access_provider = permit but that didn’t allow auth either.

Any suggestions are highly appreciated.

Thanks in advance,

~ Abhi
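Added example, not part of Abhi's message and not SSSD's own code: a small Python parser for the krb5_child.log line format quoted above. It keeps only entries written at SSSD's failure debug levels (0x0010, 0x0020, 0x0040) and pulls out the "[code][text]" pairs, so the create_ccache EACCES (errno 13) on the FILE: ccache path stands out from the surrounding trace output. The sample log is constructed from the post's own excerpt; the function and class names are mine.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Sample input, constructed from the krb5_child.log excerpt in the post above.
SAMPLE_LOG = r"""
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last\@COMPANY.COM@X.Y.LOCAL] might not be correct.
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_233006683_XXXXXX]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal first.last@X.Y.LOCAL in cache collection]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1]
""".strip()
# Line shape: "(timestamp) [[sssd[process[pid]]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[(?P<proc>[^\[]+)\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# "[code][text]" pairs as SSSD prints them, e.g. "[13][Permission denied]"
CODE_RE = re.compile(r"\[(-?\d+)\]\[([^\]]+)\]")
# SSSD levels 0x0010 fatal, 0x0020 critical, 0x0040 serious; higher bits are trace output.
FAILURE_MASK = 0x0070


@dataclass
class Entry:
    func: str
    level: int
    msg: str
    codes: List[Tuple[int, str]]  # (numeric code, text) pairs found in msg


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line)
    if not m:
        return None
    codes = [(int(c), t) for c, t in CODE_RE.findall(m["msg"])]
    return Entry(m["func"], int(m["level"], 16), m["msg"], codes)


def failures(log: str) -> List[Entry]:
    """Entries logged at a failure level, in order, with trace noise dropped."""
    entries = (parse_line(line) for line in log.splitlines())
    return [e for e in entries if e is not None and e.level & FAILURE_MASK]


def first_errno(log: str) -> Optional[Tuple[str, int, str]]:
    """(function, errno, text) of the first failure that carries a plain OS errno."""
    for e in failures(log):
        for code, text in e.codes:
            if 0 < code < 256 and os.strerror(code) == text:
                return (e.func, code, text)
    return None
```

Run against a full level-10 krb5_child.log, `first_errno` points at the earliest OS-level error (here the ccache creation) rather than the Kerberos library code that is reported afterwards.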