On Tue, Jan 31, 2017 at 08:12:05PM -0000, namanth(a)gmail.com wrote:
I am trying to diagnose a very weird problem. I have SSSD configured
to connect to my domain. I have this working.
I can log in with a bunch of accounts, but not all accounts.
For instance.
[root@bscacad3 sssd]# getent passwd andersnj01
andersnj01:*:1533736219:1533633217:andersnj01:/home/bsclogon.buffalostate...
Jan 31 14:44:20 bscacad3 sshd[3641]: Accepted password for andersnj01 from 136.183.201.231 port 58620 ssh2
This account (andersnj01) can connect. It is in the same domain security group as the
next one.
[root@bscacad3 sssd]# getent passwd kraatzn01
kraatzn01:*:1533844379:1533633217:kraatzn01:/home/bsclogon.buffalostate.e...
Jan 31 14:44:37 bscacad3 sshd[3687]: Failed password for kraatzn01 from 136.183.201.231 port 58624 ssh2
This account (kraatzn01) cannot log in. Again they are in the same security group.
Now to throw another layer on this. When I worked with this person directly and
connected on the machine they were using, I was able to log in with his user/pass one
time. As a matter of fact I could see that account was still logged in until I rebooted
the machine, however when I went back to my machine it would refuse the login.
IPTABLES ports are open. All accounts in one security group can log in, some accounts in
another security group cannot.
The auth line is:
ad_access_filter = (|(memberOf=CN=Linux_FacStaff,OU=Security Groups,DC=bsclogon,DC=buffalostate,DC=edu)(memberOf=CN=Linux_Student,OU=Security Groups,DC=bsclogon,DC=buffalostate,DC=edu))
Both usernames above are part of the Linux_Student security group.
If you need any other conf files or any info, please let me know and I will respond as
soon as I can.
I think the sssd logs are needed:
https://fedorahosted.org/sssd/wiki/Troubleshooting
Edit: I am sending this again, I am sorry about this. It says I didn't post anything, and
I do not see it in the list of posted. If this is moderated and it is posted 2 times,
please disregard this one. Again, new user, posting on website, sorry for the
inconvenience.
Sorry about that, I think the e-mail must have gotten stuck in the moderation