Hi Expert,
1. Environment
* Windows Server 2012 R2 Active Directory.
* sudoRule schema extended
* CentOS 7.3 (1611) Client, joined to domain by using realm
* selinux -> permissive
2. Configuration files
* sssd.conf
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam, sudo
[domain/mydomain.com]
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_gpo_access_control = enforcing
* smb.conf
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root
create mask = 0664
directory mask = 0775
* nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
sudoers: files sss
3. Problem description
* After joining CentOS 7 to the Active Directory domain, domain user logon to the machine via ssh is not stable.
* /var/log/secure shows
Jul 10 17:37:47 MyIssueMachine sshd[42400]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.15 user=MyUser@mydomain.com
Jul 10 17:37:47 MyIssueMachine sshd[42400]: pam_sss(sshd:account): Access denied for user MyUser@mydomain.com: 4 (System error)
Jul 10 17:37:47 MyIssueMachine sshd[42400]: Failed password for MyUser@mydomain.com from 192.168.150.15 port 51594 ssh2
Jul 10 17:37:47 MyIssueMachine sshd[42400]: fatal: Access denied for user MyUser@mydomain.com by PAM account configuration [preauth]
* /var/log/sssd/sssd_pam.log shows
(Mon Jul 10 16:02:24 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][mydomain.com]
(Mon Jul 10 16:02:24 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Mon Jul 10 16:02:24 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 30
(Mon Jul 10 16:02:24 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7fe3abac60a0][23]
(Mon Jul 10 16:02:24 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7fe3abac60a0][23]
(Mon Jul 10 16:02:24 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon Jul 10 16:02:24 2017) [sssd[pam]] [client_close_fn] (0x2000): Terminated client [0x7fe3abac60a0][23]
Thanks in advance!
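The failure pattern in the post (pam_sss auth phase succeeds, then the account phase returns result 4) is worth separating from an ordinary policy denial before touching the domain controller or the GPOs. The following triage script is an added example written for this page; it is not code from the original post and not part of SSSD. It groups the /var/log/secure lines by sshd PID, decodes the numeric PAM result using the Linux-PAM code table (4 is PAM_SYSTEM_ERR, an internal error in the access check; 6 is PAM_PERM_DENIED, a real policy "no"), and lints the [domain/...] section of sssd.conf for the combination that puts GPO evaluation on the account path. The log lines and config excerpt embedded below are constructed samples modelled on the post, with placeholder host, user and PIDs; the log paths it suggests assume SSSD's default layout under /var/log/sssd (sssd_<domain>.log and gpo_child.log).

```python
import configparser
import re

# Linux-PAM result codes (security/_pam_types.h). pam_sss logs the number
# followed by libpam's text for it, e.g. "4 (System error)".
PAM_CODES = {
    0: "PAM_SUCCESS", 3: "PAM_SERVICE_ERR", 4: "PAM_SYSTEM_ERR",
    6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN", 12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED",
}

# Constructed sample modelled on the post's /var/log/secure excerpt.
SAMPLE_SECURE = """\
Jul 10 17:37:47 MyIssueMachine sshd[42400]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.15 user=MyUser@mydomain.com
Jul 10 17:37:47 MyIssueMachine sshd[42400]: pam_sss(sshd:account): Access denied for user MyUser@mydomain.com: 4 (System error)
Jul 10 17:37:47 MyIssueMachine sshd[42400]: Failed password for MyUser@mydomain.com from 192.168.150.15 port 51594 ssh2
Jul 10 17:39:02 MyIssueMachine sshd[42555]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.15 user=MyUser@mydomain.com
Jul 10 17:39:02 MyIssueMachine sshd[42555]: Accepted password for MyUser@mydomain.com from 192.168.150.15 port 51610 ssh2
Jul 10 17:40:11 MyIssueMachine sshd[42601]: pam_sss(sshd:account): Access denied for user OtherUser@mydomain.com: 6 (Permission denied)
"""

# Constructed sssd.conf excerpt with the settings relevant to the account phase.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam, sudo

[domain/mydomain.com]
ad_domain = mydomain.com
id_provider = ad
access_provider = ad
ad_gpo_access_control = enforcing
"""

SSHD_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<rest>.*)$")
PAM_RE = re.compile(r"pam_sss\(sshd:(?P<phase>auth|account)\): (?P<msg>.*)$")
USER_RE = re.compile(r"user=(?P<user>\S+)")
DENY_RE = re.compile(r"Access denied for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")


def correlate(secure_text):
    """Group pam_sss lines by sshd PID so each session's auth and account results line up."""
    sessions = {}
    for line in secure_text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        pm = PAM_RE.match(m.group("rest"))
        if not pm:
            continue
        sess = sessions.setdefault(m.group("pid"), {"user": None, "auth": None, "account": None})
        msg = pm.group("msg")
        if pm.group("phase") == "auth":
            sess["auth"] = "success" if msg.startswith("authentication success") else "failure"
            um = USER_RE.search(msg)
            if um:
                sess["user"] = um.group("user")
        else:
            dm = DENY_RE.match(msg)
            if dm:
                sess["user"] = sess["user"] or dm.group("user")
                sess["account"] = {"code": int(dm.group("code")), "text": dm.group("text")}
    return sessions


def classify(sess):
    """Return (tag, pam_name). PAM_SYSTEM_ERR in the account phase means the access
    check itself failed; PAM_PERM_DENIED means the policy evaluated and said no."""
    acct = sess["account"]
    if acct is None:
        return ("passed" if sess["auth"] == "success" else "incomplete", None)
    name = PAM_CODES.get(acct["code"], "PAM_?%d" % acct["code"])
    if acct["code"] == 4:
        return ("system_error", name)
    if acct["code"] == 6:
        return ("policy_denied", name)
    return ("account_failure", name)


def lint_sssd_conf(conf_text):
    """Flag domain sections where GPO access control is enforced and no debug_level is set."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        if sec.get("access_provider") == "ad" and sec.get("ad_gpo_access_control", "").lower() == "enforcing":
            findings.append((section, "gpo_enforcing"))
        if "debug_level" not in sec:
            findings.append((section, "no_debug_level"))
    return findings


def triage(secure_text, conf_text):
    """Combine log correlation and config lint; name the SSSD logs to read next (assumed default paths)."""
    sessions = correlate(secure_text)
    findings = lint_sssd_conf(conf_text)
    seen_system_error = any(classify(s)[0] == "system_error" for s in sessions.values())
    logs = []
    for section, tag in findings:
        if tag == "gpo_enforcing" and seen_system_error:
            domain = section.split("/", 1)[1]
            logs += ["/var/log/sssd/sssd_%s.log" % domain, "/var/log/sssd/gpo_child.log"]
    return {"sessions": sessions, "findings": findings, "logs_to_read": logs}


if __name__ == "__main__":
    result = triage(SAMPLE_SECURE, SAMPLE_SSSD_CONF)
    for pid, sess in result["sessions"].items():
        print(pid, sess["user"], *classify(sess))
    print(result["findings"], result["logs_to_read"])
```

Run it against a real /var/log/secure and sssd.conf by reading the files into the two arguments of triage(). A session tagged system_error with gpo_enforcing in the findings says the access decision never completed, so the next place to look is the domain log and gpo_child.log with debug_level raised in the [domain/...] section, not the user's group memberships.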