Platform is RHEL 6 Update 6.
Relevant RPMs are:
sssd-ad-1.11.6-30.el6.x86_64
krb5-workstation-1.10.3-33.el6.x86_64
PAM was set up using "authconfig --enablesssd --enablesssdauth --enablemkhomedir --update"
I have test users successfully authenticating against a test domain server
with both the test linux RHEL6U6 box and the Windows 2008R2 AD server on
an isolated subnet.
After I log in to the RHEL6U6 box with an AD user via either ssh, or via
the console I cannot run 'su - <username>' to any other user, either AD
based or local password file based. All I get is an 'incorrect password'
error message.
My sssd.conf:
[sssd]
config_file_version = 2
domains = CORPTEST.LOCAL
services = nss, pam
debug_level = 10
timeout = 300
[domain/CORPTEST.LOCAL]
id_provider = ad
auth_provider = ad
access_provider = ad
debug_level = 10
ldap_id_mapping = False
default shell = /bin/bash
fallback_homedir = /home/%u
use_fully_qualified_names = False
nsswitch.conf has these lines for passwd, shadow and group:
passwd: files sss
shadow: files sss
group: files sss
/etc/pam.d/system-auth-ac (not hand edited at all)
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
The sssd-ad package in rhel6 update 6 is fairly new and as such I've been
able to find limited web resources about its config directives.
Any help you can provide will be appreciated.
Cheers,
Chris