I’ve been struggling to get SSH to work with an AD user for over 3 weeks now. I've scraped the bowels of the internet for answers, still no dice.
The issue is pretty simple in itself: I can’t SSH to a FreeIPA-joined CentOS 7.3 client with an AD user. However, kinit with any AD user, as well as su, works just fine. I’m running two 4.4.0 IPA servers.
I made sure the entire setup is resolving DNS properly, and NTP (external to FreeIPA) is in sync. I’m using FQDNs for hostnames.
Here’s the output from journalctl -f:
Jul 27 04:37:10 centos.ipa.ad.com sshd[2633]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 27 04:37:35 centos.ipa.ad.com su[2652]: (to admin@ad.com) root on pts/1
Jul 27 04:37:35 centos.ipa.ad.com su[2652]: pam_unix(su-l:session): session opened for user admin@ad.com by root(uid=0)
Jul 27 04:37:42 centos.ipa.ad.com su[2652]: pam_unix(su-l:session): session closed for user admin@ad.com
Jul 27 04:38:35 centos.ipa.ad.com sshd[2677]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=admin@ad.com
Jul 27 04:38:35 centos.ipa.ad.com sshd[2677]: pam_sss(sshd:auth): received for user admin@ad.com: 6 (Permission denied)
Jul 27 04:38:35 centos.ipa.ad.com sshd[2674]: error: PAM: Authentication failure for admin@ad.com from localhost
Jul 27 04:38:38 centos.ipa.ad.com sshd[2674]: Connection closed by ::1 [preauth]
Config files:

/etc/krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IP.AD.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
IP.AD.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

/etc/sssd/sssd.conf
[domain/ipa.ad.com]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.ad.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = centos.ipa.ad.com
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipaserver02.ipa.ad.com
dyndns_iface = ens192
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
debug_level = 9
domains = ipa.ad.com