Hi,
We are having some trouble authenticating users via SSSD. Server has an established JOIN with the DC and we are able to use “id” and “getent passwd” without any issues. But authentication fails with the following messages:
Jul 12 08:38:19 hostname sshd[25967]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhost.x.y.local user=first.last
Jul 12 08:38:19 hostname sshd[25967]: pam_sss(sshd:auth): received for user first.last: 4 (System error)
Jul 12 08:38:21 hostname sshd[25963]: error: PAM: Permission denied for first.last from rhost.x.y.local
Under krb5_child.log, we see the following even though the user is a member of one of the groups added under “ad_access_filter”
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last@COMPANY.COM@X.Y.LOCAL] might not be correct.
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_child_krb5_trace_cb] (0x4000): [25625] 1499864410.696457: Destroying ccache MEMORY:rd_req2
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_233006683_XXXXXX]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal first.last@X.Y.LOCAL in cache collection]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1]
(Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [k5c_send_data] (0x0200): Received error code 1432158209
[root@hostname sssd]# net ads testjoin
Join is OK
[root@hostname sssd]# net ads info
LDAP server: X.X.90.128
LDAP server name: AD-Server.x.y.local
Realm: X.Y.LOCAL
Bind Path: dc=X,dc=Y,dc=LOCAL
LDAP port: 389
Server time: Wed, 12 Jul 2017 09:03:08 CDT
KDC server: X.X.90.128
Server time offset: 0
Last machine account password change: Wed, 12 Jul 2017 07:41:59 CDT
SSSD Configuration:
[sssd]
domains = X.Y.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 0

[nss]

[pam]

[sudo]
debug_level=2

[domain/x.y.local]
debug_level=2
ad_server = AD-Server.x.y.local
auth_provider = ad
access_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = true
krb5_realm = X.Y.LOCAL
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ad_access_filter = …….
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
ldap_schema = ad
Attached are sssd_x.y.local, krb5_child.log & ldap_child.log (level 10)
Also tried with ad_gpo_access_control = permissive & access_provider = permit but that didn’t allow auth either.
Any suggestions are highly appreciated.
Thanks in advance,
~ Abhi
My bad... Should have looked at this before posting.
File permissions for /etc/krb5.conf were 600 for some reason. Changed them back to 644 and that resolved the issue.
Thanks,
~ abhi
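The fix in the reply was a permissions change on /etc/krb5.conf (0600 back to 0644), which is the kind of precondition that is easy to check before reading through level-10 SSSD logs. The script below is an added example written for this page; it is not from the thread, from SSSD or from MIT Kerberos. It assumes a POSIX shell with either GNU or BSD `stat`, and the function names (`mode_of`, `world_readable`, `check_krb5_client_files`, `demo`) are this example's own. It reads the "other" permission class of each file given and reports any file that a process running as an unprivileged user could not read; the `--demo` mode reproduces the 0600 failure and the 0644 fix on a constructed copy of krb5.conf in a scratch directory, so it never touches the real file.

```shell
#!/bin/sh
# Added diagnostic (not SSSD code): verify that files the Kerberos client
# library must read on behalf of an unprivileged user are world-readable.
# The thread's root cause was /etc/krb5.conf sitting at mode 0600.
set -u

# Print the octal permission bits of a file (GNU stat, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 if the "other" class can read the file, 1 if not,
# 2 if the mode could not be determined.
world_readable() {
    mode=$(mode_of "$1") || return 2
    last=${mode#"${mode%?}"}        # last octal digit = bits for "other"
    [ $(( last & 4 )) -ne 0 ]       # read bit is 4
}

# Report on each path given; return 1 if any existing file fails the check.
# Missing files are skipped (e.g. an empty /etc/krb5.conf.d/), not failed.
check_krb5_client_files() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf '%s: not present (skipped)\n' "$f"
            continue
        fi
        if world_readable "$f"; then
            printf '%s: mode %s, ok\n' "$f" "$(mode_of "$f")"
        else
            printf '%s: mode %s, NOT world-readable; a process running as the user cannot read it (chmod 644)\n' \
                "$f" "$(mode_of "$f")"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on a constructed krb5.conf in a scratch directory:
# reproduce the 0600 failure, then apply the fix from the thread (0644).
demo() {
    d=$(mktemp -d) || return 1
    printf '[libdefaults]\n  default_realm = X.Y.LOCAL\n' > "$d/krb5.conf"
    chmod 600 "$d/krb5.conf"
    check_krb5_client_files "$d/krb5.conf"      # reports NOT world-readable
    chmod 644 "$d/krb5.conf"
    check_krb5_client_files "$d/krb5.conf"      # reports ok
    r=$?
    rm -rf "$d"
    return $r
}

# On a real host (as root): check_krb5_client_files /etc/krb5.conf /etc/krb5.conf.d/*
if [ "${1-}" = "--demo" ]; then
    demo
fi
```

The check deliberately inspects the mode bits rather than using `test -r`, because `test -r` run as root always succeeds and would have hidden exactly the problem this thread hit.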
sssd-users@lists.fedorahosted.org