Hi,
Apologies for any naively stated questions but I am having trouble getting SSSD, Active Directory and SSH to interact as I expect on an Ubuntu 14.04 server. To be quite honest, I am not even certain that SSSD is the problem anymore since I seem to have successfully authenticated, it's just that my SSH session is interrupted with:

johannes@laplnxjohannes:~$ ssh johannes@bifrost-test
Password:
Write failed: Broken pipe

Extract from /var/log/auth.log
------------------------------------------
Jul 3 14:49:58 bifrost-test sshd[10281]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=lichen user=johannes
Jul 3 14:49:58 bifrost-test sshd[10279]: Accepted keyboard-interactive/pam for johannes from 192.168.120.12 port 35886 ssh2
Jul 3 14:49:58 bifrost-test sshd[10279]: fatal: PAM: pam_setcred(): Failure setting user credentials

My /etc/nsswitch.conf
--------------------------------
passwd: files sss
group: files sss
shadow: files sss

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
sudoers: files

/etc/pam.d/common-session:
------------------------------------------
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_sss.so
# end of pam-auth-update config

root@bifrost-test:/var/log/sssd# apt-cache policy sssd
sssd:
  Installed: 1.11.5-1ubuntu3

I have done my share of googling and only ended up with some very old - seemingly irrelevant to my problem - page hits. So, I've turned to this mailing list in hope of finding someone who may have encountered similar issues. Any ideas or suggestions?

Thanks and Best Regards,
Johannes

Check if your ssh client is configured with GSSAPIAuthentication=yes (in /etc/ssh/ssh_config). This is default in Ubuntu – you don’t write about your client.

Best,
Longina

From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Johannes Ramm-Ericson
Sent: 3 July 2014 16:57
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] SSSD & SSH on Ubuntu 14.04 - login failure

On 03 Jul 2014, at 16:56, Johannes Ramm-Ericson <johannes@ramm-ericson.se> wrote:

> Hi,
>
> Apologies for any naively stated questions but I am having trouble getting SSSD, Active Directory and SSH to interact as I expect on an Ubuntu 14.04 server. To be quite honest, I am not even certain that SSSD is the problem anymore since I seem to have successfully authenticated, it's just that my SSH session is interrupted with:
>
> johannes@laplnxjohannes:~$ ssh johannes@bifrost-test
> Password:
> Write failed: Broken pipe
>
> Extract from /var/log/auth.log
>
> Jul 3 14:49:58 bifrost-test sshd[10281]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=lichen user=johannes

Here it seems SSSD has done its job and returned authentication success to the PAM subsystem.

> Jul 3 14:49:58 bifrost-test sshd[10279]: Accepted keyboard-interactive/pam for johannes from 192.168.120.12 port 35886 ssh2
> Jul 3 14:49:58 bifrost-test sshd[10279]: fatal: PAM: pam_setcred(): Failure setting user credentials

This seems to be the problem.

Did you try increasing the log level of the SSHD (not SSSD :-)) and checking out the logs? Is there anything in the syslog (which would be stored either in the journal or /var/log/messages on Fedora, I’m not so sure about Ubuntu)?
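
The distinction drawn in the reply above (PAM authentication succeeds, the login then dies in pam_setcred()) can be checked mechanically. The following is an added example, not part of the original thread: a Python triage of sshd auth.log lines that correlates the PAM auth result with the later fatal PAM call. The function name triage is an assumption; the sample reuses the three log lines quoted in the thread plus one constructed failure line for a hypothetical user alice.

```python
import re

# First three lines are the extract quoted in the thread; the fourth is constructed.
SAMPLE = """\
Jul  3 14:49:58 bifrost-test sshd[10281]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=lichen user=johannes
Jul  3 14:49:58 bifrost-test sshd[10279]: Accepted keyboard-interactive/pam for johannes from 192.168.120.12 port 35886 ssh2
Jul  3 14:49:58 bifrost-test sshd[10279]: fatal: PAM: pam_setcred(): Failure setting user credentials
Jul  3 14:51:02 bifrost-test sshd[10300]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=lichen user=alice
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_AUTH = re.compile(
    r"^pam_\w+\(sshd:auth\): authentication (success|failure);.*\buser=(\S+)")
ACCEPTED = re.compile(r"^Accepted (\S+) for (\S+) from ")
PAM_FATAL = re.compile(r"^fatal: PAM: (pam_\w+)\(\): (.+)")


def triage(log_text):
    """Return {user: verdict}, separating auth failures from post-auth PAM failures."""
    auth = {}      # user -> result reported by the PAM auth stack
    pid_user = {}  # sshd pid -> user, learned from the "Accepted" line
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if (a := PAM_AUTH.match(msg)):
            result, user = a.groups()
            auth[user] = result
            if result == "failure":
                verdicts[user] = "authentication failed"
        elif (a := ACCEPTED.match(msg)):
            # In the extract the pam_sss line carries a different sshd PID than
            # the Accepted/fatal lines, so the user name is the join key.
            pid_user[pid] = a.group(2)
            verdicts[a.group(2)] = "login accepted"
        elif (a := PAM_FATAL.match(msg)):
            call, reason = a.groups()
            user = pid_user.get(pid, f"<unknown pid {pid}>")
            prefix = "authenticated, then " if auth.get(user) == "success" else "PAM "
            verdicts[user] = f"{prefix}{call}() failed: {reason}"
    return verdicts


if __name__ == "__main__":
    for user, verdict in triage(SAMPLE).items():
        print(f"{user}: {verdict}")
```
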
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users