#2557 pam_sss(sshd:auth): authentication failure with user from AD
Closed: Fixed None Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1182183

Description of problem:
pam_sss(sshd:auth): authentication failure with user from AD.

sssd configuration was generated by realmd

getent passwd works fine:
getent passwd Amy@ad.baseos.qe'
amy@ad.baseos.qe:*:381001103:381000513:Amy:/home/ad.baseos.qe/amy:/bin/bash


ssh Amy@ad.baseos.qe@localhost
Amy@ad.baseos.qe@localhost's password:
Permission denied, please try again.

part of log from /var/log/secure
Jan 14 09:39:06 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
user=Amy@ad.baseos.qe
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
user=Amy@ad.baseos.qe
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_sss(sshd:auth): received
for user Amy@ad.baseos.qe: 4 (System error)
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_ldap(sshd:auth): error
opening connection to nslcd: No such file or directory
Jan 14 09:39:14 ibm-p8-kvm-lt-guest-10 sshd[621]: Failed password for
Amy@ad.baseos.qe from ::1 port 33535 ssh2
Jan 14 09:39:14 ibm-p8-kvm-lt-guest-10 sshd[621]: Connection closed by ::1
[preauth]

cat /etc/sssd/sssd.conf
[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = IBM-P8-KVM-LT-G$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

Version-Release number of selected component (if applicable):
sssd-1.12.2-32

How reproducible:
always

Steps to Reproduce:
1.realm join -v --user=Amy-admin --user-principal=host/Test27402@AD.BASEOS.QE
ad.baseos.qe
2.ssh Amy@ad.baseos.qe@localhost
3.

Actual results:
pam_sss(sshd:auth): authentication failure

Expected results:
pam_sss(sshd:auth): authentication success

Additional info:
This is a regression, the same test case worked with sssd-1.12.2-28

part of log from /var/log/secure
Jan 14 09:08:11 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
user=Amy@ad.baseos.qe
Jan 14 09:08:13 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
user=Amy@ad.baseos.qe
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sssd[be[ad.baseos.qe]]: Warning: user
would have been denied GPO-based logon access if the ad_gpo_access_control
option were set to enforcing mode.
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_ldap(sshd:account):
error opening connection to nslcd: No such file or directory
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: Failed password for
Amy@ad.baseos.qe from ::1 port 33400 ssh2
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: fatal: Access denied for
user Amy@ad.baseos.qe by PAM account configuration [preauth]

Sumit knows what's up.

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => sbose
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

patch: 0 => 1
status: new => assigned

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.12.4

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3599

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata