Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1182183
Description of problem:
pam_sss(sshd:auth): authentication failure with user from AD. sssd configuration was generated by realmd.

getent passwd works fine:
getent passwd 'Amy@ad.baseos.qe'
amy@ad.baseos.qe:*:381001103:381000513:Amy:/home/ad.baseos.qe/amy:/bin/bash

ssh Amy@ad.baseos.qe@localhost
Amy@ad.baseos.qe@localhost's password:
Permission denied, please try again.

part of log from /var/log/secure
Jan 14 09:39:06 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy@ad.baseos.qe
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy@ad.baseos.qe
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_sss(sshd:auth): received for user Amy@ad.baseos.qe: 4 (System error)
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_ldap(sshd:auth): error opening connection to nslcd: No such file or directory
Jan 14 09:39:14 ibm-p8-kvm-lt-guest-10 sshd[621]: Failed password for Amy@ad.baseos.qe from ::1 port 33535 ssh2
Jan 14 09:39:14 ibm-p8-kvm-lt-guest-10 sshd[621]: Connection closed by ::1 [preauth]

cat /etc/sssd/sssd.conf
[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = IBM-P8-KVM-LT-G$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

Version-Release number of selected component (if applicable):
sssd-1.12.2-32

How reproducible:
always

Steps to Reproduce:
1. realm join -v --user=Amy-admin --user-principal=host/Test27402@AD.BASEOS.QE ad.baseos.qe
2. ssh Amy@ad.baseos.qe@localhost
3.

Actual results:
pam_sss(sshd:auth): authentication failure

Expected results:
pam_sss(sshd:auth): authentication success

Additional info:
This is a regression, the same test case worked with sssd-1.12.2-28

part of log from /var/log/secure
Jan 14 09:08:11 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy@ad.baseos.qe
Jan 14 09:08:13 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy@ad.baseos.qe
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sssd[be[ad.baseos.qe]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_ldap(sshd:account): error opening connection to nslcd: No such file or directory
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: Failed password for Amy@ad.baseos.qe from ::1 port 33400 ssh2
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: fatal: Access denied for user Amy@ad.baseos.qe by PAM account configuration [preauth]
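Added example, not part of the ticket or of SSSD's code: a triage helper that reads the /var/log/secure lines quoted above and separates a pam_sss backend error (the "4 (System error)" result in the failing run) from a rejected credential, so that a run of such failures is not counted as password guessing. The function name `triage` and the verdict labels are assumptions made for this illustration; the numeric codes are the Linux-PAM return codes.

```python
import re
from collections import defaultdict

# /var/log/secure lines copied from this ticket: sshd[621] is the failing
# sssd-1.12.2-32 run, sshd[27251] the earlier sssd-1.12.2-28 run.
SAMPLE = """\
Jan 14 09:39:06 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy@ad.baseos.qe
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy@ad.baseos.qe
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_sss(sshd:auth): received for user Amy@ad.baseos.qe: 4 (System error)
Jan 14 09:39:14 ibm-p8-kvm-lt-guest-10 sshd[621]: Failed password for Amy@ad.baseos.qe from ::1 port 33535 ssh2
Jan 14 09:08:13 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy@ad.baseos.qe
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: fatal: Access denied for user Amy@ad.baseos.qe by PAM account configuration [preauth]
"""

PAM_SSS = re.compile(r"sshd\[(\d+)\]: pam_sss\(sshd:(\w+)\): (.*)")
RESULT = re.compile(r"received for user \S+: (\d+) \(([^)]*)\)")
# Linux-PAM return codes meaning the module could not reach a decision,
# as opposed to 7 (PAM_AUTH_ERR), which is a rejected credential.
BACKEND_CODES = {4: "PAM_SYSTEM_ERR", 9: "PAM_AUTHINFO_UNAVAIL"}

def triage(log_text):
    """Return {sshd_pid: verdict} for the pam_sss auth stage of each session."""
    verdicts = defaultdict(lambda: "unknown")
    for line in log_text.splitlines():
        m = PAM_SSS.search(line)
        if not m or m.group(2) != "auth":
            continue
        pid, msg = int(m.group(1)), m.group(3)
        code = RESULT.search(msg)
        if code and int(code.group(1)) in BACKEND_CODES:
            # Overrides the generic "authentication failure" line logged before it.
            verdicts[pid] = "backend-error:" + BACKEND_CODES[int(code.group(1))]
        elif code and int(code.group(1)) == 7:
            verdicts[pid] = "credentials-rejected"
        elif msg.startswith("authentication success"):
            verdicts[pid] = "auth-ok"
        elif msg.startswith("authentication failure") and verdicts[pid] == "unknown":
            verdicts[pid] = "failure-unclassified"
    return dict(verdicts)

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE).items():
        print(pid, verdict)
```

The verdict covers only the auth stage; the account-stage denial logged by sshd[27251] is outside what this helper classifies.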
Sumit knows what's up.
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => sbose
review: True => 0
selected: =>
testsupdated: => 0
Fields changed
patch: 0 => 1 status: new => assigned
resolution: => fixed status: assigned => closed
Metadata Update from @jhrozek: - Issue assigned to sbose - Issue set to the milestone: SSSD 1.12.4
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3599
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.