#2557 pam_sss(sshd:auth): authentication failure with user from AD

Created 2 years ago by jhrozek
Modified 9 months ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1182183

Description of problem:
pam_sss(sshd:auth): authentication failure with user from AD.

sssd configuration was generated by realmd

getent passwd works fine:
getent passwd Amy@ad.baseos.qe
amy@ad.baseos.qe:*:381001103:381000513:Amy:/home/ad.baseos.qe/amy:/bin/bash


ssh Amy@ad.baseos.qe@localhost
Amy@ad.baseos.qe@localhost's password:
Permission denied, please try again.

part of log from /var/log/secure
Jan 14 09:39:06 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy@ad.baseos.qe
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy@ad.baseos.qe
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_sss(sshd:auth): received for user Amy@ad.baseos.qe: 4 (System error)
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_ldap(sshd:auth): error opening connection to nslcd: No such file or directory
Jan 14 09:39:14 ibm-p8-kvm-lt-guest-10 sshd[621]: Failed password for Amy@ad.baseos.qe from ::1 port 33535 ssh2
Jan 14 09:39:14 ibm-p8-kvm-lt-guest-10 sshd[621]: Connection closed by ::1 [preauth]

cat /etc/sssd/sssd.conf
[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = IBM-P8-KVM-LT-G$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

Version-Release number of selected component (if applicable):
sssd-1.12.2-32

How reproducible:
always

Steps to Reproduce:
1. realm join -v --user=Amy-admin --user-principal=host/Test27402@AD.BASEOS.QE ad.baseos.qe
2. ssh Amy@ad.baseos.qe@localhost

Actual results:
pam_sss(sshd:auth): authentication failure

Expected results:
pam_sss(sshd:auth): authentication success

Additional info:
This is a regression, the same test case worked with sssd-1.12.2-28

part of log from /var/log/secure
Jan 14 09:08:11 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy@ad.baseos.qe
Jan 14 09:08:13 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy@ad.baseos.qe
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sssd[be[ad.baseos.qe]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_ldap(sshd:account): error opening connection to nslcd: No such file or directory
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: Failed password for Amy@ad.baseos.qe from ::1 port 33400 ssh2
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: fatal: Access denied for user Amy@ad.baseos.qe by PAM account configuration [preauth]
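
An added example, not part of the ticket or of SSSD: a small Python triage helper that groups /var/log/secure lines by sshd PID and reports the PAM phase in which each login failed, together with the error code pam_sss logged, if any. The sample lines are taken from the two log excerpts in this ticket with wrapped lines joined; the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# "sshd[PID]: pam_MODULE(sshd:PHASE): MESSAGE" as written to /var/log/secure
PAM_LINE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<mod>pam_\w+)\(sshd:(?P<phase>\w+)\): (?P<msg>.*)")
# sshd's own message when the PAM account phase rejects the user
ACCT_DENIED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: fatal: Access denied for user \S+ by PAM account")
# pam_sss logs the PAM error code it received, e.g. "4 (System error)"
SSS_CODE = re.compile(r"received for user \S+: (\d+) \((.+)\)")

# Sample input: lines from the ticket's two log excerpts, wrapped lines joined.
SAMPLE = """\
Jan 14 09:39:06 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy@ad.baseos.qe
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy@ad.baseos.qe
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_sss(sshd:auth): received for user Amy@ad.baseos.qe: 4 (System error)
Jan 14 09:08:13 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy@ad.baseos.qe
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_ldap(sshd:account): error opening connection to nslcd: No such file or directory
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: fatal: Access denied for user Amy@ad.baseos.qe by PAM account configuration [preauth]
""".splitlines()

def triage(lines):
    """Return {pid: {"failed_stage": ..., "sss_error": ...}} per sshd process."""
    sessions = defaultdict(lambda: {"sss_auth": [], "denied": False})
    for line in lines:
        m = PAM_LINE.search(line)
        if m and m["mod"] == "pam_sss" and m["phase"] == "auth":
            sessions[m["pid"]]["sss_auth"].append(m["msg"])
        m = ACCT_DENIED.search(line)
        if m:
            sessions[m["pid"]]["denied"] = True
    report = {}
    for pid, s in sessions.items():
        msgs = s["sss_auth"]
        if any(x.startswith("authentication failure") for x in msgs):
            stage = "auth"      # pam_sss reported a failure in the auth phase
        elif s["denied"]:
            stage = "account"   # sshd reported an account-phase denial
        else:
            stage = None
        codes = [SSS_CODE.search(x) for x in msgs]
        err = next(((int(c[1]), c[2]) for c in codes if c), None)
        report[pid] = {"failed_stage": stage, "sss_error": err}
    return report

if __name__ == "__main__":
    for pid, result in triage(SAMPLE).items():
        print(pid, result)
```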

Sumit knows what's up.

owner: somebody => sbose
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

patch: 0 => 1
status: new => assigned

resolution: => fixed
status: assigned => closed

9 months ago

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.12.4


https://bugzilla.redhat.com/show_bug.cgi?id=1182183
