RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1182183 - pam_sss(sshd:auth): authentication failure with user from AD
Summary: pam_sss(sshd:auth): authentication failure with user from AD
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.1
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Sumit Bose
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-01-14 14:52 UTC by David Spurek
Modified: 2020-05-02 17:55 UTC (History)
14 users (show)

Fixed In Version: sssd-1.12.2-43.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:35:15 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3599 0 None closed pam_sss(sshd:auth): authentication failure with user from AD 2020-10-12 11:11:55 UTC
Red Hat Product Errata RHBA-2015:0441 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2015-03-05 15:05:27 UTC

Description David Spurek 2015-01-14 14:52:03 UTC 
Description of problem:
pam_sss(sshd:auth): authentication failure with user from AD.

sssd configuration was generated by realmd

getent passwd works fine:
getent passwd Amy.qe'
amy.qe:*:381001103:381000513:Amy:/home/ad.baseos.qe/amy:/bin/bash


ssh Amy.qe@localhost
Amy.qe@localhost's password: 
Permission denied, please try again.

part of log from /var/log/secure
Jan 14 09:39:06 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=Amy.qe
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy.qe
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_sss(sshd:auth): received for user Amy.qe: 4 (System error)
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_ldap(sshd:auth): error opening connection to nslcd: No such file or directory
Jan 14 09:39:14 ibm-p8-kvm-lt-guest-10 sshd[621]: Failed password for Amy.qe from ::1 port 33535 ssh2
Jan 14 09:39:14 ibm-p8-kvm-lt-guest-10 sshd[621]: Connection closed by ::1 [preauth]

cat /etc/sssd/sssd.conf
[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = IBM-P8-KVM-LT-G$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

Version-Release number of selected component (if applicable):
sssd-1.12.2-32

How reproducible:
always

Steps to Reproduce:
1.realm join -v --user=Amy-admin --user-principal=host/Test27402.QE ad.baseos.qe
2.ssh Amy.qe@localhost
3.

Actual results:
pam_sss(sshd:auth): authentication failure

Expected results:
pam_sss(sshd:auth): authentication success

Additional info:
This is a regression, the same test case worked with sssd-1.12.2-28

part of log from /var/log/secure
Jan 14 09:08:11 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=Amy.qe
Jan 14 09:08:13 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy.qe
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sssd[be[ad.baseos.qe]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_ldap(sshd:account): error opening connection to nslcd: No such file or directory
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: Failed password for Amy.qe from ::1 port 33400 ssh2
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: fatal: Access denied for user Amy.qe by PAM account configuration [preauth]
Comment 4 Jakub Hrozek 2015-01-14 15:28:00 UTC 
Can you prepare a test machine that reproduces the bug or attach log files with a high debug_level?
Comment 7 Jakub Hrozek 2015-01-14 17:25:49 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2557
Comment 13 Jakub Hrozek 2015-01-19 10:29:53 UTC 
Fixed upstream:
    master: 576ad637181b80d39a4e136c9afbf34c57f76156
    sssd-1-12: 24df1487413d13248dcc70d2548a763930da4c65
Comment 15 Nirupama Karandikar 2015-01-27 12:32:00 UTC 
Tested with sssd-1.12.2-47.el7.x86_64

1. Install sssd-1.12.2-39.el7.x86_64 on test VM.

2. Configure sssd to authenticate to AD. From /etc/sssd/sssd.conf

[domain/sssdad2012.com]
ad_domain = sssdad2012.com
krb5_realm = SSSDAD2012.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

3. With ktutil add invalid principle in the keytab file.

# klist -ekt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (des-cbc-crc) 
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (des-cbc-md5) 
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (aes128-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (aes256-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (arcfour-hmac) 
   2 01/27/2015 17:21:36 host/dhcp207-182 (des-cbc-crc) 
   2 01/27/2015 17:21:36 host/dhcp207-182 (des-cbc-md5) 
   2 01/27/2015 17:21:36 host/dhcp207-182 (aes128-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 host/dhcp207-182 (aes256-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 host/dhcp207-182 (arcfour-hmac) 
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (des-cbc-crc) 
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (des-cbc-md5) 
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (aes128-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (aes256-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (arcfour-hmac) 
   3 01/27/2015 17:51:44 host/Test13775 (aes256-cts-hmac-sha1-96) 


The "host/Test13775" is principle not known to AD.

4. User auth fails. 

[root@dhcp207-182 ~]# ssh -l kau1  localhost
kau1@localhost's password: 
Permission denied, please try again.
kau1@localhost's password: 
Permission denied, please try again.
kau1@localhost's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

From /var/log/secure

Jan 27 17:53:20 dhcp207-182 sshd[24774]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=kau1
Jan 27 17:53:20 dhcp207-182 sshd[24774]: pam_sss(sshd:auth): received for user kau1: 4 (System error)
Jan 27 17:53:22 dhcp207-182 sshd[24774]: Failed password for kau1 from ::1 port 51693 ssh2
Jan 27 17:53:22 dhcp207-182 sshd[24774]: Connection closed by ::1 [preauth]

5. Update to sssd-1.12.2-47.el7.x86_64.rpm.

Try auth with AD user. Login 

[root@dhcp207-182 ~]# ssh -l kau1  localhost
kau1@localhost's password: 
Last failed login: Tue Jan 27 17:58:56 IST 2015 from localhost on ssh:notty
Last login: Tue Jan 27 17:53:56 2015 from localhost
Could not chdir to home directory /home/kau1: No such file or directory
-sh-4.2$ 

From /var/log/secure

Jan 27 18:02:02 dhcp207-182 sshd[25048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=kau1
Jan 27 18:02:02 dhcp207-182 sssd[be[sssdad2012.com]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Jan 27 18:02:02 dhcp207-182 sshd[25048]: Accepted password for kau1 from ::1 port 51748 ssh2
Jan 27 18:02:02 dhcp207-182 sshd[25048]: pam_unix(sshd:session): session opened for user kau1 by (uid=0)
Comment 18 errata-xmlrpc 2015-03-05 10:35:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html
Note You need to log in before you can comment on or make changes to this bug.