Bug 1182183 - pam_sss(sshd:auth): authentication failure with user from AD
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.1
Hardware/OS: Unspecified / Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Sumit Bose
QA Contact: Kaushik Banerjee
Keywords: Regression, Reopened
Reported: 2015-01-14 09:52 EST by David Spurek
Modified: 2017-10-26 05:28 EDT
Fixed In Version: sssd-1.12.2-43.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 05:35:15 EST
Type: Bug

External Trackers:
Red Hat Product Errata RHBA-2015:0441 (normal, SHIPPED_LIVE): sssd bug fix and enhancement update, last updated 2015-03-05 10:05:27 EST

Description David Spurek 2015-01-14 09:52:03 EST
Description of problem:
pam_sss(sshd:auth): authentication failure with user from AD.

The sssd configuration was generated by realmd.

getent passwd works fine:
getent passwd Amy@ad.baseos.qe
amy@ad.baseos.qe:*:381001103:381000513:Amy:/home/ad.baseos.qe/amy:/bin/bash


ssh Amy@ad.baseos.qe@localhost
Amy@ad.baseos.qe@localhost's password: 
Permission denied, please try again.

Part of the log from /var/log/secure:
Jan 14 09:39:06 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=Amy@ad.baseos.qe
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy@ad.baseos.qe
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_sss(sshd:auth): received for user Amy@ad.baseos.qe: 4 (System error)
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_ldap(sshd:auth): error opening connection to nslcd: No such file or directory
Jan 14 09:39:14 ibm-p8-kvm-lt-guest-10 sshd[621]: Failed password for Amy@ad.baseos.qe from ::1 port 33535 ssh2
Jan 14 09:39:14 ibm-p8-kvm-lt-guest-10 sshd[621]: Connection closed by ::1 [preauth]

cat /etc/sssd/sssd.conf
[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = IBM-P8-KVM-LT-G$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

Version-Release number of selected component (if applicable):
sssd-1.12.2-32

How reproducible:
always

Steps to Reproduce:
1. realm join -v --user=Amy-admin --user-principal=host/Test27402@AD.BASEOS.QE ad.baseos.qe
2. ssh Amy@ad.baseos.qe@localhost

Actual results:
pam_sss(sshd:auth): authentication failure

Expected results:
pam_sss(sshd:auth): authentication success

Additional info:
This is a regression; the same test case worked with sssd-1.12.2-28.

Part of the log from /var/log/secure:
Jan 14 09:08:11 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=Amy@ad.baseos.qe
Jan 14 09:08:13 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy@ad.baseos.qe
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sssd[be[ad.baseos.qe]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_ldap(sshd:account): error opening connection to nslcd: No such file or directory
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: Failed password for Amy@ad.baseos.qe from ::1 port 33400 ssh2
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: fatal: Access denied for user Amy@ad.baseos.qe by PAM account configuration [preauth]
Comment 4 Jakub Hrozek 2015-01-14 10:28:00 EST
Can you prepare a test machine that reproduces the bug or attach log files with a high debug_level?
Comment 7 Jakub Hrozek 2015-01-14 12:25:49 EST
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2557
Comment 13 Jakub Hrozek 2015-01-19 05:29:53 EST
Fixed upstream:
    master: 576ad637181b80d39a4e136c9afbf34c57f76156
    sssd-1-12: 24df1487413d13248dcc70d2548a763930da4c65
Comment 15 Nirupama Karandikar 2015-01-27 07:32:00 EST
Tested with sssd-1.12.2-47.el7.x86_64

1. Install sssd-1.12.2-39.el7.x86_64 on test VM.

2. Configure sssd to authenticate to AD. From /etc/sssd/sssd.conf

[domain/sssdad2012.com]
ad_domain = sssdad2012.com
krb5_realm = SSSDAD2012.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

3. With ktutil, add an invalid principal to the keytab file.

# klist -ekt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com@SSSDAD2012.COM (des-cbc-crc) 
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com@SSSDAD2012.COM (des-cbc-md5) 
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com@SSSDAD2012.COM (aes128-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com@SSSDAD2012.COM (aes256-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com@SSSDAD2012.COM (arcfour-hmac) 
   2 01/27/2015 17:21:36 host/dhcp207-182@SSSDAD2012.COM (des-cbc-crc) 
   2 01/27/2015 17:21:36 host/dhcp207-182@SSSDAD2012.COM (des-cbc-md5) 
   2 01/27/2015 17:21:36 host/dhcp207-182@SSSDAD2012.COM (aes128-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 host/dhcp207-182@SSSDAD2012.COM (aes256-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 host/dhcp207-182@SSSDAD2012.COM (arcfour-hmac) 
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (des-cbc-crc) 
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (des-cbc-md5) 
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (aes128-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (aes256-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (arcfour-hmac) 
   3 01/27/2015 17:51:44 host/Test13775@SSSDAD2012.COM (aes256-cts-hmac-sha1-96) 


The principal "host/Test13775@SSSDAD2012.COM" is not known to AD.

4. User auth fails. 

[root@dhcp207-182 ~]# ssh -l kau1@sssdad2012.com  localhost
kau1@sssdad2012.com@localhost's password: 
Permission denied, please try again.
kau1@sssdad2012.com@localhost's password: 
Permission denied, please try again.
kau1@sssdad2012.com@localhost's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

From /var/log/secure

Jan 27 17:53:20 dhcp207-182 sshd[24774]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=kau1@sssdad2012.com
Jan 27 17:53:20 dhcp207-182 sshd[24774]: pam_sss(sshd:auth): received for user kau1@sssdad2012.com: 4 (System error)
Jan 27 17:53:22 dhcp207-182 sshd[24774]: Failed password for kau1@sssdad2012.com from ::1 port 51693 ssh2
Jan 27 17:53:22 dhcp207-182 sshd[24774]: Connection closed by ::1 [preauth]

5. Update to sssd-1.12.2-47.el7.x86_64.rpm.

Try auth with an AD user. Login:

[root@dhcp207-182 ~]# ssh -l kau1@sssdad2012.com  localhost
kau1@sssdad2012.com@localhost's password: 
Last failed login: Tue Jan 27 17:58:56 IST 2015 from localhost on ssh:notty
Last login: Tue Jan 27 17:53:56 2015 from localhost
Could not chdir to home directory /home/kau1: No such file or directory
-sh-4.2$ 

From /var/log/secure

Jan 27 18:02:02 dhcp207-182 sshd[25048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=kau1@sssdad2012.com
Jan 27 18:02:02 dhcp207-182 sssd[be[sssdad2012.com]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Jan 27 18:02:02 dhcp207-182 sshd[25048]: Accepted password for kau1@sssdad2012.com from ::1 port 51748 ssh2
Jan 27 18:02:02 dhcp207-182 sshd[25048]: pam_unix(sshd:session): session opened for user kau1@sssdad2012.com by (uid=0)
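An added example (not part of the bug report or of sssd) that scripts the check behind step 3 of the verification above, and applies equally to the reporter's realmd-joined host: parse `klist -ekt` output, flag any principal that does not belong to this host (the stray `host/Test13775@...` entry is what triggered the "4 (System error)" failure on -39), and flag entries using weak enctypes such as the DES keys in the listing. The expected-principal set (host/FQDN, host/shortname, NETBIOS$) is an assumption taken from the listing above; the sample listing is a constructed, shortened copy of it.

```python
import re

# Constructed sample: a shortened copy of the `klist -ekt` listing from the
# verification steps (same hostnames, realm and the stray principal).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com@SSSDAD2012.COM (des-cbc-crc)
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com@SSSDAD2012.COM (aes256-cts-hmac-sha1-96)
   2 01/27/2015 17:21:36 host/dhcp207-182@SSSDAD2012.COM (aes256-cts-hmac-sha1-96)
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (aes256-cts-hmac-sha1-96)
   3 01/27/2015 17:51:44 host/Test13775@SSSDAD2012.COM (aes256-cts-hmac-sha1-96)
"""

# One keytab entry line: KVNO, date, time, principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(([^)]+)\)\s*$")
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -ekt` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header and separator lines do not match
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries

def expected_principals(fqdn, realm):
    """Principals the join above wrote for this host (assumed set, see lead-in)."""
    short = fqdn.split(".")[0]
    return {f"host/{fqdn}@{realm}", f"host/{short}@{realm}", f"{short.upper()}$@{realm}"}

def audit_keytab(text, fqdn, realm):
    """Return (unexpected_principals, weak_entries); comparison is case-sensitive."""
    entries = parse_klist(text)
    expected = expected_principals(fqdn, realm)
    unexpected = list(dict.fromkeys(p for _, p, _ in entries if p not in expected))
    weak = [(p, e) for _, p, e in entries if e in WEAK_ENCTYPES]
    return unexpected, weak

if __name__ == "__main__":
    bad, weak = audit_keytab(SAMPLE_KLIST, "dhcp207-182.sssdad2012.com", "SSSDAD2012.COM")
    for p in bad:
        print("unexpected principal:", p)
    for p, e in weak:
        print("weak enctype:", p, e)
```

On a live host, feed it `subprocess.run(["klist", "-ekt"], capture_output=True, text=True).stdout` instead of the constructed sample.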
Comment 18 errata-xmlrpc 2015-03-05 05:35:15 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html
