Linux-SSSD: always getting incorrect password when su'ing to domain users, but why?
I've managed to solve the issue.
There are two things which made it work eventually:
- Adding the following directive to the file /etc/sssd/sssd.conf:

      ldap_user_name = msSFU30Name

- Setting up an NTP server and making sure that the offset between the sssd clients and the authentication servers doesn't get above 3 seconds.
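As an added example (not part of the question or the answer above), a small Python linter that applies the two points of the answer to an sssd.conf like the one in the question: it checks the user-name attribute against the expected value and the client/server clock offset against a skew limit, and it also flags two settings in the shown config that a defender would want to know about (a plaintext LDAP bind password and ldap_tls_reqcert = never). The sample config is constructed from the question with the bind password replaced by a placeholder; the expected attribute and the 3-second limit are the answer's values, passed as parameters.

```python
import configparser

# Constructed from the sssd.conf in the question; bind password replaced by a placeholder.
SAMPLE_CONF = """\
[sssd]
domains = AD

[domain/AD]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://10.X.X.12 ,ldap://10.X.X.11
ldap_schema = rfc2307
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER_BIND_PASSWORD
ldap_user_name = sAMAccountName
ldap_tls_reqcert = never
"""


def lint_sssd_conf(text, expected_user_name="msSFU30Name"):
    """Return one finding string per problem found in each [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        # First point of the answer: the user-name attribute must be the one
        # AD actually populates for POSIX users (msSFU30Name in this domain).
        name_attr = dom.get("ldap_user_name")
        if name_attr != expected_user_name:
            findings.append(f"{section}: ldap_user_name={name_attr!r}, expected {expected_user_name!r}")
        # A plaintext bind password is exposed to anyone who can read the file;
        # sssd can store it obfuscated (ldap_default_authtok_type = obfuscated_password).
        if dom.get("ldap_default_authtok") and dom.get("ldap_default_authtok_type", "password") == "password":
            findings.append(f"{section}: LDAP bind password stored in plaintext")
        # 'never' turns off server certificate verification on the LDAP channel.
        if dom.get("ldap_tls_reqcert", "").lower() == "never":
            findings.append(f"{section}: ldap_tls_reqcert=never disables certificate checks")
    return findings


def clock_skew_ok(client_epoch, server_epoch, max_skew_seconds=3):
    """Second point of the answer: client/KDC offset (in seconds) must stay within the limit."""
    return abs(client_epoch - server_epoch) <= max_skew_seconds
```

Run `lint_sssd_conf(SAMPLE_CONF)` to see the three findings for the question's config; `clock_skew_ok(time.time(), <kdc time>)` is the check to wire into a monitoring job once NTP is in place.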
Itai Ganot
Updated on September 18, 2022

Comments
-
Itai Ganot over 1 year
I've built a new Linux environment at my workplace. I've configured sssd and bound it to one of the Active Directory domains of the company. I can tell that the sssd is partially working, let me show you: I've cleaned the sssd cache on the local machine, restarted sssd and queried for a domain user:

    [root@pnd01 ~]# sss_cache -E
    [root@pnd01 ~]# service sssd restart
    Stopping sssd:                                             [  OK  ]
    Starting sssd:                                             [  OK  ]
    [root@pnd01 ~]# id itai.ganot
    uid=10238(itai.ganot) gid=10012(XXXX_ops) groups=10012(XXXX_ops)
    [root@pnd01 ~]#

Here's the sssd.conf file:

    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss, pam
    domains = AD

    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3
    override_shell = /bin/bash

    [pam]
    reconnection_retries = 3

    [domain/AD]
    enumerate = true
    id_provider = ldap
    auth_provider = krb5
    ldap_uri = ldap://10.X.X.12 ,ldap://10.X.X.11
    ldap_schema = rfc2307
    ldap_default_bind_dn = CN=testuser,CN=Users,DC=eyedcny,DC=local
    ldap_default_authtok_type = password
    ldap_default_authtok = Aa123456
    ldap_user_object_class = user
    ldap_user_home_directory = unixHomeDirectory
    ldap_user_name = sAMAccountName
    ldap_group_object_class = group
    ldap_force_upper_case_realm = true
    ldap_tls_reqcert = never
    ldap_account_expire_policy = ad
    ldap_search_base = CN=RND Users,DC=eyedcny,DC=local
    krb5_server = 10.X.X.12 ,10.X.X.11
    krb5_realm = EYEDCNY.LOCAL
    krb5_kpassword = default
    ldap_referrals = false
    case_sensitive = false

The problem is that whenever I try to su from one normal user account to another, I get an incorrect password, even though the password is the correct one for sure. As you can see here, the user is not taken from /etc/passwd but from the sync with AD:

    [root@pnd01 ~]# grep itai.ganot /etc/passwd
    [root@pnd01 ~]# su - itai.ganot
    [itai.ganot@pnd01 ~]$ su - itai.ganot
    Password:
    su: incorrect password
    [itai.ganot@pnd01 ~]$

Edit #1: Here are the relevant lines from /var/log/secure with the error I'm getting:

    Apr 13 14:49:27 pnd02 su: pam_unix(su-l:auth): authentication failure; logname=root uid=10238 euid=0 tty=pts/0 ruser=itai.ganot rhost=  user=itai.ganot
    Apr 13 14:49:27 pnd02 su: pam_sss(su-l:auth): authentication failure; logname=root uid=10238 euid=0 tty=pts/0 ruser=itai.ganot rhost=  user=itai.ganot
    Apr 13 14:49:27 pnd02 su: pam_sss(su-l:auth): received for user itai.ganot: 4 (System error)

Edit #2: Another thing which is worth mentioning:

    [root@pnd01 ~]# authconfig --enablesssd --enablesssdauth --enablelocauthorize --update
    authconfig: Invalid LDAP URI.
    [root@pnd01 ~]#

I'm not sure why I get this error or where it looks for the LDAP URI, because if it's looking at the one configured in /etc/sssd/sssd.conf then the right URI is configured there. Can you please try to find the reason for this behavior?
-
Itai Ganot about 9 years
Feel free to ask for any logs you need, and I'll edit my answer to include them.
-
jhrozek about 9 years
I'm not sure why I'm getting downvoted. The troubleshooting guide exactly lists where to look and what logs to enable. Please don't expect answers without the proper data.
-
Itai Ganot about 9 years
I didn't downvote you mate.
-
MrGigu about 9 years
Probably because your answer looks a lot like spam