SSH Logins failing for all users, even when using correct password

linux rhel login active-directory sssd
133

Solution 1

Off the top of my head, these are the 3 things that have caused me pain in joining CentOS to AD and using sssd with ssh:

  1. Do you have pam_sss.so listed in the password portion of /etc/pam.d/password-auth, or otherwise called in /etc/pam.d/sshd? Sshd will use PAM to validate the password, and if PAM isn't configured to talk to sssd, that will break the ability to use ssh with AD auth.

  2. Do you have an /etc/security/access.conf that maybe has a line like -:ALL:ALL in it? You may need to explicitly allow users, with +:USERNAME:ALL, or you can allow anyone who passes authentication with +:ALL:ALL

    The access.conf man page has some good information on the formats of entries and the meanings of the fields in the file.

  3. In your domain stanza in /etc/sssd/sssd.conf, do you have a line for auth, like auth_provider = ad?

Edit 2017-11-02 13:48

/etc/nsswitch.conf is another file that can be problematic. You need to confirm that sss is configured as lookup target for passwd, shadow, group, netgroup, automount, and services:

passwd:     files sss
shadow:     files sss
group:      files sss
<snip>    
services:   files sss
netgroup:   files sss
<snip>
aoutomount: files sss

Although the "Success .... Access Denied" makes me think it has something to do with access.conf. Like authentication is passing, but then being blocked else where. Or... OP said this is Red Hat. It could be missing HBAC rules. They're not mentioned anywhere in the SSSD documentation that I recall.

I don't have a RH server to check with, and the CentOS servers I have that are domain joined don't have the ipa command.

Solution 2

A very similar scenario with a different root-cause:

Login with sssd (against LDAP) via console works. Login using the correct password with sssd via ssh fails. Gives about an 8 seconds delay until being denied.

My solution was to remove AllowGroups ssh-login from /etc/ssh/sshd_config. That option restricts which group of users can log into the server. As I have not been a member of that group, I was not allowed to connect. No idea how it got there. I get my servers pre-configured from the VM-peeps. Maybe it is a default of Debian 10. Maybe the IT-department put it there.

Share:
133

Related videos on Youtube

CTN
Author by

CTN

Updated on September 18, 2022

Comments

  • CTN
    CTN over 1 year

    enter image description here

    As per the image there is 20 toggle buttons.I want to change focus traversal on key press alphabetically.If i am press V from keyboard then it will select first occurrence(VVS1) if second time it will select second occurrence(VVS2).

  • Thomas N
    Thomas N over 6 years
    FWIW, I've also been tripped up by time issues. KRB is pretty picky about the timing for issuing krb tickets... I think 15 seconds of difference between client and server is enough to fail.
  • Stephen Kitt
    Stephen Kitt over 6 years
    From the OP’s deleted answer... Local users, including root, can’t login using SSH either. sssd.conf matches another server’s working sssd.conf. Every line in access.conf is commented out. password-auth does have pam_sss.so in the password section, which also matches another working server’s setup.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Can't log in to Ubuntu as domain user "no passwd entry for user" (SSSD, KRB5, Samba)`
Linux SSSD with two AD Domains
vsFTPd authenticating with SSSD
Kerberos "Server not found in kerberos database" using SSH and -K Flag to Linux Machine joined to AD
Linux / AD integration with SSSD: how to choose what systems a user can log into?
Troubles with sssd and Active Directory Integration
How to use realmd in Ubuntu 14.04 LTS to join an Active Directory domain?
Join Redhat 7 without prompting the password
Joining Linux host to Active Directory fails to update Microsoft DNS
SSSD on Centos, Active Directory search returns zero results