Re: [CentOS] "System error" when trying to logon via SSH to CentOS 8 joined to AD
On 05.04.2021 08:19, Orion Poplawski wrote: > On 3/23/21 12:09 AM, Konstantin Boyandin via CentOS wrote: >> Hello, >> >> I joined a CentOS 8 box to an AD, using the below document as general >> guide: >> >> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory >> (section 14.1) >> >> A problem: after I tried to log on via SSH (as an AD user) to the box, >> the journalctl gets the below records: >> >> March 23 12:41:01 sandbox.lan sshd[2262]: pam_sss(sshd:auth): >> authentication success; logname= uid=0 euid=0 tty=ssh ruser= >> rhost=10.10.0.55 user=username >> March 23 12:41:01 sandbox.lan sshd[2262]: pam_sss(sshd:account): Access > >> denied for user username: 4 (System error) >> March 23 12:41:01 sandbox.lan sshd[2262]: Failed password for username >> from 10.10.0.55 port 57610 ssh2 >> March 23 12:41:01 sandbox.lan sshd[2262]: fatal: Access denied for user > >> username by PAM account configuration [preauth] > > "System error" generally means an error internally to sssd. I would > turn up sssd debugging and check the sssd logs in /var/log/sssd. Also, > you'll probably get better support on the sssd list. Thanks for this and previous responses. I am trying to determine whether to look for further; as soon as I figure out where to look at, I could ask for more details (here, in sssd and/or Samba lists). -- Sincerely, Konstantin Boyandin system administrator (ProWide Labs Ltd. - IPHost Network Monitor) ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] "System error" when trying to logon via SSH to CentOS 8 joined to AD
On 3/23/21 12:09 AM, Konstantin Boyandin via CentOS wrote: Hello, I joined a CentOS 8 box to an AD, using the below document as general guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory (section 14.1) A problem: after I tried to log on via SSH (as an AD user) to the box, the journalctl gets the below records: March 23 12:41:01 sandbox.lan sshd[2262]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.0.55 user=username March 23 12:41:01 sandbox.lan sshd[2262]: pam_sss(sshd:account): Access denied for user username: 4 (System error) March 23 12:41:01 sandbox.lan sshd[2262]: Failed password for username from 10.10.0.55 port 57610 ssh2 March 23 12:41:01 sandbox.lan sshd[2262]: fatal: Access denied for user username by PAM account configuration [preauth] "System error" generally means an error internally to sssd. I would turn up sssd debugging and check the sssd logs in /var/log/sssd. Also, you'll probably get better support on the sssd list. -- Orion Poplawski he/him/his - surely the least important thing about me Manager of NWRA Technical Systems 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.com Boulder, CO 80301 https://www.nwra.com/ ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] "System error" when trying to logon via SSH to CentOS 8 joined to AD
On Apr 4, 2021, at 14:08, Gordon Messmer wrote:
>> $ cat /etc/krb5.conf
>> [libdefaults]
>> default_ccache_name = KEYRING:persistent:%{uid}
>
> Specifically, I thought that sssd defaults to KCM storage for kerberos
> credentials, not the kernel keyring. You might be seeing an SELinux
> deny due to non-default ccache storage.
Only if sssd-kcm is installed. Otherwise the keyring is default. I normally use
the keyring on my systems. No selinux issues there.
--
Jonathan Billings
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] "System error" when trying to logon via SSH to CentOS 8 joined to AD
On Mon, Mar 22, 2021 at 11:10 PM Konstantin Boyandin via CentOS
wrote:
> I joined a CentOS 8 box to an AD, using the below document as general
> guide:
How general? Can you describe what you've done that differed from the guide?
> When I comment a line in /etc/pam.d/password-auth (the one commented
> below), error goes away:
> #account [default=bad success=ok user_unknown=ignore] pam_sss.so
Have you checked /var/log/audit/audit.log for AVCs during login? I
suspect an SELinux error.
> $ cat /etc/krb5.conf
> [libdefaults]
> default_ccache_name = KEYRING:persistent:%{uid}
Specifically, I thought that sssd defaults to KCM storage for kerberos
credentials, not the kernel keyring. You might be seeing an SELinux
deny due to non-default ccache storage.
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] "System error" when trying to logon via SSH to CentOS 8 joined to AD
Hi Konstantin, Debugging login issues between SSD, PAM, and AD is not for the faint of heart. In my case I set up Samba 4.3 as a primary AD DC. I could login with Windows 10 guests but not C8. I just did the following. 1. I spun up a fresh C8 VM, did not add any users, selected a graphical desktop. 2. I added a new user into my AD domain (the one being served by Samba4) 3. When my VM booted, the "first boot" screen appeared. As I went through the steps, when it prompted me to add a user, I clicked on "Configure Enterprise Login" 4. The system automatically found my domain name. I entered the username/password I created. 5. The system prompted for the Domain Admin password, which I entered it. 6. After a few seconds. everything was set up, and I could ssh in to the box in question using the following (keeping in mind that capitalization is important, especially when it comes to AD domain names!): ssh -l j...@my-domain.as authtest-el8 I was able to login using this procedure. You might try the same thing, and then compare your pam, sssd, and krb5 config files with the fresh VM and the VM you are trying to get working. -JK On Tue, Mar 30, 2021 at 7:01 AM Konstantin Boyandin via CentOS < centos@centos.org> wrote: > Do I understand correctly that this problem > - is too trivial > - isn't in fact CentOS-related > - never happened to anyone else ? > > There are no good explanations as far as I see, to such PAM behavior. I > would appreciate advice on where else to ask about this (the mentioned > quick fix doesn't look too good). > > Thanks. > > Sincerely, > Konstantin > > On 23.03.2021 13:09, Konstantin Boyandin via CentOS wrote: > > Hello, > > > > I joined a CentOS 8 box to an AD, using the below document as general > > guide: > > > > > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory > > > (section 14.1) > > > > A problem: after I tried to log on via SSH (as an AD user) to the box, > > the journalctl gets the below records: > > > > March 23 12:41:01 sandbox.lan sshd[2262]: pam_sss(sshd:auth): > > authentication success; logname= uid=0 euid=0 tty=ssh ruser= > > rhost=10.10.0.55 user=username > > March 23 12:41:01 sandbox.lan sshd[2262]: pam_sss(sshd:account): Access > > denied for user username: 4 (System error) > > March 23 12:41:01 sandbox.lan sshd[2262]: Failed password for username > > from 10.10.0.55 port 57610 ssh2 > > March 23 12:41:01 sandbox.lan sshd[2262]: fatal: Access denied for user > > username by PAM account configuration [preauth] > > > > Quick and dirty fix: > > > > When I comment a line in /etc/pam.d/password-auth (the one commented > > below), error goes away: > > === /etc/pam.d/password-auth below > > auth > required pam_env.so > > authrequired pam_faildelay.so delay=200 > > auth[default=1 ignore=ignore success=ok] > pam_usertype.so > > isregular > > auth[default=1 ignore=ignore success=ok] pam_localuser.so > > auth > sufficient pam_unix.so > > nullok try_first_pass > > auth[default=1 ignore=ignore success=ok] > pam_usertype.so > > isregular > > auth > sufficient pam_sss.so > > forward_pass > > auth > required pam_deny.so > > > > account > required pam_unix.so > > account sufficient pam_localuser.so > > account > sufficient pam_usertype.so > > issystem > > #account [default=bad success=ok user_unknown=ignore] pam_sss.so > > account > required pam_permit.so > > > > passwordrequisite pam_pwquality.so try_first_pass local_users_only > > password > sufficient pam_unix.so > > sha512 shadow nullok try_first_pass use_authtok > > password > sufficient pam_sss.so > > use_authtok > > password > required pam_deny.so > > > > session > optional pam_keyinit.so > > revoke > > session > required pam_limits.so > > -session > optional pam_systemd.so > > session optional pam_oddjob_mkhomedir.so umask=0077 > > session [success=1 default=ignore] pam_succeed_if.so service in > > crond quiet use_uid > > session > required pam_unix.so > > session > optional pam_sss.so > > === /etc/pam.d/password-auth above > > > > If I understand correctly, the commented line means "account is invalid > > by default; if found in SSSD, it's good; if not found - ignore and > > proceed". Commenting it is not a good idea, but I
Re: [CentOS] "System error" when trying to logon via SSH to CentOS 8 joined to AD
Do I understand correctly that this problem - is too trivial - isn't in fact CentOS-related - never happened to anyone else ? There are no good explanations as far as I see, to such PAM behavior. I would appreciate advice on where else to ask about this (the mentioned quick fix doesn't look too good). Thanks. Sincerely, Konstantin On 23.03.2021 13:09, Konstantin Boyandin via CentOS wrote: > Hello, > > I joined a CentOS 8 box to an AD, using the below document as general > guide: > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory > (section 14.1) > > A problem: after I tried to log on via SSH (as an AD user) to the box, > the journalctl gets the below records: > > March 23 12:41:01 sandbox.lan sshd[2262]: pam_sss(sshd:auth): > authentication success; logname= uid=0 euid=0 tty=ssh ruser= > rhost=10.10.0.55 user=username > March 23 12:41:01 sandbox.lan sshd[2262]: pam_sss(sshd:account): Access > denied for user username: 4 (System error) > March 23 12:41:01 sandbox.lan sshd[2262]: Failed password for username > from 10.10.0.55 port 57610 ssh2 > March 23 12:41:01 sandbox.lan sshd[2262]: fatal: Access denied for user > username by PAM account configuration [preauth] > > Quick and dirty fix: > > When I comment a line in /etc/pam.d/password-auth (the one commented > below), error goes away: > === /etc/pam.d/password-auth below > auth required pam_env.so > auth required pam_faildelay.so delay=200 > auth [default=1 ignore=ignore success=ok] pam_usertype.so > isregular > auth [default=1 ignore=ignore success=ok] pam_localuser.so > auth sufficient pam_unix.so > nullok try_first_pass > auth [default=1 ignore=ignore success=ok] pam_usertype.so > isregular > auth sufficient pam_sss.so > forward_pass > auth required pam_deny.so > > account required pam_unix.so > account sufficient pam_localuser.so > account sufficient pam_usertype.so > issystem > #account [default=bad success=ok user_unknown=ignore] pam_sss.so > account required pam_permit.so > > password requisite pam_pwquality.so try_first_pass local_users_only > password sufficient pam_unix.so > sha512 shadow nullok try_first_pass use_authtok > password sufficient pam_sss.so > use_authtok > password required pam_deny.so > > session optional pam_keyinit.so > revoke > session required pam_limits.so > -session optional pam_systemd.so > session optional pam_oddjob_mkhomedir.so umask=0077 > session [success=1 default=ignore] pam_succeed_if.so service in > crond quiet use_uid > session required pam_unix.so > session optional pam_sss.so > === /etc/pam.d/password-auth above > > If I understand correctly, the commented line means "account is invalid > by default; if found in SSSD, it's good; if not found - ignore and > proceed". Commenting it is not a good idea, but I can't figure out > what's wrong (according to first line from jornalctl authentication *is* > passed normally). > > Additional data (AD domain in this example is EXAMPLE.COM): > > $ realm list > realm list > example.com > type: kerberos > realm-name: EXAMPLE.COM > domain-name: example.com > configured: kerberos-member > server-software: active-directory > client-software: sssd > required-package: oddjob > required-package: oddjob-mkhomedir > required-package: sssd > required-package: adcli > required-package: samba-common-tools > login-formats: %U > login-policy: allow-realm-logins > > $ cat /etc/sssd/sssd.conf > [sssd] > domains = example.com > config_file_version = 2 > services = nss, pam, ssh > debug_level = 9 > > [domain/example.com] > ad_domain = example.com > krb5_realm = EXAMPLE.COM > realmd_tags = manages-system joined-with-adcli > cache_credentials = True > id_provider = ad > krb5_store_password_if_offline = True > default_shell = /bin/bash > ldap_sasl_authid = SANDBOX$ > ldap_id_mapping = True > use_fully_qualified_names = False > ad_gpo_ignore_unreadable = True > fallback_homedir = /home/%u > access_provider = ad > debug_level = 9 > === end of /etc/sssd/sssd.conf > > $ cat /etc/krb5.conf > includedir /etc/krb5.conf.d/ > > [logging] > default = FILE:/var
[CentOS] "System error" when trying to logon via SSH to CentOS 8 joined to AD
Hello,
I joined a CentOS 8 box to an AD, using the below document as general
guide:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory
(section 14.1)
A problem: after I tried to log on via SSH (as an AD user) to the box,
the journalctl gets the below records:
March 23 12:41:01 sandbox.lan sshd[2262]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.10.0.55 user=username
March 23 12:41:01 sandbox.lan sshd[2262]: pam_sss(sshd:account): Access
denied for user username: 4 (System error)
March 23 12:41:01 sandbox.lan sshd[2262]: Failed password for username
from 10.10.0.55 port 57610 ssh2
March 23 12:41:01 sandbox.lan sshd[2262]: fatal: Access denied for user
username by PAM account configuration [preauth]
Quick and dirty fix:
When I comment a line in /etc/pam.d/password-auth (the one commented
below), error goes away:
=== /etc/pam.d/password-auth below
authrequired pam_env.so
authrequired
pam_faildelay.so delay=200
auth[default=1 ignore=ignore success=ok] pam_usertype.so
isregular
auth[default=1 ignore=ignore success=ok]
pam_localuser.so
authsufficient pam_unix.so
nullok try_first_pass
auth[default=1 ignore=ignore success=ok] pam_usertype.so
isregular
authsufficient pam_sss.so
forward_pass
authrequired pam_deny.so
account required pam_unix.so
account sufficient
pam_localuser.so
account sufficient pam_usertype.so
issystem
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
passwordrequisite
pam_pwquality.so try_first_pass local_users_only
passwordsufficient pam_unix.so
sha512 shadow nullok try_first_pass use_authtok
passwordsufficient pam_sss.so
use_authtok
passwordrequired pam_deny.so
session optional pam_keyinit.so
revoke
session required pam_limits.so
-sessionoptional pam_systemd.so
session optional
pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore]
pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
=== /etc/pam.d/password-auth above
If I understand correctly, the commented line means "account is invalid
by default; if found in SSSD, it's good; if not found - ignore and
proceed". Commenting it is not a good idea, but I can't figure out
what's wrong (according to first line from jornalctl authentication *is*
passed normally).
Additional data (AD domain in this example is EXAMPLE.COM):
$ realm list
realm list
example.com
type: kerberos
realm-name: EXAMPLE.COM
domain-name: example.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins
$ cat /etc/sssd/sssd.conf
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam, ssh
debug_level = 9
[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = SANDBOX$
ldap_id_mapping = True
use_fully_qualified_names = False
ad_gpo_ignore_unreadable = True
fallback_homedir = /home/%u
access_provider = ad
debug_level = 9
=== end of /etc/sssd/sssd.conf
$ cat /etc/krb5.conf
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
EXAMPLE.C
