Package: sssd
Version: 1.11.7-3
Severity: important

Hi,

I have SSSD configured to use the simple access provider and have restricted which Active Directory groups can log in:

$ tail /etc/sssd/sssd.conf
access_provider = simple
simple_allow_groups = linux_domain_users

When I try to log in using SSH with a user who is a member of that group, the connection closes on the server side and this error appears in sssd's log file:

[simple_check_process_group] (0x0020): There is no domain information for SID S-1-5-21-3129309019-3453757689-3676435247-1105

However, getent seems to work fine:

$ getent passwd bob
bob:*:1311401108:1311400513:Bob:/home/testing.home/bob:/bin/bash
$ getent group linux_domain_users
linux_domain_users:*:1311401105:bob

I am also able to su into the account as the root user.

SSSD logs from /var/log/sssd/sssd_testing.home.log:

(Sun Sep 25 17:59:46 2016) [sssd[be[testing.home]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bob]
(Sun Sep 25 17:59:46 2016) [sssd[be[testing.home]]] [sysdb_idmap_store_mapping] (0x0100): Adding new ID mapping [S-1-5-21-3129309019-3453757689-3676435247][S-1-5-21-3129309019-3453757689-3676435247][6556]
(Sun Sep 25 17:59:46 2016) [sssd[be[testing.home]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bob]
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [sysdb_store_group] (0x0080): A group with the same GID [1311400513] was removed from the cache
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [be_pam_handler] (0x0100): Got request with the following data
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): domain: testing.home
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): user: bob
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): service: sshd
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): tty: ssh
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): ruser:
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): rhost: ::1
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): authtok type: 1
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): newauthtok type: 0
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): priv: 1
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): cli_pid: 5198
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [be_resolve_server_process] (0x0200): Found address for server addc.testing.home: [10.200.1.10] TTL 3600
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'addc.testing.home' as 'working'
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [set_server_common_status] (0x0100): Marking server 'addc.testing.home' as 'working'
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [simple_bind_send] (0x0100): Executing simple bind as: CN=Bob,CN=Users,DC=testing,DC=home
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [sdap_pam_auth_done] (0x0100): Password successfully cached for bob
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [be_pam_handler_callback] (0x0100): Sending result [0][testing.home]
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [be_pam_handler_callback] (0x0100): Sent result [0][testing.home]
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [be_pam_handler] (0x0100): Got request with the following data
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): domain: testing.home
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): user: bob
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): service: sshd
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): tty: ssh
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): ruser:
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): rhost: ::1
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): authtok type: 0
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): newauthtok type: 0
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): priv: 1
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): cli_pid: 5198
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [simple_access_obtain_filter_lists] (0x0200): Allow users list is empty.
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [simple_access_obtain_filter_lists] (0x0200): Deny users list is empty.
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [simple_access_obtain_filter_lists] (0x0200): Deny groups list is empty.
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [simple_access_check_send] (0x0200): Simple access check for bob
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [simple_check_process_group] (0x0020): There is no domain information for SID S-1-5-21-3129309019-3453757689-3676435247-1105
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [be_pam_handler_callback] (0x0100): Sending result [6][testing.home]
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [be_pam_handler_callback] (0x0100): Sent result [6][testing.home]

SSHD logs from /var/log/auth.log:

Sep 25 17:59:49 debian-8 sshd[15919]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=bob
Sep 25 17:59:49 debian-8 sshd[15919]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=bob
Sep 25 17:59:49 debian-8 sshd[15919]: pam_sss(sshd:account): Access denied for user bob: 6 (Permission denied)
Sep 25 17:59:49 debian-8 sshd[15919]: Failed password for bob from 127.0.0.1 port 36081 ssh2
Sep 25 17:59:49 debian-8 sshd[15919]: fatal: Access denied for user bob by PAM account configuration [preauth]

I am using Debian GNU/Linux 8 (jessie) and kernel 3.16.7-ckt20-1+deb8u4. I have the exact same configuration set on CentOS 6 and 7, Ubuntu 14.04 and 16.04, and Fedora 24. Only observed this issue on Debian 8.3.
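The report's numbers fit together in a way worth checking before chasing the access-provider bug: the "Adding new ID mapping" line records the AD domain SID in slice 6556, and with SSSD's default ldap_idmap_range_min and ldap_idmap_range_size of 200000 each, that slice starts at 200000 + 6556 * 200000 = 1311400000. Every ID in the getent output is that base plus a RID: 1105 for linux_domain_users (the SID in the error message), 513 for bob's primary group, 1108 for bob. The following script is an added example, not part of the bug report and not SSSD's own code; it reimplements only the per-slice arithmetic (the slice number is read from the log line rather than derived from SSSD's hash), assumes the default range options since the sssd.conf excerpt does not show them, and treats the bracket layout of the log line as [name][domain SID][slice]. The RIDs 1108 and 513 are inferred from the getent IDs; the sample log line is copied from the report.

```python
import re

# SSSD defaults for ldap_idmap_range_min and ldap_idmap_range_size.
# Assumption: the report's sssd.conf excerpt does not show these options,
# so the documented defaults are assumed.
IDMAP_RANGE_MIN = 200000
IDMAP_RANGE_SIZE = 200000

# An NT domain SID, with or without a trailing RID.
_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-(\d+))?$")

# Constructed input: the sysdb_idmap_store_mapping line quoted in the report.
IDMAP_LOG_LINE = (
    "(Sun Sep 25 17:59:46 2016) [sssd[be[testing.home]]] [sysdb_idmap_store_mapping] "
    "(0x0100): Adding new ID mapping [S-1-5-21-3129309019-3453757689-3676435247]"
    "[S-1-5-21-3129309019-3453757689-3676435247][6556]"
)


def split_sid(sid):
    """Return (domain_sid, rid); rid is None when `sid` is itself a domain SID."""
    m = _SID_RE.match(sid)
    if m is None:
        raise ValueError("not an NT domain SID: %r" % (sid,))
    if m.group(1) is None:
        return sid, None
    return sid.rsplit("-", 1)[0], int(m.group(1))


def parse_idmap_log_line(line):
    """Pull (domain_sid, slice) out of an 'Adding new ID mapping [..][..][n]' line.

    Assumption: the bracket order is [name][domain SID][slice], read from the
    shape of the line in the report; the second field is taken as the SID.
    """
    m = re.search(r"Adding new ID mapping \[[^\]]*\]\[([^\]]+)\]\[(\d+)\]", line)
    if m is None:
        raise ValueError("no ID mapping in line")
    domain_sid, rid = split_sid(m.group(1))
    if rid is not None:
        raise ValueError("expected a domain SID, got object SID %s" % m.group(1))
    return domain_sid, int(m.group(2))


def sid_to_posix_id(sid, slices):
    """Map an object SID to a POSIX ID the way SSSD's algorithmic idmap does:
    id = range_min + slice * range_size + RID, with `slices` mapping each known
    domain SID to its slice number.  A domain SID missing from `slices` is the
    situation the report's 'no domain information for SID' message describes,
    modelled here as a LookupError."""
    domain_sid, rid = split_sid(sid)
    if rid is None:
        raise ValueError("need an object SID with a RID, got domain SID %s" % sid)
    if domain_sid not in slices:
        raise LookupError("no domain information for SID %s" % sid)
    if not 0 <= rid < IDMAP_RANGE_SIZE:
        raise ValueError("RID %d does not fit in one slice of %d" % (rid, IDMAP_RANGE_SIZE))
    return IDMAP_RANGE_MIN + slices[domain_sid] * IDMAP_RANGE_SIZE + rid


# Slice table as the report's log line records it: one AD domain in slice 6556.
REPORT_SLICES = dict([parse_idmap_log_line(IDMAP_LOG_LINE)])

# IDs from the report's getent output, keyed by the SID they should map from.
# RID 1105 is the SID in the error message; 1108 and 513 are inferred from the
# UID and primary GID (513 is the well-known Domain Users RID).
REPORT_IDS = {
    "S-1-5-21-3129309019-3453757689-3676435247-1108": 1311401108,  # bob's UID
    "S-1-5-21-3129309019-3453757689-3676435247-513": 1311400513,  # bob's primary GID
    "S-1-5-21-3129309019-3453757689-3676435247-1105": 1311401105,  # linux_domain_users GID
}


def verify_report_ids(slices=REPORT_SLICES, expected=REPORT_IDS):
    """True when every getent ID in the report equals the computed mapping."""
    return all(sid_to_posix_id(sid, slices) == posix_id
               for sid, posix_id in expected.items())


if __name__ == "__main__":
    for sid, posix_id in REPORT_IDS.items():
        print("%s -> %d (getent: %d)" % (sid, sid_to_posix_id(sid, REPORT_SLICES), posix_id))
    try:
        sid_to_posix_id("S-1-5-21-1-2-3-1105", REPORT_SLICES)
    except LookupError as err:
        print("unknown domain:", err)
```

Because all three getent IDs reproduce from the single slice entry, the ID mapping itself is consistent; the failure is confined to the simple access provider's lookup of the group SID's domain at PAM_ACCT_MGMT time, which is why authentication succeeds and only the account phase returns 6.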