On Wed, Mar 21, 2018 at 10:30 AM, Sumit Bose <sb...@redhat.com> wrote:
> On Wed, Mar 21, 2018 at 07:08:42AM -0700, Richard Sharpe wrote:
>> On Wed, Mar 21, 2018 at 1:26 AM, Sumit Bose <sb...@redhat.com> wrote:
>> > On Tue, Mar 20, 2018 at 06:17:11PM -0700, Richard Sharpe wrote:
>> >> On Tue, Mar 20, 2018 at 1:16 AM, Sumit Bose <sb...@redhat.com> wrote:
>> >> > On Mon, Mar 19, 2018 at 04:45:12PM -0700, Richard Sharpe wrote:
>> >> >> Hi folks,
>> >> >>
>> >> >> It seems that once we are joined to a domain, ssh logins with local
>> >> >> accounts no longer work. When we unjoin from the domain, they start
>> >> >> working again.
>> >> >>
>> >> >> When not joined to a domain our sssd.conf file looks like this:
>> >> >>
>> >> >> [sssd]
>> >> >> services = nss, pac
>> >> >> domains =
>> >> >> config_file_version = 2
>> >> >>
>> >> >> When joined to a domain, our sssd.conf file looks like this:
>> >> >>
>> >> >> [sssd]
>> >> >> services = nss, pac
>> >> >> domains = win.ad.test
>> >> >> config_file_version = 2
>> >> >>
>> >> >> [domain/win.ad.test]
>> >> >> ad_domain = win.ad.test
>> >> >> krb5_realm = WIN.AD.TEST
>> >> >> realmd_tags = manages-system joined-with-samba
>> >> >> cache_credentials = True
>> >> >> id_provider = ad
>> >> >> default_shell = /bin/bash
>> >> >> ldap_sasl_authid = PD00050568C6FE8$
>> >> >> ldap_id_mapping = False
>> >> >> use_fully_qualified_names = True
>> >> >> fallback_homedir = /home/%u@%d
>> >> >> access_provider = ad
>> >> >> ad_hostname = PD00050568C6FE8.win.ad.test
>> >> >> dyndns_update = False
>> >> >> ldap_schema = rfc2307bis
>> >> >> -------------------------------
>> >> >>
>> >> >> Does anyone have any ideas on how to allow local ssh logins when
>> >> >> joined to a domain?
>> >> >
>> >> > What does your PAM configuration (e.g. /etc/pam.d/sshd and all included
>> >> > files) look like?
>> >>
>> >> What I now know after running sshd with -ddd is this:
>> >>
>> >> ---------
>> >> debug3: monitor_read: checking request 12
>> >> debug3: PAM: sshpam_passwd_conv called with 1 messages
>> >> debug1: PAM: password authentication failed for special2:
>> >> Authentication failure
>> >> debug3: mm_answer_authpassword: sending result 0
>> >> debug3: mm_request_send entering: type 13
>> >> Failed password for special2 from ::1 port 39826 ssh2
>> >> debug3: mm_auth_password: user not authenticated [preauth]
>> >> ---------
>> >>
>> >> When not joined to a domain, we see:
>> >>
>> >> ---------
>> >> debug3: mm_request_receive entering
>> >> debug3: monitor_read: checking request 12
>> >> debug3: PAM: sshpam_passwd_conv called with 1 messages
>> >> debug1: PAM: password authentication accepted for special2
>> >> debug3: mm_answer_authpassword: sending result 1
>> >> debug3: mm_request_send entering: type 13
>> >> debug3: mm_request_receive_expect entering: type 102
>> >> debug3: mm_request_receive entering
>> >> ----------
>> >>
>> >> So, now I need to debug PAM, but can't seem to find anything good on how
>> >> to do that.
>> >
>> > What does /etc/pam.d/password-auth look like?
>> >
>> > I would suggest checking the PAM messages in /var/log/secure or in the
>> > journalctl output to see which PAM module returns the error. For local
>> > users only pam_unix should be involved.
>>
>> Well, this is all journalctl shows at the moment:
>>
>> Mar 21 14:02:58
>> richardsha-dd1-protocols-190318203132495.lab.primarydata.com
>> sshd[3438]: Failed password for special2 from ::1 port 39646 ssh2
>
> I can see this type of error message only if I remove 'UsePAM yes' from
> /etc/ssh/sshd_config.
> With this option I get messages like:
>
> Mär 21 18:26:08 ipaserver.rhel74.devel unix_chkpwd[7421]: password check
> failed for user (testuser)
> Mär 21 18:26:08 ipaserver.rhel74.devel sshd[7420]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1
> user=testuser
> Mär 21 18:26:08 ipaserver.rhel74.devel sshd[7420]: pam_sss(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1
> user=testuser
> Mär 21 18:26:08 ipaserver.rhel74.devel sshd[7420]: pam_sss(sshd:auth):
> received for user testuser: 10 (User not known to the underlying
> authentication module)
> Mär 21 18:26:10 ipaserver.rhel74.devel sshd[7418]: error: PAM: Authentication
> failure for testuser from ::1
After a lot of digging, I have found:

1. We have not changed UsePAM to no. It is still at UsePAM yes.
2. The /etc/pam.d/* files are stock standard.
3. However, unknown to me, we have a modified version of pam_unix.so.

The changes that are made to /etc/pam.d/password-auth-ac when we use
realm join (I assume) are causing the problem. We do not need to enable
domain-based logins via ssh, so is there some way to stop authconfig or
whatever it is from rewriting /etc/pam.d/password-auth-ac?

--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操) [How to dispel sorrow? Only Du Kang. -- Cao Cao]
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
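The check Sumit suggests in the thread (look at which PAM module logs the failure, since for a local user only pam_unix should be involved) as an added shell example; this is not code from the thread or from SSSD. The sample log lines are constructed here, modelled on the journal output Sumit quoted, and the function names pam_log, pam_failures and pam_diagnose and the PAM_LOG_FILE variable are this example's own. It separates a pam_unix rejection (local password) from a pam_sss one (SSSD/domain lookup), and flags the case Sumit described where sshd logs "Failed password" but no PAM module logs anything at all.

```shell
#!/bin/sh
# Added example (not from the thread or SSSD): find which PAM module rejected
# a user in journalctl / /var/log/secure output.
#
# SAMPLE_LOG is constructed for this example, modelled on the lines quoted in
# the thread; it is not a real capture. Set PAM_LOG_FILE to a file holding
# real output (e.g. journalctl -u sshd > /tmp/sshd.log) to analyse that instead.

SAMPLE_LOG='Mar 21 18:26:08 host unix_chkpwd[7421]: password check failed for user (testuser)
Mar 21 18:26:08 host sshd[7420]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=testuser
Mar 21 18:26:08 host sshd[7420]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=testuser
Mar 21 18:26:08 host sshd[7420]: pam_sss(sshd:auth): received for user testuser: 10 (User not known to the underlying authentication module)
Mar 21 18:26:10 host sshd[7418]: error: PAM: Authentication failure for testuser from ::1
Mar 21 14:02:58 host sshd[3438]: Failed password for special2 from ::1 port 39646 ssh2'

# pam_log: emit the log lines to analyse (PAM_LOG_FILE if set, else the sample).
pam_log() {
    if [ -n "${PAM_LOG_FILE:-}" ]; then
        cat -- "$PAM_LOG_FILE"
    else
        printf '%s\n' "$SAMPLE_LOG"
    fi
}

# pam_failures USER: print one "module(service:type)" per PAM module that
# logged an "authentication failure" for USER, in log order.
pam_failures() {
    pam_log | awk -v u="$1" '
        $0 ~ ("authentication failure;.*[ ]user=" u "$") {
            if (match($0, /pam_[A-Za-z0-9_]+\([^)]*\)/))
                print substr($0, RSTART, RLENGTH)
        }'
}

# pam_diagnose USER: one-line verdict.
#   "no-failures"      nothing logged for USER
#   "no-pam-messages"  sshd logged "Failed password" but no PAM module did;
#                      in the thread that pattern appeared only when UsePAM
#                      was not in effect
#   otherwise          the space-separated list of failing modules, so
#                      "pam_unix(sshd:auth)" alone means the local password
#                      check itself failed, while pam_sss alongside it means
#                      the SSSD stack was also consulted for the user
pam_diagnose() {
    mods=$(pam_failures "$1" | tr '\n' ' ')
    mods=${mods% }
    if [ -n "$mods" ]; then
        printf '%s\n' "$mods"
    elif pam_log | grep -q "Failed password for $1 from"; then
        printf 'no-pam-messages\n'
    else
        printf 'no-failures\n'
    fi
}

# Usage against the embedded sample:
#   pam_diagnose testuser   -> pam_unix(sshd:auth) pam_sss(sshd:auth)
#   pam_diagnose special2   -> no-pam-messages
```

Run it with PAM_LOG_FILE pointing at saved journal output and the user that cannot log in; if pam_unix is the module reporting the failure for a purely local account, the next place to look is the pam_unix.so in use and the /etc/pam.d/password-auth-ac stack that realm join rewrote, which is exactly where Richard's digging ended up.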