On (15/01/15 12:57), [email protected] wrote:
>
> Platform is RHEL 6 Update 6.
>
> Relevant RPMs are:
>
> sssd-ad-1.11.6-30.el6.x86_64
> krb5-workstation-1.10.3-33.el6.x86_64
>
> PAM was set up using "authconfig --enablesssd --enablesssdauth
> --enablemkhomedir --update"
>
> I have test users successfully authenticating against a test domain server
> with both the test Linux RHEL6U6 box and the Windows 2008R2 AD server on
> an isolated subnet.
>
> After I log in to the RHEL6U6 box with an AD user via either ssh or via
> the console I cannot run 'su - <username>' to any other user, either AD
> based or local password file based. All I get is an 'incorrect password'
> error message.

That's interesting. Are you able to log in with ssh to the machine with two+
users in parallel sessions?
Is there anything interesting in /var/log/secure?

I can see you have enabled debugging in the domain section. You can filter
the most critical messages with the next grep command:

    grep -E "\(0x00[1-9]0\)" /var/log/sssd/sssd_CORPTEST.LOCAL.log

> My sssd.conf:
>
> [sssd]
>  config_file_version = 2
>  domains = CORPTEST.LOCAL
>  services = nss, pam
>  debug_level = 10
>  timeout = 300
>
> [domain/CORPTEST.LOCAL]
>
>  id_provider = ad
>  auth_provider = ad
>  access_provider = ad
>
>  debug_level = 10
>
>  ldap_id_mapping = False
>
>  default_shell = /bin/bash
>  fallback_homedir = /home/%u
>
>  use_fully_qualified_names = False
>
>
> nsswitch.conf has these lines for passwd, shadow and group:
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
>
> /etc/pam.d/system-auth-ac (not hand edited at all)
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_fprintd.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
>

nsswitch.conf and pam stack are configured correctly (due to authconfig).

> The sssd-ad package in rhel6 update 6 is fairly new and as such I've been
> able to find limited web resources about its config directives.
>

You can read Jakub's blog post.
"Enrolling an Active Directory RHEL-6 client machine using adcli"
http://jhrozek.livejournal.com/3581.html

LS

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
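An added example, not code from the thread: the grep suggested in the reply, wrapped together with a per-level summary of an SSSD domain log, so that a debug_level = 10 log can be triaged quickly. The level tags and their names are those documented in sssd.conf(5); the log path and the sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): triage an SSSD domain log by the
# debug-level tag SSSD puts on every message, "(0xNNNN):". Values per
# sssd.conf(5): 0x0010 fatal, 0x0020 critical, 0x0040 serious, 0x0080 minor,
# 0x0100 config, 0x0200 function data, 0x0400 operation trace.

# Print only the failure-class messages (the grep from the reply above).
sssd_critical() {
    grep -E '\(0x00[1-9]0\)' "$1"
}

# Map a level tag to its sssd.conf(5) name.
sssd_level_name() {
    case "$1" in
        0x0010) echo fatal ;;
        0x0020) echo critical ;;
        0x0040) echo serious ;;
        0x0080) echo minor ;;
        0x0100) echo config ;;
        0x0200) echo function ;;
        0x0400) echo trace ;;
        *)      echo other ;;
    esac
}

# Count messages per level: one "TAG NAME COUNT" line, e.g. "0x0040 serious 2".
sssd_level_counts() {
    sed -n 's/.*(\(0x[0-9A-Fa-f]\{4\}\)):.*/\1/p' "$1" | sort | uniq -c |
    while read -r count tag; do
        echo "$tag $(sssd_level_name "$tag") $count"
    done
}

# Constructed sample of what sssd_CORPTEST.LOCAL.log looks like at debug_level = 10.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
(Thu Jan 15 12:57:01 2015) [sssd[be[CORPTEST.LOCAL]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)]
(Thu Jan 15 12:57:02 2015) [sssd[be[CORPTEST.LOCAL]]] [sdap_cli_connect_recv] (0x0040): Unable to connect to the LDAP server
(Thu Jan 15 12:57:02 2015) [sssd[be[CORPTEST.LOCAL]]] [krb5_auth_done] (0x0020): The krb5_child process returned an error
(Thu Jan 15 12:57:03 2015) [sssd[be[CORPTEST.LOCAL]]] [be_pam_handler_callback] (0x0100): Sending result [7][CORPTEST.LOCAL]
(Thu Jan 15 12:57:04 2015) [sssd[be[CORPTEST.LOCAL]]] [sdap_cli_connect_recv] (0x0040): Unable to connect to the LDAP server
EOF

sssd_critical "$SAMPLE_LOG"
echo "--- per-level counts ---"
sssd_level_counts "$SAMPLE_LOG"
```

Run it against the real file by replacing SAMPLE_LOG with /var/log/sssd/sssd_CORPTEST.LOCAL.log; the three failure-class lines in the sample are what the grep keeps, the config and trace lines are what it drops.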
