I’ve been testing sssd with realmd to connect to Active Directory (on Windows 2012 R2). I’ve managed to get most of the functionality working OK, including GPO filters to manage user access.
However, when the user fails to log in due to GPO rules, it doesn't give any meaningful message; it just drops the SSH connection, e.g.:

    [~]$ ssh bob@jr-centos
    bob@jr-centos's password:
    Connection closed by 192.168.56.11
    [~]$

The target host logs this in /var/log/secure:

    Jan 12 11:20:41 jr-centos sshd[2892]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=[REDACTED] user=bob
    Jan 12 11:20:41 jr-centos sshd[2892]: pam_sss(sshd:account): Access denied for user bob: 6 (Permission denied)
    Jan 12 11:20:41 jr-centos sshd[2892]: Failed password for bob from 192.168.56.98 port 45070 ssh2
    Jan 12 11:20:41 jr-centos sshd[2892]: fatal: Access denied for user bob by PAM account configuration [preauth]

Operating system is CentOS 7.3.1611. SSSD software versions:

    [root@jr-centos tmp]# rpm -qa | grep sssd
    sssd-common-pac-1.14.0-43.el7_3.4.x86_64
    sssd-krb5-common-1.14.0-43.el7_3.4.x86_64
    sssd-krb5-1.14.0-43.el7_3.4.x86_64
    sssd-ad-1.14.0-43.el7_3.4.x86_64
    sssd-client-1.14.0-43.el7_3.4.x86_64
    sssd-common-1.14.0-43.el7_3.4.x86_64

To be clear, the configuration is working fine. I don't expect bob to get access to the jr-centos server, and I can get user "bob" to log in if I add him to the relevant AD group. However, the abrupt SSH disconnection is not very user friendly, and something like "Access denied due to policy" or whatever would be more useful.

Is the lack of a useful (any) message due to something in my environment, or does this require a feature request/improvement?

John Riddoch
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
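The log excerpt in the post above shows a point worth checking on the monitoring side: a GPO policy denial is logged by sshd as "Failed password for bob", the same line a wrong password produces, and only the preceding pam_sss(sshd:account) line tells the two apart. The following is an added example (not part of the original post or of the sssd project) that groups /var/log/secure lines by sshd process id and classifies each connection attempt as a policy denial or a credential failure. The sample log is constructed: the four pid 2892 lines are copied from the post, and the pid 2999 lines are a hypothetical bad-password attempt added so both outcomes appear.

```python
import re
from collections import defaultdict

# Constructed sample log. Lines for pid 2892 are the ones quoted in the post;
# lines for pid 2999 are a hypothetical wrong-password attempt (assumed format).
SAMPLE_SECURE_LOG = """\
Jan 12 11:20:41 jr-centos sshd[2892]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=[REDACTED] user=bob
Jan 12 11:20:41 jr-centos sshd[2892]: pam_sss(sshd:account): Access denied for user bob: 6 (Permission denied)
Jan 12 11:20:41 jr-centos sshd[2892]: Failed password for bob from 192.168.56.98 port 45070 ssh2
Jan 12 11:20:41 jr-centos sshd[2892]: fatal: Access denied for user bob by PAM account configuration [preauth]
Jan 12 11:25:03 jr-centos sshd[2999]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[REDACTED] user=bob
Jan 12 11:25:03 jr-centos sshd[2999]: Failed password for bob from 192.168.56.98 port 45071 ssh2
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
FAILED_PW_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+)")


def group_by_pid(text):
    """Collect sshd messages per process id; one pid is one connection attempt."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[m.group("pid")].append(m.group("msg"))
    return sessions


def classify_attempt(msgs):
    """Decide why an attempt failed from the PAM lines sshd emitted for it."""
    auth_ok = any("pam_sss(sshd:auth): authentication success" in m for m in msgs)
    account_denied = any("pam_sss(sshd:account): Access denied" in m for m in msgs)
    failed_pw = next((FAILED_PW_RE.match(m) for m in msgs if FAILED_PW_RE.match(m)), None)

    if failed_pw is None:
        return None  # not a failed login (or not enough lines to tell)
    result = {"user": failed_pw.group("user"), "rhost": failed_pw.group("rhost")}
    if auth_ok and account_denied:
        # Password was correct; the account phase (GPO / access control) refused it.
        result["reason"] = "policy_denied"
    elif not auth_ok:
        # No successful auth phase: a genuine credential failure.
        result["reason"] = "bad_credentials"
    else:
        result["reason"] = "unknown"
    return result


def classify_log(text):
    """Map each sshd pid with a failed login to its classification."""
    out = {}
    for pid, msgs in group_by_pid(text).items():
        verdict = classify_attempt(msgs)
        if verdict is not None:
            out[pid] = verdict
    return out


if __name__ == "__main__":
    for pid, v in sorted(classify_log(SAMPLE_SECURE_LOG).items()):
        print(f"sshd[{pid}] user={v['user']} rhost={v['rhost']} reason={v['reason']}")
```

Grouping on the sshd pid matters because the four lines of one attempt are only related by that number; a rule that fires on "Failed password" alone would count policy denials as brute-force noise, and a rule that fires on the pam_sss account line alone would not know the password was in fact correct.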
