What does getent passwd mahdavif give you? Also, what are your settings in /etc/nsswitch.conf?
On Mon, 23 Jul 2018 at 17:19, Farshid Mahdavipour <[email protected]> wrote:

> thanks Jakub,
> I set the log level to 6 in sssd.conf. here is the result:
>
> [root@azrclchefvm01 ~]# tail /var/log/sssd/*
>
> ==> /var/log/sssd/gpo_child.log <==
> (Mon Jul 23 13:50:58 2018) [[sssd[gpo_child[69656]]]] [main] (0x0020): gpo_child failed!
> (Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]] [main] (0x0400): gpo_child started.
> (Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]] [main] (0x0400): context initialized
> (Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]] [unpack_buffer] (0x0400): cached_gpt_version: -1
> (Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]] [main] (0x0400): performing smb operations
> (Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]] [copy_smb_file_to_gpo_cache] (0x0400): smb_uri: smb://srv_addcp001/SysVol/corp.example.com/Policies/{58C277F6-1C0E-4357-BFC7-47D7FC679B19}/GPT.INI
> (Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888]]]] [copy_smb_file_to_gpo_cache] (0x0020): smbc_getFunctionOpen failed [13][Permission denied]
> (Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888]]]] [perform_smb_operations] (0x0020): copy_smb_file_to_gpo_cache failed [13][Permission denied]
> (Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888]]]] [main] (0x0020): perform_smb_operations failed.[13][Permission denied].
> (Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888]]]] [main] (0x0020): gpo_child failed!
>
> ==> /var/log/sssd/krb5_child.log <==
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [main] (0x0400): Will perform online auth
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [CORP.example.COM]
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [validate_tgt] (0x0400): TGT verified using key for [[email protected]].
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [MAHDAVIF\@[email protected]] might not be correct.
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [switch_creds] (0x0200): Switch user to [39599][59900].
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [switch_creds] (0x0200): Already user [39599].
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [k5c_send_data] (0x0200): Received error code 0
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [main] (0x0400): krb5_child completed successfully
>
> ==> /var/log/sssd/ldap_child.log <==
> (Mon Jul 23 14:24:48 2018) [[sssd[ldap_child[70845]]]] [prepare_response] (0x0400): Building response for result [0]
> (Mon Jul 23 14:24:48 2018) [[sssd[ldap_child[70845]]]] [main] (0x0400): ldap_child completed successfully
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [main] (0x0400): ldap_child started.
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [unpack_buffer] (0x0200): Will run as [0][0].
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [become_user] (0x0200): Trying to become user [0][0].
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [become_user] (0x0200): Already user [0].
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [AZRCLCHEFVM01$@CORP.example.COM]
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [prepare_response] (0x0400): Building response for result [0]
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [main] (0x0400): ldap_child completed successfully
>
> ==> /var/log/sssd/sssd_corp.example.com.log <==
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): user: [email protected]
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): service: sshd
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): tty: ssh
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): ruser:
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): rhost: 172.17.253.11
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): authtok type: 0
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): priv: 1
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): cli_pid: 70882
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): logon name: not set
>
> ==> /var/log/sssd/sssd.log <==
> (Mon Jul 23 14:24:48 2018) [sssd] [sbus_conn_register_path] (0x0400): Registering object path /org/freedesktop/sssd/monitor with D-Bus connection
> (Mon Jul 23 14:24:48 2018) [sssd] [sbus_opath_hash_add_iface] (0x0400): Registering interface org.freedesktop.DBus.Properties with path /org/freedesktop/sssd/monitor
> (Mon Jul 23 14:24:48 2018) [sssd] [sbus_opath_hash_add_iface] (0x0400): Registering interface org.freedesktop.DBus.Introspectable with path /org/freedesktop/sssd/monitor
> (Mon Jul 23 14:24:48 2018) [sssd] [client_registration] (0x0100): Received ID registration: (pam,1)
> (Mon Jul 23 14:24:48 2018) [sssd] [mark_service_as_started] (0x0200): Marking pam as started.
> (Mon Jul 23 14:24:48 2018) [sssd] [client_registration] (0x0100): Received ID registration: (nss,1)
> (Mon Jul 23 14:24:48 2018) [sssd] [mark_service_as_started] (0x0200): Marking nss as started.
> (Mon Jul 23 14:24:48 2018) [sssd] [mark_service_as_started] (0x0400): All services have successfully started, creating pid file
> (Mon Jul 23 14:24:48 2018) [sssd] [notify_startup] (0x0400): Sending startup notification to systemd
> (Mon Jul 23 14:24:53 2018) [sssd] [services_startup_timeout] (0x0400): Handling timeout
>
> ==> /var/log/sssd/sssd_nss.log <==
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #4: Checking negative cache for [[email protected]]
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #4: [[email protected]] is not present in negative cache
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #4: Looking up [[email protected]] in cache
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #4: Returning [[email protected]] from cache
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #4: This request type does not support filtering result by negative cache
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #4: Found 1 entries in domain corp.example.com
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_done] (0x0400): CR #4: Finished: Success
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
>
> ==> /var/log/sssd/sssd_pam.log <==
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 70882
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_print_data] (0x0100): logon name: mahdavif
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][corp.example.com]
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 32
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
>
> On Mon, Jul 23, 2018 at 1:15 AM, Jakub Hrozek <[email protected]> wrote:
>
>> > On 22 Jul 2018, at 22:47, Farshid Mahdavipour <[email protected]> wrote:
>> >
>> > Hi,
>> >
>> > I have configured sssd.service to authenticate to AD on RHEL 7.5 and I have successfully joined the RHEL machine to AD.
>> > but I cannot log in to the machine with the AD account.
>> >
>> > here is the error when I try to log in with the AD credential:
>> > [email protected]'s password:
>> > Last login: Sun Jul 22 18:59:23 2018 from 172.17.253.11
>> > This account is currently not available.
>>
>> I honestly don't know without logs, see e.g.
>> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
>>
>> > Connection to 172.17.248.71 closed.
>> >
>> > here is the sssd.conf:
>> > # cat /etc/sssd/sssd.conf
>> > ad_server = srv_addcp001, srv_addcp002
>> > [sssd]
>> > domains = corp.example.com
>> > config_file_version = 2
>> > services = nss, pam
>> > [domain/corp.example.com]
>> > ad_domain = corp.example.com
>> > krb5_realm = CORP.example.com
>> > krb5_auth_timeout = 60
>> > realmd_tags = manages-system joined-with-adcli
>> > cache_credentials = True
>> > id_provider = ad
>> > krb5_store_password_if_offline = True
>> > default_shell = /bin/bash
>> > override_shell = /bin/bash
>> > ldap_id_mapping = False
>> > use_fully_qualified_names = False
>> > fallback_homedir = /home/%u@%d
>> > access_provider = ad
>> > ad_server = srv_addcp001, srv_addcp002
>> >
>> > here is the output of the realm list:
>> > # realm list
>> > corp.example.com
>> >   type: kerberos
>> >   realm-name: CORP.example.com
>> >   domain-name: corp.example.com
>> >   configured: kerberos-member
>> >   server-software: active-directory
>> >   client-software: sssd
>> >   required-package: oddjob
>> >   required-package: oddjob-mkhomedir
>> >   required-package: sssd
>> >   required-package: adcli
>> >   required-package: samba-common-tools
>> >   login-formats: %U
>> >   login-policy: allow-realm-logins
>> >
>> > This is the /var/log/secure when trying to log in:
>> > Jul 22 17:13:05 azrlvm003 sshd[7202]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.17.253.11 user=mahdavif
>> > Jul 22 17:13:05 azrlvm003 sshd[7202]: Accepted password for mahdavif from 172.17.253.11 port 41628 ssh2
>> > Jul 22 17:13:06 azrlvm003 sshd[7202]: pam_unix(sshd:session): session opened for user mahdavif by (uid=0)
>> > Jul 22 17:13:06 azrlvm003 sshd[7209]: Received disconnect from 172.17.253.11 port 41628:11: disconnected by user
>> > Jul 22 17:13:06 azrlvm003 sshd[7209]: Disconnected from 172.17.253.11 port 41628
>> > Jul 22 17:13:06 azrlvm003 sshd[7202]: pam_unix(sshd:session): session closed for user mahdavif
>>
>> And here pam_sss is not even called, but the user seems to be found by pam_unix. This might indicate that the user is also present in the passwd/group files, which is not recommended.
>>
>> > sssd --version
>> > 1.16.0
>> >
>> > I really appreciate it if you can help me.
>> > Thanks
>> > Farshid
>> > _______________________________________________
>> > sssd-users mailing list -- [email protected]
>> > To unsubscribe send an email to [email protected]
>> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/DFHOAB3FDTP5YTUZAZPUUNHOUN3YNVCM/
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
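The two checks asked for at the top of this message (a local passwd entry for the user, and the passwd lookup order in /etc/nsswitch.conf) can be scripted so they are repeatable across hosts. The script below is an added example, not code from the thread or from the SSSD project. It reads passwd-format and nsswitch.conf files directly rather than calling getent, so it can be exercised offline against constructed fixtures; on a live host `getent passwd mahdavif` remains the authoritative answer because it follows the configured lookup order. The user name and the fixture contents are constructed samples. The message "This account is currently not available." is what /sbin/nologin prints, so a local entry with that shell, found before sss is consulted, would produce the symptom reported above even though pam_sss authenticated the password.

```shell
#!/bin/sh
# Added diagnostic (example code, not from the thread or the SSSD project).
# Answers two questions without contacting the AD domain: does a local passwd
# entry shadow the AD user, and does nsswitch.conf consult "files" before "sss"?
# File paths default to the live system; pass other paths to test on fixtures.

# Print the lookup sources configured for the passwd database, e.g. "files sss".
nss_passwd_order() {
    sed -n 's/^passwd:[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 when "files" is consulted before "sss" for passwd lookups, so a
# local entry wins and override_shell in sssd.conf never applies to that user.
files_before_sss() {
    case "$(nss_passwd_order "$1")" in
        *files*sss*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the login shell of user $1 from the passwd-format file $2 (nothing if absent).
local_passwd_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$2"
}

# Return 0 for shells that refuse interactive logins. /sbin/nologin prints
# "This account is currently not available." and exits.
is_nologin_shell() {
    case "$1" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Verdict for one user, printed as a single token:
#   local-nologin:<shell>  local entry with a non-login shell (matches the symptom)
#   local:<shell>          local entry with a usable shell
#   not-local              no local entry; resolution falls through to sss
diagnose_user() {
    user=$1
    passwd_file=${2:-/etc/passwd}
    shell=$(local_passwd_shell "$user" "$passwd_file")
    if [ -z "$shell" ]; then
        printf 'not-local\n'
    elif is_nologin_shell "$shell"; then
        printf 'local-nologin:%s\n' "$shell"
    else
        printf 'local:%s\n' "$shell"
    fi
}

# Constructed fixtures (sample data, not the poster's files): the AD user also
# defined locally with a nologin shell, and the default RHEL lookup order.
make_fixtures() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mahdavif:x:1001:1001::/home/mahdavif:/sbin/nologin
EOF
    cat > "$dir/nsswitch.conf" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files sss
EOF
    printf '%s\n' "$dir"
}

# When run directly with a user name, inspect the live system:
#   sh check_shadowed_user.sh mahdavif
if [ "$#" -ge 1 ]; then
    diagnose_user "$1"
    printf 'passwd lookup order: %s\n' "$(nss_passwd_order /etc/nsswitch.conf)"
    files_before_sss /etc/nsswitch.conf && echo 'files is consulted before sss'
fi
```

Run with the user name as the only argument to inspect the live host. A `local-nologin:` verdict together with `files` listed before `sss` means the local entry, not the AD entry, is what login resolves, which is the situation Jakub suspects from the pam_unix session line in /var/log/secure; removing or renaming the local entry (after confirming nothing else depends on it) lets the sss lookup and override_shell take effect.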
