Hello, I've set up a one-way trust to an Active Directory domain. Things seem to roughly work, but something's missing.
Can any kind soul spot a problem with my configuration, or advise on how to further troubleshoot?

Facts:
- An AD user gets 'Access denied' when SSH'ing by password to the FreeIPA host. This is my concern.
- This AD user has not been locked out.
- getent passwd succeeds for the AD user.
- A FreeIPA user can successfully SSH by password to the same FreeIPA host.
- That FreeIPA user can then successfully kinit as the AD user (the same AD user denied above).
- HBAC is set to the default allow_all rule, which is enabled. Running the HBAC Test tool on the AD user confirms that they are authorized for sshd.

This tells me something is awry in sssd.conf or sshd_config or pam.d or HBAC.

Thanks,
Erik

I've got sssd debug to 9. Here's some output:

(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_fo_reset_svc] (0x1000): Resetting all servers in service na.bazzlegroup.com
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'na.bazzlegroup.com' as 'neutral'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_server_common_status] (0x0100): Marking server 'deda9w1004.na.bazzlegroup.com' as 'name not resolved'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'deda9w1004.na.bazzlegroup.com' as 'neutral'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'deda9w1004.na.bazzlegroup.com' as 'neutral'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'na.bazzlegroup.com' as 'neutral'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_server_common_status] (0x0100): Marking server 'usbe9w2003.na.bazzlegroup.com' as 'name not resolved'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'usbe9w2003.na.bazzlegroup.com' as 'neutral'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'usbe9w2003.na.bazzlegroup.com' as 'neutral'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_subdom_offline] (0x4000): Subdomain already inactive
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [1432158262]: Subdomain is inactive.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 1432158262
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_account_info_error_text] (0x0020): Bug: dp_error is OK on failed request
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158262,Account info lookup failed
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f3bf48f92c0
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sbus_dispatch] (0x4000): Dispatching.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_req_set_domain] (0x0400): Changing request domain from [platform.schlitz] to [na.bazzlegroup.com]
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): domain: na.bazzlegroup.com
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): user: MRFUN@na.bazzlegroup.com
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): service: sshd
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): tty: ssh
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): ruser:
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): rhost: 172.27.246.142
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): authtok type: 1
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): priv: 1
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): cli_pid: 9864
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): logon name: not set
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [MRFUN@na.bazzlegroup.com] is empty, running request [0x7f3bf4928fb0] immediately.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_setup] (0x4000): No mapping for: MRFUN@na.bazzlegroup.com
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f3bf48ff0a0
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f3bf498a870
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Running timer event 0x7f3bf48ff0a0 "ltdb_callback"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Destroying timer event 0x7f3bf498a870 "ltdb_timeout"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Ending timer event 0x7f3bf48ff0a0 "ltdb_callback"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [get_server_status] (0x1000): Status of server 'ipafour.platform.schlitz' is 'working'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [get_port_status] (0x1000): Port status of port 0 for server 'ipafour.platform.schlitz' is 'working'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [get_server_status] (0x1000): Status of server 'ipafour.platform.schlitz' is 'working'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_resolve_server_process] (0x0200): Found address for server ipafour.platform.schlitz: [172.30.8.119] TTL 7200
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://ipafour.platform.schlitz'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_auth_resolve_done] (0x2000): Subdomain na.bazzlegroup.com is inactive, will proceed off line
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [9892]
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [9892]
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [write_pipe_handler] (0x0400): All data has been sent!
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [child_sig_handler] (0x1000): Waiting for child [9892].
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [child_sig_handler] (0x0100): child [9892] finished successfully.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [parse_krb5_child_response] (0x1000): child response [0][3][40].
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_WORKING. Called from: src/providers/krb5/krb5_auth.c: krb5_auth_done: 1039
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipafour.platform.schlitz' as 'working'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_server_common_status] (0x0100): Marking server 'ipafour.platform.schlitz' as 'working'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'ipafour.platform.infochimps' as 'working'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:456139433] for user [MRFUN@na.bazzlegroup.com].
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f3bf498c360
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f3bf498c420
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Running timer event 0x7f3bf498c360 "ltdb_callback"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Destroying timer event 0x7f3bf498c420 "ltdb_timeout"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Ending timer event 0x7f3bf498c360 "ltdb_callback"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f3bf498c130
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f3bf491f660
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Running timer event 0x7f3bf498c130 "ltdb_callback"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Destroying timer event 0x7f3bf491f660 "ltdb_timeout"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Ending timer event 0x7f3bf498c130 "ltdb_callback"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sysdb_cache_auth] (0x4000): Offline credentials expiration is [0] days.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [check_failed_login_attempts] (0x4000): Failed login attempts [0], allowed failed login attempts [0], failed login delay [5].
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sysdb_cache_auth] (0x0100): Cached credentials not available.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): cancel ldb transaction (nesting: 0)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_auth_cache_creds] (0x0020): Offline authentication failed
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [check_wait_queue] (0x1000): Wait queue for user [MRFUN@na.bazzlegroup.com] is empty.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f3bf4928fb0] done.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success (Permission denied)]
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_pam_handler_callback] (0x0100): Sending result [6][na.bazzlegroup.com]
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_pam_handler_callback] (0x0100): Sent result [6][na.bazzlegroup.com]

My sssd.conf:

[domain/platform.schlitz]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = platform.schlitz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipafour.platform.schlitz
chpass_provider = ipa
ipa_server = ipafour.platform.schlitz
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa
[sssd]
services = nss, sudo, pam, ssh, pac
config_file_version = 2
debug_level = 9
domains = platform.schlitz
[nss]
memcache_timeout = 600
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]

sshd_config:

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPICleanupCredentials no
X11Forwarding yes
UsePrivilegeSeparation sandbox # Default for new installations.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
GSSAPIAuthentication yes

/etc/pam.d/sshd:

auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare

/etc/pam.d/password-auth:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
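The failure chain buried in the sssd output above (AD domain controllers marked 'name not resolved', the trusted subdomain taken offline, the offline fallback finding no cached credentials, and PAM status 6 returned to sshd) can be pulled out mechanically. This is an added example, not code from the original post or from the sssd project; it assumes the `(timestamp) [process] [function] (level): message` line layout shown above, and the sample lines it runs on are constructed to mirror that output.

```python
import re

# Shape of an sssd debug line: (timestamp) [process] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.*?)\] \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

def parse(line):
    """Return the line's fields as a dict, or None if it is not an sssd debug line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def diagnose(lines):
    """Collect the evidence for a trusted-AD user being denied because the
    backend went offline: unresolvable DCs, the subdomain marked offline,
    missing cached credentials, and the PAM status handed back to the client."""
    report = {"unresolved_servers": [], "offline_subdomain": None,
              "cached_creds_missing": False, "pam_status": None}
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            continue                      # not an sssd debug line, skip it
        func, msg = rec["func"], rec["msg"]
        m = re.search(r"Marking server '([^']+)' as 'name not resolved'", msg)
        if func == "set_server_common_status" and m:
            report["unresolved_servers"].append(m.group(1))
        m = re.search(r"Marking subdomain (\S+) offline", msg)
        if func == "be_mark_dom_offline" and m:
            report["offline_subdomain"] = m.group(1)
        if func == "sysdb_cache_auth" and "Cached credentials not available" in msg:
            report["cached_creds_missing"] = True
        m = re.search(r"Backend returned: \(\d+, (\d+),", msg)
        if func == "be_pam_handler_callback" and m:
            report["pam_status"] = int(m.group(1))   # 6 == PAM_PERM_DENIED
    if report["unresolved_servers"] and report["offline_subdomain"]:
        report["verdict"] = ("DNS could not resolve the DCs of %s, so sssd took the "
                             "subdomain offline and fell back to cached credentials"
                             % report["offline_subdomain"])
        if report["cached_creds_missing"]:
            report["verdict"] += ", and none were cached for this user"
    else:
        report["verdict"] = "no unresolved-DC / offline-subdomain chain found"
    return report

# Constructed sample lines, modelled on the post's output (not copied verbatim).
SAMPLE = """
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_server_common_status] (0x0100): Marking server 'deda9w1004.na.bazzlegroup.com' as 'name not resolved'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sysdb_cache_auth] (0x0100): Cached credentials not available.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success (Permission denied)]
""".strip().splitlines()

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

Feeding it the full sssd_platform.schlitz.log instead of SAMPLE shows at a glance whether the denial is a DNS/offline problem or something in PAM or HBAC.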
