Hi all,
I'm facing some problems connecting an AD user to a Linux host via ssh.
I already configured the trust between the IPA server and AD.
I created an external group "grp_dba" pointing to the AD group.
I created a POSIX group "admindba" that contains the external group.
I created an HBAC rule "allow_dba" to allow the group to access the host.
I did an HBAC test and it tells me that access is granted to the user. On the client host, id, getent and even su work, but I still can't ssh!
Can you please guide me?
Thank you in advance.
Here are some commands that I used and the logs:
----------
On IPA server:
[root@idm01 ~]# ipa group-show admindba
  Group name: admindba
  GID: 336200005
  Member groups: grp_dba
  Member of HBAC rule: allow_dba
[root@idm01 ~]# ipa hbactest --user=admin_dba01@dz.corp --host=zabbix.linux.dz.corp --service=sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_dba
On client host:
[root@zabbix ~]# id admin_dba01@dz.corp
uid=1790001108(admin_dba01@dz.corp) gid=1790001108(admin_dba01@dz.corp) groups=1790001108(admin_dba01@dz.corp),1790000513(domain users@dz.corp),336200005(admindba),1790001107(grp_dba@dz.corp)
[root@zabbix ~]# geten admin_dba01@dz.corp
getenforce  getent
[root@zabbix ~]# getent passwd admin_dba01@dz.corp
admin_dba01@dz.corp:*:1790001108:1790001108:admin_dba01:/home/dz.corp/admin_dba01:
[root@zabbix ~]# getent group admin_dba01@dz.corp
admin_dba01@dz.corp:*:1790001108:
[root@zabbix ~]# su - admin_dba01@dz.corp
Last login: Mon Feb 1 16:57:39 CET 2021 on pts/1
[admin_dba01@dz.corp@zabbix ~]$ logout
[root@zabbix ~]#
[root@zabbix ~]# journalctl -e
Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Starting SSSD Kerberos Cache Manager...
Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Started SSSD Kerberos Cache Manager.
Feb 01 19:32:33 zabbix.linux.dz.corp sssd[kcm][17086]: Starting up
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=admin_dba01@dz.corp
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): received for user admin_dba01@dz.corp: 6 (Permission denied)
Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: error: PAM: Authentication failure for admin_dba01@dz.corp from 192.168.122.1
Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: Postponed keyboard-interactive for admin_dba01@dz.corp from 192.168.122.1 port 43908 ssh2 [preauth]
Feb 01 19:32:36 zabbix.linux.dz.corp sshd[17076]: Connection closed by authenticating user admin_dba01@dz.corp 192.168.122.1 port 43908 [preauth]
-------
Best regards,
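Added example, not part of the message above and not an SSSD or FreeIPA tool: the "Ticket not yet valid" lines in that journal are libkrb5's text for KRB5KRB_AP_ERR_TKT_NYV, raised when a ticket's start time is still in the future according to the checking host's clock (the usual sign of clock skew between the client and the KDC), so correlating them with the pam_sss denial for the same user is the first check worth automating. The script parses the journal lines reconstructed from the post (embedded as a constructed sample) and reports, per failing user, how many such Kerberos rejections landed in the seconds before the PAM failure; the five-second window and the year 2021 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the journal lines from the post above, re-joined onto one
# line each (journalctl's short format omits the year, so it is supplied below).
SAMPLE_JOURNAL = """\
Feb 01 19:32:33 zabbix.linux.dz.corp sssd[kcm][17086]: Starting up
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=admin_dba01@dz.corp
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): received for user admin_dba01@dz.corp: 6 (Permission denied)
Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: error: PAM: Authentication failure for admin_dba01@dz.corp from 192.168.122.1
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
PAM_FAIL_RE = re.compile(r"pam_sss\(sshd:auth\): authentication failure;.* user=(?P<user>\S+)")
TKT_NYV = "Ticket not yet valid"  # libkrb5 message text for KRB5KRB_AP_ERR_TKT_NYV

def parse_ts(ts, year):
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def correlate(journal, window=5, year=2021):
    """Map each user whose pam_sss(sshd:auth) attempt failed to the number of
    krb5_child 'Ticket not yet valid' messages logged within `window` seconds
    before that failure (window and year are assumed values)."""
    nyv_times, failures = [], []
    for line in journal.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, rest = parse_ts(m["ts"], year), m["rest"]
        if "krb5_child" in rest and TKT_NYV in rest:
            nyv_times.append(t)
        f = PAM_FAIL_RE.search(rest)
        if f:
            failures.append((t, f["user"]))
    counts = defaultdict(int)
    for t, user in failures:
        counts[user] += sum(1 for n in nyv_times if 0 <= (t - n).total_seconds() <= window)
    return dict(counts)

def suspected_skew_users(journal, **kw):
    """Users whose SSH denial was preceded by at least one 'Ticket not yet valid'."""
    return sorted(u for u, n in correlate(journal, **kw).items() if n > 0)
```

Feed it `journalctl -u sshd -u sssd` output from the affected host; a non-empty result from suspected_skew_users() says to compare the client's clock against the AD domain controllers before looking further at HBAC or PAM configuration.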