It is resolved now.
We had some policies in place to prevent users from logging in to systems if they are not part of certain groups.
sssd works fine.

Thanks


On Mon, Jul 23, 2018 at 12:07 PM, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Mon, Jul 23, 2018 at 07:33:53AM -0700, Farshid Mahdavipour wrote:
> Thanks Jakub,
> I set the log level to 6 in sssd.conf. Here is the result:
>
> [root@azrclchefvm01 ~]# tail /var/log/sssd/*
>
> ==> /var/log/sssd/gpo_child.log <==
>
> (Mon Jul 23 13:50:58 2018) [[sssd[gpo_child[69656]]]] [main] (0x0020):
> gpo_child failed!
>
> (Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]] [main] (0x0400):
> gpo_child started.
>
> (Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]] [main] (0x0400):
> context initialized
>
> (Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]] [unpack_buffer]
> (0x0400): cached_gpt_version: -1
>
> (Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]] [main] (0x0400):
> performing smb operations
>
> (Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]]
> [copy_smb_file_to_gpo_cache] (0x0400): smb_uri: smb://srv_addcp001/SysVol/
> corp.example.com/Policies/{58C277F6-1C0E-4357-BFC7-47D7FC679B19}/GPT.INI
>
> (Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888]]]]
> [copy_smb_file_to_gpo_cache] (0x0020): smbc_getFunctionOpen failed
> [13][Permission denied]
>
> (Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888]]]]
> [perform_smb_operations] (0x0020): copy_smb_file_to_gpo_cache failed
> [13][Permission denied]
>
> (Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888]]]] [main] (0x0020):
> perform_smb_operations failed.[13][Permission denied].

Hi Michal, do you have some ideas?

>
> (Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888]]]] [main] (0x0020):
> gpo_child failed!
>
>
>
> ==> /var/log/sssd/krb5_child.log <==
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]]
> [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [main] (0x0400):
> Will perform online auth
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [CORP.example.COM]
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [validate_tgt]
> (0x0400): TGT verified using key for [AZRCLCHEFVM01$@CORP.example.COM].
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [sss_send_pac]
> (0x0040): sss_pac_make_request failed [-1][2].
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [validate_tgt]
> (0x0040): sss_send_pac failed, group membership for user with principal
> [MAHDAVIF\@CORP.example.COM@CORP.example.COM] might not be correct.
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [switch_creds]
> (0x0200): Switch user to [39599][59900].
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [switch_creds]
> (0x0200): Already user [39599].
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [k5c_send_data]
> (0x0200): Received error code 0
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [main] (0x0400):
> krb5_child completed successfully
>
>
>
> ==> /var/log/sssd/ldap_child.log <==
>
> (Mon Jul 23 14:24:48 2018) [[sssd[ldap_child[70845]]]] [prepare_response]
> (0x0400): Building response for result [0]
>
> (Mon Jul 23 14:24:48 2018) [[sssd[ldap_child[70845]]]] [main] (0x0400):
> ldap_child completed successfully
>
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [main] (0x0400):
> ldap_child started.
>
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [unpack_buffer]
> (0x0200): Will run as [0][0].
>
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [become_user]
> (0x0200): Trying to become user [0][0].
>
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [become_user]
> (0x0200): Already user [0].
>
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]]
> [ldap_child_get_tgt_sync] (0x0100): Principal name is: [AZRCLCHEFVM01$@
> CORP.example.COM]
>
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]]
> [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
>
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [prepare_response]
> (0x0400): Building response for result [0]
>
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [main] (0x0400):
> ldap_child completed successfully
>
>
>
> ==> /var/log/sssd/sssd_corp.example.com.log <==
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data]
> (0x0100): user: MAHDAVIF@corp.example.com
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data]
> (0x0100): service: sshd
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data]
> (0x0100): tty: ssh
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data]
> (0x0100): ruser:
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data]
> (0x0100): rhost: 172.17.253.11
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data]
> (0x0100): authtok type: 0
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data]
> (0x0100): newauthtok type: 0
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data]
> (0x0100): priv: 1
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data]
> (0x0100): cli_pid: 70882
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data]
> (0x0100): logon name: not set
>
>
>
> ==> /var/log/sssd/sssd.log <==
>
> (Mon Jul 23 14:24:48 2018) [sssd] [sbus_conn_register_path] (0x0400):
> Registering object path /org/freedesktop/sssd/monitor with D-Bus connection
>
> (Mon Jul 23 14:24:48 2018) [sssd] [sbus_opath_hash_add_iface] (0x0400):
> Registering interface org.freedesktop.DBus.Properties with path
> /org/freedesktop/sssd/monitor
>
> (Mon Jul 23 14:24:48 2018) [sssd] [sbus_opath_hash_add_iface] (0x0400):
> Registering interface org.freedesktop.DBus.Introspectable with path
> /org/freedesktop/sssd/monitor
>
> (Mon Jul 23 14:24:48 2018) [sssd] [client_registration] (0x0100): Received
> ID registration: (pam,1)
>
> (Mon Jul 23 14:24:48 2018) [sssd] [mark_service_as_started] (0x0200):
> Marking pam as started.
>
> (Mon Jul 23 14:24:48 2018) [sssd] [client_registration] (0x0100): Received
> ID registration: (nss,1)
>
> (Mon Jul 23 14:24:48 2018) [sssd] [mark_service_as_started] (0x0200):
> Marking nss as started.
>
> (Mon Jul 23 14:24:48 2018) [sssd] [mark_service_as_started] (0x0400): All
> services have successfully started, creating pid file
>
> (Mon Jul 23 14:24:48 2018) [sssd] [notify_startup] (0x0400): Sending
> startup notification to systemd
>
> (Mon Jul 23 14:24:53 2018) [sssd] [services_startup_timeout] (0x0400):
> Handling timeout
>
>
>
> ==> /var/log/sssd/sssd_nss.log <==
>
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400):
> CR #4: Checking negative cache for [grp-linux-admins@corp.example.com]
>
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400):
> CR #4: [grp-linux-admins@corp.example.com] is not present in negative cache
>
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_search_cache] (0x0400):
> CR #4: Looking up [grp-linux-admins@corp.example.com] in cache
>
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [sysdb_get_user_members_recursively]
> (0x0400): No such entry
>
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR
> #4: Returning [grp-linux-admins@corp.example.com] from cache
>
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_search_ncache_filter]
> (0x0400): CR #4: This request type does not support filtering result by
> negative cache
>
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_create_and_add_result]
> (0x0400): CR #4: Found 1 entries in domain corp.example.com
>
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_done] (0x0400): CR #4:
> Finished: Success
>
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [client_recv] (0x0200): Client
> disconnected!
>
> (Mon Jul 23 14:25:37 2018) [sssd[nss]] [client_recv] (0x0200): Client
> disconnected!
>
>
>
> ==> /var/log/sssd/sssd_pam.log <==
>
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_print_data] (0x0100):
> newauthtok type: 0
>
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
>
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> 70882
>
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_print_data] (0x0100): logon
> name: mahdavif
>
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> pam_dp_send_req returned 0
>
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200):
> received: [0 (Success)][corp.example.com]
>
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> called with result [0]: Success.
>
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [filter_responses] (0x0100):
> [pam_response_filter] not available, not fatal.
>
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 32
>
> (Mon Jul 23 14:25:37 2018) [sssd[pam]] [client_recv] (0x0200): Client
> disconnected!
>
>
> On Mon, Jul 23, 2018 at 1:15 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
>
> >
> >
> > > On 22 Jul 2018, at 22:47, Farshid Mahdavipour <farchide@gmail.com>
> > wrote:
> > >
> > > Hi,
> > >
> > > I have configured sssd.service to authenticate to AD on RHEL 7.5 and I
> > have successfully joined the RHEL machine to AD,
> > > but I cannot log in to the machine with the AD account.
> > >
> > > Here is the error when I try to log in with the AD credentials:
> > > mahdavif@172.17.248.71's password:
> > > Last login: Sun Jul 22 18:59:23 2018 from 172.17.253.11
> > > This account is currently not available.
> >
> > I honestly don't know without logs, see e.g. https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
> >
> > > Connection to 172.17.248.71 closed.
> > >
> > > Here is the sssd.conf:
> > > # cat /etc/sssd/sssd.conf
> > > ad_server = srv_addcp001, srv_addcp002
> > > [sssd]
> > > domains = corp.example.com
> > > config_file_version = 2
> > > services = nss, pam
> > > [domain/corp.example.com]
> > > ad_domain = corp.example.com
> > > krb5_realm = CORP.example.com
> > > krb5_auth_timeout = 60
> > > realmd_tags = manages-system joined-with-adcli
> > > cache_credentials = True
> > > id_provider = ad
> > > krb5_store_password_if_offline = True
> > > default_shell = /bin/bash
> > > override_shell = /bin/bash
> > > ldap_id_mapping = False
> > > use_fully_qualified_names = False
> > > fallback_homedir = /home/%u@%d
> > > access_provider = ad
> > > ad_server = srv_addcp001, srv_addcp002
> > >
> > > Here is the output of realm list:
> > > # realm list
> > > corp.example.com
> > >   type: kerberos
> > >   realm-name: CORP.example.com
> > >   domain-name: corp.example.com
> > >   configured: kerberos-member
> > >   server-software: active-directory
> > >   client-software: sssd
> > >   required-package: oddjob
> > >   required-package: oddjob-mkhomedir
> > >   required-package: sssd
> > >   required-package: adcli
> > >   required-package: samba-common-tools
> > >   login-formats: %U
> > >   login-policy: allow-realm-logins
> > >
> > > This is /var/log/secure when trying to log in:
> > > Jul 22 17:13:05 azrlvm003 sshd[7202]: pam_sss(sshd:auth): authentication
> > success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.17.253.11
> > user=mahdavif
> > > Jul 22 17:13:05 azrlvm003 sshd[7202]: Accepted password for mahdavif
> > from 172.17.253.11 port 41628 ssh2
> > > Jul 22 17:13:06 azrlvm003 sshd[7202]: pam_unix(sshd:session): session
> > opened for user mahdavif by (uid=0)
> > > Jul 22 17:13:06 azrlvm003 sshd[7209]: Received disconnect from
> > 172.17.253.11 port 41628:11: disconnected by user
> > > Jul 22 17:13:06 azrlvm003 sshd[7209]: Disconnected from 172.17.253.11
> > port 41628
> > > Jul 22 17:13:06 azrlvm003 sshd[7202]: pam_unix(sshd:session): session
> > closed for user mahdavif
> >
> > And here pam_sss is not even called, but the user seems to be found by
> > pam_unix. This might indicate that the user is also present in the
> > passwd/group files, which is not recommended.
> >
> > >
> > > sssd --version
> > > 1.16.0
> > >
> > > I would really appreciate it if you could help me.
> > > Thanks
> > > Farshid
> > > _______________________________________________
> > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > > To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@
> > lists.fedorahosted.org/message/DFHOAB3FDTP5YTUZAZPUUNHOUN3YNVCM/
