Hi Expert,
1. Environment
   * Windows Server 2012 R2 Active Directory.
   * sudoRule schema extended
   * CentOS 7.3 (1611) client, joined to the domain by using realm
   * selinux -> permissive

2. Configuration files
   * sssd.conf

       [sssd]
       domains = mydomain.com
       config_file_version = 2
       services = nss, pam, sudo

       [domain/mydomain.com]
       ad_domain = mydomain.com
       krb5_realm = MYDOMAIN.COM
       realmd_tags = manages-system joined-with-samba
       cache_credentials = True
       id_provider = ad
       krb5_store_password_if_offline = True
       default_shell = /bin/bash
       ldap_id_mapping = True
       use_fully_qualified_names = True
       fallback_homedir = /home/%u@%d
       access_provider = ad
       ad_gpo_access_control = enforcing

   * smb.conf

       [global]
       workgroup = SAMBA
       security = user

       passdb backend = tdbsam

       printing = cups
       printcap name = cups
       load printers = yes
       cups options = raw

       [homes]
       comment = Home Directories
       valid users = %S, %D%w%S
       browseable = No
       read only = No
       inherit acls = Yes

       [printers]
       comment = All Printers
       path = /var/tmp
       printable = Yes
       create mask = 0600
       browseable = No

       [print$]
       comment = Printer Drivers
       path = /var/lib/samba/drivers
       write list = root
       create mask = 0664
       directory mask = 0775

   * nsswitch.conf

       passwd:     files sss
       shadow:     files sss
       group:      files sss
       hosts:      files dns myhostname
       bootparams: nisplus [NOTFOUND=return] files
       ethers:     files
       netmasks:   files
       networks:   files
       protocols:  files
       rpc:        files
       services:   files sss
       netgroup:   files sss
       publickey:  nisplus
       automount:  files sss
       aliases:    files nisplus
       sudoers:    files sss
3. Problem description
   * After joining the CentOS 7 machine to the Active Directory domain, domain user logon to the machine via ssh is not stable.
   * /var/log/secure shows:

       Jul 10 17:37:47 MyIssueMachine sshd[42400]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.15 user=MyUser@mydomain.com
       Jul 10 17:37:47 MyIssueMachine sshd[42400]: pam_sss(sshd:account): Access denied for user MyUser@mydomain.com: 4 (System error)
       Jul 10 17:37:47 MyIssueMachine sshd[42400]: Failed password for MyUser@mydomain.com from 192.168.150.15 port 51594 ssh2
       Jul 10 17:37:47 MyIssueMachine sshd[42400]: fatal: Access denied for user MyUser@mydomain.com by PAM account configuration [preauth]

   * /var/log/sssd/sssd_pam.log shows:

       (Mon Jul 10 16:02:24 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][mydomain.com]
       (Mon Jul 10 16:02:24 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
       (Mon Jul 10 16:02:24 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 30
       (Mon Jul 10 16:02:24 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7fe3abac60a0][23]
       (Mon Jul 10 16:02:24 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7fe3abac60a0][23]
       (Mon Jul 10 16:02:24 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
       (Mon Jul 10 16:02:24 2017) [sssd[pam]] [client_close_fn] (0x2000): Terminated client [0x7fe3abac60a0][23]
Thanks in advance!
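The pattern in the /var/log/secure excerpt above is a two-phase one: pam_sss reports authentication success in the auth phase, then the same sshd session is rejected in the account phase with result 4 (System error), which is a different thing from an ordinary wrong-password failure. The helper below is an added triage example, not part of the original post or of SSSD; it parses sshd lines in that syslog format, ties the two PAM phases together by (host, sshd pid), and reports only sessions that authenticated but then failed the account check, so intermittent cases like this one can be counted over a whole log rather than spotted by eye. The sample log text is constructed from the lines above plus two contrasting sessions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the /var/log/secure excerpt in the post:
# session 42400 is the problem case, 42410 succeeds, 42420 is a plain bad password.
SAMPLE_SECURE = """\
Jul 10 17:37:47 MyIssueMachine sshd[42400]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.15 user=MyUser@mydomain.com
Jul 10 17:37:47 MyIssueMachine sshd[42400]: pam_sss(sshd:account): Access denied for user MyUser@mydomain.com: 4 (System error)
Jul 10 17:37:47 MyIssueMachine sshd[42400]: Failed password for MyUser@mydomain.com from 192.168.150.15 port 51594 ssh2
Jul 10 17:38:02 MyIssueMachine sshd[42410]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.15 user=MyUser@mydomain.com
Jul 10 17:38:02 MyIssueMachine sshd[42410]: Accepted password for MyUser@mydomain.com from 192.168.150.15 port 51600 ssh2
Jul 10 17:39:10 MyIssueMachine sshd[42420]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.15 user=other@mydomain.com
"""

# "Mon DD HH:MM:SS host sshd[pid]: message" as written by rsyslog into /var/log/secure.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# \buser= deliberately does not match the "ruser=" field that precedes it.
AUTH_OK_RE = re.compile(r"pam_sss\(sshd:auth\): authentication success;.*\buser=(?P<user>\S+)")
ACCT_DENY_RE = re.compile(
    r"pam_sss\(sshd:account\): Access denied for user (?P<user>\S+): (?P<code>\d+) \((?P<reason>[^)]*)\)"
)


def find_account_phase_failures(log_text):
    """Return one dict per sshd session in which pam_sss authenticated the user
    and then denied access in the account phase. Sessions are keyed on
    (host, sshd pid), which is what links the auth and account log lines."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line in the expected format; skip it
        key = (m["host"], m["pid"])
        ok = AUTH_OK_RE.search(m["msg"])
        if ok:
            sessions[key].update(auth_user=ok["user"], ts=m["ts"])
        deny = ACCT_DENY_RE.search(m["msg"])
        if deny:
            sessions[key].update(user=deny["user"], code=int(deny["code"]), reason=deny["reason"])
    return [
        {"host": host, "pid": pid, "ts": s["ts"], "user": s["user"], "code": s["code"], "reason": s["reason"]}
        for (host, pid), s in sessions.items()
        if "auth_user" in s and "code" in s
    ]


if __name__ == "__main__":
    for f in find_account_phase_failures(SAMPLE_SECURE):
        print(f"{f['ts']} {f['host']} sshd[{f['pid']}]: {f['user']} authenticated but account phase returned {f['code']} ({f['reason']})")
```

Feeding the real /var/log/secure to find_account_phase_failures(open(path).read()) gives the list of affected sessions; a result code other than 4 would indicate a different failure mode than the one in the post.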