Thanks Jakub,
I set the log level to 6 in sssd.conf. Here is the result:

[root@azrclchefvm01 ~]# tail /var/log/sssd/*

==> /var/log/sssd/gpo_child.log <==
(Mon Jul 23 13:50:58 2018) [[sssd[gpo_child[69656]]]] [main] (0x0020): gpo_child failed!
(Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]] [main] (0x0400): gpo_child started.
(Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]] [main] (0x0400): context initialized
(Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]] [unpack_buffer] (0x0400): cached_gpt_version: -1
(Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]] [main] (0x0400): performing smb operations
(Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]] [copy_smb_file_to_gpo_cache] (0x0400): smb_uri: smb://srv_addcp001/SysVol/corp.example.com/Policies/{58C277F6-1C0E-4357-BFC7-47D7FC679B19}/GPT.INI
(Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888]]]] [copy_smb_file_to_gpo_cache] (0x0020): smbc_getFunctionOpen failed [13][Permission denied]
(Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888]]]] [perform_smb_operations] (0x0020): copy_smb_file_to_gpo_cache failed [13][Permission denied]
(Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888]]]] [main] (0x0020): perform_smb_operations failed.[13][Permission denied].
(Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888]]]] [main] (0x0020): gpo_child failed!

==> /var/log/sssd/krb5_child.log <==
(Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [main] (0x0400): Will perform online auth
(Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [CORP.example.COM]
(Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [validate_tgt] (0x0400): TGT verified using key for [AZRCLCHEFVM01$@CORP.example.COM].
(Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [MAHDAVIF\@CORP.example.COM@CORP.example.COM] might not be correct.
(Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [switch_creds] (0x0200): Switch user to [39599][59900].
(Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [switch_creds] (0x0200): Already user [39599].
(Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [k5c_send_data] (0x0200): Received error code 0
(Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [main] (0x0400): krb5_child completed successfully

==> /var/log/sssd/ldap_child.log <==
(Mon Jul 23 14:24:48 2018) [[sssd[ldap_child[70845]]]] [prepare_response] (0x0400): Building response for result [0]
(Mon Jul 23 14:24:48 2018) [[sssd[ldap_child[70845]]]] [main] (0x0400): ldap_child completed successfully
(Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [main] (0x0400): ldap_child started.
(Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [unpack_buffer] (0x0200): Will run as [0][0].
(Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [become_user] (0x0200): Trying to become user [0][0].
(Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [become_user] (0x0200): Already user [0].
(Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [AZRCLCHEFVM01$@CORP.example.COM]
(Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [prepare_response] (0x0400): Building response for result [0]
(Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886]]]] [main] (0x0400): ldap_child completed successfully

==> /var/log/sssd/sssd_corp.example.com.log <==
(Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): user: MAHDAVIF@corp.example.com
(Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): service: sshd
(Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): tty: ssh
(Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): ruser:
(Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): rhost: 172.17.253.11
(Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): priv: 1
(Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): cli_pid: 70882
(Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data] (0x0100): logon name: not set

==> /var/log/sssd/sssd.log <==
(Mon Jul 23 14:24:48 2018) [sssd] [sbus_conn_register_path] (0x0400): Registering object path /org/freedesktop/sssd/monitor with D-Bus connection
(Mon Jul 23 14:24:48 2018) [sssd] [sbus_opath_hash_add_iface] (0x0400): Registering interface org.freedesktop.DBus.Properties with path /org/freedesktop/sssd/monitor
(Mon Jul 23 14:24:48 2018) [sssd] [sbus_opath_hash_add_iface] (0x0400): Registering interface org.freedesktop.DBus.Introspectable with path /org/freedesktop/sssd/monitor
(Mon Jul 23 14:24:48 2018) [sssd] [client_registration] (0x0100): Received ID registration: (pam,1)
(Mon Jul 23 14:24:48 2018) [sssd] [mark_service_as_started] (0x0200): Marking pam as started.
(Mon Jul 23 14:24:48 2018) [sssd] [client_registration] (0x0100): Received ID registration: (nss,1)
(Mon Jul 23 14:24:48 2018) [sssd] [mark_service_as_started] (0x0200): Marking nss as started.
(Mon Jul 23 14:24:48 2018) [sssd] [mark_service_as_started] (0x0400): All services have successfully started, creating pid file
(Mon Jul 23 14:24:48 2018) [sssd] [notify_startup] (0x0400): Sending startup notification to systemd
(Mon Jul 23 14:24:53 2018) [sssd] [services_startup_timeout] (0x0400): Handling timeout

==> /var/log/sssd/sssd_nss.log <==
(Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #4: Checking negative cache for [grp-linux-admins@corp.example.com]
(Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #4: [grp-linux-admins@corp.example.com] is not present in negative cache
(Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #4: Looking up [grp-linux-admins@corp.example.com] in cache
(Mon Jul 23 14:25:37 2018) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #4: Returning [grp-linux-admins@corp.example.com] from cache
(Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #4: This request type does not support filtering result by negative cache
(Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #4: Found 1 entries in domain corp.example.com
(Mon Jul 23 14:25:37 2018) [sssd[nss]] [cache_req_done] (0x0400): CR #4: Finished: Success
(Mon Jul 23 14:25:37 2018) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Mon Jul 23 14:25:37 2018) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

==> /var/log/sssd/sssd_pam.log <==
(Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 70882
(Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_print_data] (0x0100): logon name: mahdavif
(Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][corp.example.com]
(Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Mon Jul 23 14:25:37 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 32
(Mon Jul 23 14:25:37 2018) [sssd[pam]] [client_recv] (0x0200): Client disconnected!

On Mon, Jul 23, 2018 at 1:15 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
> On 22 Jul 2018, at 22:47, Farshid Mahdavipour <farchide@gmail.com> wrote:
>
> Hi,
>
> I have configured sssd.service to authenticate to AD on RHEL 7.5 and I have successfully joined the RHEL machine to AD,
> but I cannot log in to the machine with the AD account.
>
> Here is the error when I try to log in with the AD credentials:
> mahdavif@172.17.248.71's password:
> Last login: Sun Jul 22 18:59:23 2018 from 172.17.253.11
> This account is currently not available.

I honestly don’t know without logs, see e.g. https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

> Connection to 172.17.248.71 closed.
>
> Here is the sssd.conf:
> # cat /etc/sssd/sssd.conf
> ad_server = srv_addcp001, srv_addcp002
> [sssd]
> domains = corp.example.com
> config_file_version = 2
> services = nss, pam
> [domain/corp.example.com]
> ad_domain = corp.example.com
> krb5_realm = CORP.example.com
> krb5_auth_timeout = 60
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> override_shell = /bin/bash
> ldap_id_mapping = False
> use_fully_qualified_names = False
> fallback_homedir = /home/%u@%d
> access_provider = ad
> ad_server = srv_addcp001, srv_addcp002
>
> Here is the output of realm list:
> # realm list
> corp.example.com
>   type: kerberos
>   realm-name: CORP.example.com
>   domain-name: corp.example.com
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: sssd
>   required-package: oddjob
>   required-package: oddjob-mkhomedir
>   required-package: sssd
>   required-package: adcli
>   required-package: samba-common-tools
>   login-formats: %U
>   login-policy: allow-realm-logins
>
> This is the /var/log/secure when trying to log in:
> Jul 22 17:13:05 azrlvm003 sshd[7202]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.17.253.11 user=mahdavif
> Jul 22 17:13:05 azrlvm003 sshd[7202]: Accepted password for mahdavif from 172.17.253.11 port 41628 ssh2
> Jul 22 17:13:06 azrlvm003 sshd[7202]: pam_unix(sshd:session): session opened for user mahdavif by (uid=0)
> Jul 22 17:13:06 azrlvm003 sshd[7209]: Received disconnect from 172.17.253.11 port 41628:11: disconnected by user
> Jul 22 17:13:06 azrlvm003 sshd[7209]: Disconnected from 172.17.253.11 port 41628
> Jul 22 17:13:06 azrlvm003 sshd[7202]: pam_unix(sshd:session): session closed for user mahdavif

And here pam_sss is not even called, but the user seems to be found by pam_unix. This might indicate that the user is also present in the passwd/group files which is not recommended.

>
> sssd --version
> 1.16.0
>
> I would really appreciate it if you can help me.
> Thanks
> Farshid
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/DFHOAB3FDTP5YTUZAZPUUNHOUN3YNVCM/
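Added example, not from this thread or from the SSSD project: a small Python parser for the sssd debug-log format pasted above. With debug_level=6 the logs are mostly 0x0400/0x0200 trace lines, so the script keeps only entries at a failure level and reports the first failure per child process, which is where the real errno lives (here the gpo_child `[13][Permission denied]` on GPT.INI, logged by copy_smb_file_to_gpo_cache before main's generic "gpo_child failed!"). The level names are taken from sssd's debug.h bit values; the sample lines are copied from the post and embedded here as constructed input.

```python
import re
from collections import OrderedDict

# Debug-level bits from sssd's debug.h; debug_level=6 in sssd.conf is the mask
# 0x07F0 (FATAL_FAILURE through TRACE_FUNC), which is why the log above is so noisy.
LEVELS = {
    0x0010: "FATAL_FAILURE", 0x0020: "CRIT_FAILURE", 0x0040: "OP_FAILURE",
    0x0080: "MINOR_FAILURE", 0x0100: "CONF_SETTINGS", 0x0200: "FUNC_DATA",
    0x0400: "TRACE_FUNC", 0x1000: "TRACE_LIBS", 0x2000: "TRACE_INTERNAL",
    0x4000: "TRACE_ALL",
}
FAILURE_MASK = 0x00F0  # the four failure classes

LINE_RE = re.compile(  # (timestamp) [component] [function] (0xLEVEL): message
    r"^\((?P<ts>[^)]+)\) (?P<comp>\[.+?\]+) \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)

def parse_line(line):
    """Parse one sssd log line; returns None for blank or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # "[[sssd[gpo_child[70888]]]]" -> gpo_child, "[sssd[pam]]" -> pam, "[sssd]" -> sssd
    names = re.findall(r"\w+", m.group("comp"))
    lvl = int(m.group("lvl"), 16)
    return {"ts": m.group("ts"), "component": names[1] if len(names) > 1 else names[0],
            "func": m.group("func"), "level": lvl,
            "level_name": LEVELS.get(lvl, hex(lvl)), "msg": m.group("msg")}

def failures(lines):
    """Entries logged at any failure level, in file order."""
    return [e for e in map(parse_line, lines) if e and e["level"] & FAILURE_MASK]

def root_causes(lines):
    """First failure per component: the innermost call logs the real errno, while
    the later "gpo_child failed!" from main only reports the consequence."""
    first = OrderedDict()
    for e in failures(lines):
        first.setdefault(e["component"], e)
    return first

# Constructed sample, copied from the lines quoted in the post.
SAMPLE = [
    "(Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]] [main] (0x0400): gpo_child started.",
    "(Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888]]]] [copy_smb_file_to_gpo_cache] (0x0020): smbc_getFunctionOpen failed [13][Permission denied]",
    "(Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888]]]] [main] (0x0020): gpo_child failed!",
    "(Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].",
    "(Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.",
]
```

Run `root_causes(open("/var/log/sssd/gpo_child.log").readlines())` against a real log to get the same per-child summary; the `tail` header lines (`==> ... <==`) are simply skipped as unrecognised.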