Hello,
I am facing a very confounding issue with my SSSD/AD integration on CentOS 7. I am configured to use SSSD and Active Directory to authenticate SSH logins. Users use an SSH key stored in an Active Directory attribute to log in, followed by a Duo 2FA prompt. SSH is configured to check the key, then provide the Duo prompt via PAM. About 80% of the time this works correctly. The other 20% of the time, users see a long hang (approx 1-2 minutes) after the Duo prompt, followed by a generic "Authentication failure" error. This happens with login attempts from the same user, on the same host, logging in to the same server, authenticating against the same AD DC.
I am having a hard time discovering the underlying issue causing this problem. From my sshd logs, the best error I seem to have found is this:
Jan 16 11:33:49 cerberusvm sshd[4201]: debug3: PAM: do_pam_account pam_acct_mgmt = 9 (Authentication service cannot retrieve authentication info)
Jan 16 11:33:49 cerberusvm sshd[4201]: debug3: ssh_msg_send: type 13
Jan 16 11:33:49 cerberusvm sshd[4197]: debug3: PAM: User account has expired
Here is my relevant sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

AuthenticationMethods publickey,keyboard-interactive
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
UseDNS no
UsePAM yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
Here is my current sssd.conf file (I have been frequently experimenting with config changes here. Logins work, but the occasional failure occurs for reasons I cannot determine):
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam, ssh

[ssh]
debug_level = 3

[domain/mydomain.com]
debug_level = 3
ad_domain = mydomain.com
ad_server = prodad1.mydomain.com
ad_hostname = cerberusvm.mydomain.com
dyndns_update = false
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = False
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
id_provider = ad
auth_provider = ad
ldap_user_ssh_public_key = sshPublicKeys
Here is my pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Here is my pam.d/sshd:
#%PAM-1.0
auth       required     pam_sepermit.so
auth       required     pam_env.so
auth       sufficient   pam_duo.so
auth       required     pam_deny.so
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
From sssd's side, here is the error I tend to see that does not appear in a log from a working login:
(Wed Jan 16 11:32:20 2019) [sssd[be[mydomain.com]]] [ad_check_gc_usability_search_done] (0x0080): Cannot get isMemberOfPartialAttributeSet
(Wed Jan 16 11:32:20 2019) [sssd[be[mydomain.com]]] [ad_check_gc_usability_search_done] (0x0080): Cannot get isMemberOfPartialAttributeSet
(Wed Jan 16 11:32:20 2019) [sssd[be[mydomain.com]]] [ad_disable_gc] (0x0040): POSIX attributes were requested but are not present on the server side. Global Catalog lookups will be disabled
I have found this (https://bugzilla.redhat.com/show_bug.cgi?id=1583725) related patch to the above error, but we are running the errata that is supposed to be an upstream fix for it, so I am not sure if this is a new or different issue.
I have sssd_ssh.log, sssd_mydomain.com.log, and sshd logs for both working and non-working login flows and will gladly attach them but do not see a way to do that when creating a thread.
Here is my environment:
SSH: OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
SSSD 1.16.2
PAM pam-1.1.8-22
duo_unix-1.11.1
sssd-users@lists.fedorahosted.org
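A small triage helper, added here as an example and not part of the original post: it pairs each sshd account-phase failure (pam_acct_mgmt != 0) with the Global Catalog fallback messages the poster sees in the sssd domain log shortly before the hang, so working and failing logins can be compared side by side. The sample log lines are constructed from the excerpts above, the syslog year is supplied by the caller because sshd lines carry none, and the 180-second window is an assumption matching the 1-2 minute hang.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the excerpts in the post (not real captures).
SSHD_LOG = """\
Jan 16 11:30:02 cerberusvm sshd[3990]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
Jan 16 11:33:49 cerberusvm sshd[4201]: debug3: PAM: do_pam_account pam_acct_mgmt = 9 (Authentication service cannot retrieve authentication info)
Jan 16 11:33:49 cerberusvm sshd[4197]: debug3: PAM: User account has expired
"""
SSSD_LOG = """\
(Wed Jan 16 11:32:20 2019) [sssd[be[mydomain.com]]] [ad_check_gc_usability_search_done] (0x0080): Cannot get isMemberOfPartialAttributeSet
(Wed Jan 16 11:32:20 2019) [sssd[be[mydomain.com]]] [ad_disable_gc] (0x0040): POSIX attributes were requested but are not present on the server side. Global Catalog lookups will be disabled
"""

SSHD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: "
                     r"debug3: PAM: do_pam_account pam_acct_mgmt = (\d+) \((.*)\)$")
SSSD_RE = re.compile(r"^\((\w{3} \w{3} +\d+ \d\d:\d\d:\d\d) (\d{4})\) "
                     r"\[sssd\[be\[[^\]]+\]\]\] \[(\w+)\] \(0x[0-9a-f]+\): (.*)$")
# Backend functions from the post's sssd excerpt that mark the Global Catalog being disabled.
GC_MARKERS = {"ad_check_gc_usability_search_done", "ad_disable_gc"}

def parse_sshd(text, year):
    """Yield (time, pid, pam_code, reason) per pam_acct_mgmt result; syslog lines carry no year."""
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            t = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
            yield t, int(m.group(2)), int(m.group(3)), m.group(4)

def parse_sssd(text):
    """Yield (time, function, message) per sssd backend line."""
    for line in text.splitlines():
        m = SSSD_RE.match(line)
        if m:
            t = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S").replace(year=int(m.group(2)))
            yield t, m.group(3), m.group(4)

def correlate(sshd_text, sssd_text, year, window=180):
    """Pair each failed account check (pam_acct_mgmt != 0; 9 is PAM_AUTHINFO_UNAVAIL) with
    GC-related sssd messages logged up to `window` seconds earlier (assumed 180 s for the hang)."""
    backend = list(parse_sssd(sssd_text))
    findings = []
    for t, pid, code, reason in parse_sshd(sshd_text, year):
        if code == 0:
            continue
        related = [(func, msg) for bt, func, msg in backend
                   if func in GC_MARKERS and 0 <= (t - bt).total_seconds() <= window]
        findings.append({"pid": pid, "pam_code": code, "reason": reason, "sssd": related})
    return findings
```

Calling `correlate(SSHD_LOG, SSSD_LOG, 2019)` on the samples reports the sshd[4201] failure together with both GC messages logged 89 seconds earlier; feeding it the real logs from a working and a failing login shows whether the GC fallback only ever precedes the failing ones.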