[CentOS] "System error" when trying to logon via SSH to CentOS 8 joined to AD

Tue Mar 30 15:01:50 UTC 2021
Joshua Kramer <joskra42.list at gmail.com>

Hi Konstantin,

Debugging login issues between SSD, PAM, and AD is not for the faint of
heart.  In my case I set up Samba 4.3 as a primary AD DC.  I could login
with Windows 10 guests but not C8.

I just did the following.
1. I spun up a fresh C8 VM, did not add any users, selected a graphical
desktop.
2. I added a new user into my AD domain (the one being served by Samba4)
3. When my VM booted, the "first boot" screen appeared.  As I went through
the steps, when it prompted me to add a user, I clicked on "Configure
Enterprise Login"
4. The system automatically found my domain name.  I entered the
username/password I created.
5. The system prompted for the Domain Admin password, which I entered it.
6. After a few seconds. everything was set up, and I could ssh in to the
box in question using the following (keeping in mind that capitalization is
important, especially when it comes to AD domain names!):

ssh -l joey at MY-DOMAIN.AS authtest-el8

I was able to login using this procedure.  You might try the same thing,
and then compare your pam, sssd, and krb5 config files with the fresh VM
and the VM you are trying to get working.

-JK


On Tue, Mar 30, 2021 at 7:01 AM Konstantin Boyandin via CentOS <
centos at centos.org> wrote:

> Do I understand correctly that this problem
> - is too trivial
> - isn't in fact CentOS-related
> - never happened to anyone else ?
>
> There are no good explanations as far as I see, to such PAM behavior. I
> would appreciate advice on where else to ask about this (the mentioned
> quick fix doesn't look too good).
>
> Thanks.
>
> Sincerely,
> Konstantin
>
> On 23.03.2021 13:09, Konstantin Boyandin via CentOS wrote:
> > Hello,
> >
> > I joined a CentOS 8 box to an AD, using the below document as general
> > guide:
> >
> >
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory
>
> > (section 14.1)
> >
> > A problem: after I tried to log on via SSH (as an AD user) to the box,
> > the journalctl gets the below records:
> >
> > March 23 12:41:01 sandbox.lan sshd[2262]: pam_sss(sshd:auth):
> > authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> > rhost=10.10.0.55 user=username
> > March 23 12:41:01 sandbox.lan sshd[2262]: pam_sss(sshd:account): Access
> > denied for user username: 4 (System error)
> > March 23 12:41:01 sandbox.lan sshd[2262]: Failed password for username
> > from 10.10.0.55 port 57610 ssh2
> > March 23 12:41:01 sandbox.lan sshd[2262]: fatal: Access denied for user
> > username by PAM account configuration [preauth]
> >
> > Quick and dirty fix:
> >
> > When I comment a line in /etc/pam.d/password-auth (the one commented
> > below), error goes away:
> > ======= /etc/pam.d/password-auth below
> > auth
>  required                                     pam_env.so
> > auth        required pam_faildelay.so delay=2000000
> > auth        [default=1 ignore=ignore success=ok]
>  pam_usertype.so
> > isregular
> > auth        [default=1 ignore=ignore success=ok] pam_localuser.so
> > auth
>  sufficient                                   pam_unix.so
> > nullok try_first_pass
> > auth        [default=1 ignore=ignore success=ok]
>  pam_usertype.so
> > isregular
> > auth
>  sufficient                                   pam_sss.so
> > forward_pass
> > auth
>  required                                     pam_deny.so
> >
> > account
>  required                                     pam_unix.so
> > account     sufficient pam_localuser.so
> > account
>  sufficient                                   pam_usertype.so
> > issystem
> > #account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> > account
>  required                                     pam_permit.so
> >
> > password    requisite pam_pwquality.so try_first_pass local_users_only
> > password
>  sufficient                                   pam_unix.so
> > sha512 shadow nullok try_first_pass use_authtok
> > password
>  sufficient                                   pam_sss.so
> > use_authtok
> > password
>  required                                     pam_deny.so
> >
> > session
>  optional                                     pam_keyinit.so
> > revoke
> > session
>  required                                     pam_limits.so
> > -session
>  optional                                     pam_systemd.so
> > session     optional pam_oddjob_mkhomedir.so umask=0077
> > session     [success=1 default=ignore] pam_succeed_if.so service in
> > crond quiet use_uid
> > session
>  required                                     pam_unix.so
> > session
>  optional                                     pam_sss.so
> > ======= /etc/pam.d/password-auth above
> >
> > If I understand correctly, the commented line means "account is invalid
> > by default; if found in SSSD, it's good; if not found - ignore and
> > proceed". Commenting it is not a good idea, but I can't figure out
> > what's wrong (according to first line from jornalctl authentication *is*
> > passed normally).
> >
> > Additional data (AD domain in this example is EXAMPLE.COM):
> >
> > $ realm list
> > realm list
> > example.com
> >   type: kerberos
> >   realm-name: EXAMPLE.COM
> >   domain-name: example.com
> >   configured: kerberos-member
> >   server-software: active-directory
> >   client-software: sssd
> >   required-package: oddjob
> >   required-package: oddjob-mkhomedir
> >   required-package: sssd
> >   required-package: adcli
> >   required-package: samba-common-tools
> >   login-formats: %U
> >   login-policy: allow-realm-logins
> >
> > $ cat /etc/sssd/sssd.conf
> > [sssd]
> > domains = example.com
> > config_file_version = 2
> > services = nss, pam, ssh
> > debug_level = 9
> >
> > [domain/example.com]
> > ad_domain = example.com
> > krb5_realm = EXAMPLE.COM
> > realmd_tags = manages-system joined-with-adcli
> > cache_credentials = True
> > id_provider = ad
> > krb5_store_password_if_offline = True
> > default_shell = /bin/bash
> > ldap_sasl_authid = SANDBOX$
> > ldap_id_mapping = True
> > use_fully_qualified_names = False
> > ad_gpo_ignore_unreadable = True
> > fallback_homedir = /home/%u
> > access_provider = ad
> > debug_level = 9
> > === end of /etc/sssd/sssd.conf
> >
> > $ cat /etc/krb5.conf
> > includedir /etc/krb5.conf.d/
> >
> > [logging]
> >     default = FILE:/var/log/krb5libs.log
> >     kdc = FILE:/var/log/krb5kdc.log
> >     admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> >     ticket_lifetime = 24h
> >     renew_lifetime = 7d
> >     forwardable = true
> >     rdns = false
> >     pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
> >     spake_preauth_groups = edwards25519
> >     default_ccache_name = KEYRING:persistent:%{uid}
> >     default_realm = EXAMPLE.COM
> >     dns_lookup_realm = false
> >     dns_lookup_kdc = true
> >
> >
> > [realms]
> >         EXAMPLE.COM = {
> >                 kdc = dc.example.com
> >                 kdc = bdc.example.com
> >                 admin_server = dc.example.com
> >         }
> >
> > [domain_realm]
> >         .example.com = EXAMPLE.COM
> >         example.com = EXAMPLE.COM
> > === end of /etc/krb5.conf
> >
> > GPO cache exists and is properly owned:
> > ls -al /var/lib/sss/gpo_cache/example.com/
> > total 0
> > drwx------. 3 sssd sssd 22 Mar 22 14:52 .
> > drwxr-xr-x. 3 sssd sssd 24 Mar 22 14:52 ..
> > drwx------. 3 sssd sssd 52 Mar 22 14:52 Policies
> >
> > I would appreciate pieces of advice on how to fix authentication issue
> > without commenting out the pam.d configuration file line.
> >
> > Thank you.
> >
> > Sincerely,
> > Konstantin
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>