RHEL7 and sssd: getent works but users cannot authenticate with passwords
In my situation, we used realm to install and configure sssd. Getent shows the domain users, and the groups are in /etc/ssh/sshd_config and /etc/sssd/sssd.conf. So why can my users not authenticate to the server?! I get this error:
May 01 13:53:43 lhostname sshd[22167]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=l982487.prod1.example.com user=bgstack15
May 01 13:53:44 lhostname sshd[22167]: Failed password for bgstack15 from 10.155.16.240 port 34340 ssh2
What eventually solved the problem was fixing /etc/pam.d/system-auth-ac and also /etc/pam.d/password-auth-ac. Either file by itself did not seem to help. It looks like authconfig may have messed up or was not used or something. I don't bother using it myself because I just modify pam myself. Yes, this makes me a terrible admin.
/etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so minlen=16 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
/etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so minlen=16 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
auth required pam_faillock.so authfail deny=4 unlock_time=1200
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Comments