On Sun, Feb 21, 2021 at 8:42 PM Kent West <we...@acu.edu> wrote:

>
>
> On Sun, Feb 21, 2021 at 6:10 PM Tibz Loufok <thib...@gmail.com> wrote:
>
>> Hi,
>>
>> I suppose realmd configured sssd.
>>
>
> Yes.
>
>> You may need to authorize your users to log in. (By using AD GPO or
>> managing it locally).
>>
>> The parameter is access_provider.
>> But you can also use the realm command to allow some AD group locally.
>>
>> Also sssd has some logs. You can edit sssd.conf to modify the log level.
>>
>> Red Hat has good documentation on this subject and it was really
>> helpful for me as I had to integrate CentOS and Debian (from 8 to 10). (I
>> configured access locally, not by GPO)
>>
>> I may give you more precise information when I am at work.
>>
>>
> I appreciate the response, and look forward to more precise info, should
> you be able to provide it.
>
> I've dug through quite a bit of Redhat documentation, but most of it is
> still beyond me, especially since the specifics don't match Debian setups
>
> Also, about every other hit is behind a paywall, though. For example, just
> now I searched for "access_provider", and the first hit I tried was a
> Redhat link, and ran into a paywall. Arg.
>
> Again, thanks for the response!
>
>

Digging a little deeper on "access_provider", it seems that's more related to
general authentication into a system, rather than specifically to ssh working
for a user. But, since I'm woefully green in this entire realm, I may be wrong.
--
Kent

>> Regards
>>
>> On Mon, Feb 22, 2021 at 00:09, Kent West <we...@acu.edu> wrote:
>>
>>> Brand new Debian box (tried Buster, then when that didn't work, upgraded
>>> to unstable - meh, it's a test box to get things sorted out before
>>> production use).
>>>
>>> Minimal setup (unchecked everything in TaskSel step during install;
>>> later used TaskSel to add X11/Mate).
>>>
>>> su'd to root
>>>
>>> apt install'd aptitude, realmd, packagekit
>>>
>>> (packagekit grabbed the needed dependencies, such as sssd and samba (at
>>> least parts of them, and maybe part of KRB5 (the keytab thing-y), and
>>> [mostly] configured them)
>>>
>>> Ran "realm join MY.DOMAIN -U my_add-to-domain_user"
>>>
>>> getent passwd domain_user successfully returns data on the domain user:
>>>
>>> acutech@21260-debianvm:~$ getent passwd glerp@my.domain
>>> glerp@my.domain:*:495633057:495600513:glerp:/home/glerp@my.domain:/bin/bash
>>>
>>> I can su to a domain user's account (from root, or from a local user,
>>> using the domain user's password). I can also login as a domain user at the
>>> console. The domain user does not have a home directory, so I ran
>>> "pam-auth-config" and selected the option to auto-create a home dir.
>>>
>>> But the domain user can't log in via ssh (a local user can ssh in).
>>>
>>> techman@21260-debianvm:~$ ssh -l glerp@my.domain 21260-debianvm
>>> glerp@my.domain@21260-debianvm's password:
>>> Connection closed by 127.0.1.1 port 22
>>>
>>> Here are a few relevant lines from /var/log/auth.log:
>>>
>>> Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=glerp@my.domain
>>> Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=glerp@my.domain
>>> Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_sss(sshd:account): Access denied for user glerp@my.domain: 6 (Permission denied)
>>> Feb 21 17:04:54 21260-debianvm sshd[5284]: Failed password for glerp@my.domain from 127.0.0.1 port 59998 ssh2
>>> Feb 21 17:04:54 21260-debianvm sshd[5284]: fatal: Access denied for user glerp@my.domain by PAM account configuration [preauth]
>>>
>>> I've pretty much exhausted my troubleshooting skills, and don't know
>>> where to go from here. Any help would be appreciated. Thanks!
>>>
>>>
>>> --
>>> Kent West <")))><
>>> Westing Peacefully - http://kentwest.blogspot.com
>>>
>>
>
> --
> Kent West <")))><
> Westing Peacefully - http://kentwest.blogspot.com
>

--
Kent West <")))><
Westing Peacefully - http://kentwest.blogspot.com
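
Added example, not part of the thread: in the auth.log excerpt quoted above, pam_sss(sshd:auth) reports success and pam_sss(sshd:account) then denies access, and the account phase is where sssd applies its access control (access_provider). This sketch groups sshd PAM lines by process ID and reports which phase rejected each attempt; the function name `classify` is hypothetical and the last two sample lines (PID 5301) are constructed for contrast.

```python
import re
from collections import defaultdict

# First five lines: from the post above, with the e-mail line wraps rejoined.
# Last two lines (sshd[5301]): constructed sample of a rejected password.
SAMPLE = """\
Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=glerp@my.domain
Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=glerp@my.domain
Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_sss(sshd:account): Access denied for user glerp@my.domain: 6 (Permission denied)
Feb 21 17:04:54 21260-debianvm sshd[5284]: Failed password for glerp@my.domain from 127.0.0.1 port 59998 ssh2
Feb 21 17:04:54 21260-debianvm sshd[5284]: fatal: Access denied for user glerp@my.domain by PAM account configuration [preauth]
Feb 21 17:09:10 21260-debianvm sshd[5301]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=glerp@my.domain
Feb 21 17:09:10 21260-debianvm sshd[5301]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=glerp@my.domain
"""

PAM_LINE = re.compile(r"sshd\[(\d+)\]: (pam_\w+)\(sshd:(auth|account)\): (.*)")

def classify(log_text):
    """Return {sshd_pid: verdict} naming the PAM phase that decided each attempt."""
    events = defaultdict(lambda: {"auth_ok": False, "denied_by": None})
    for line in log_text.splitlines():
        m = PAM_LINE.search(line)
        if not m:
            continue  # non-PAM sshd lines ("Failed password", "fatal: ...")
        pid, module, phase, msg = m.groups()
        ev = events[int(pid)]
        if phase == "auth" and msg.startswith("authentication success"):
            # Assumption: pam_unix and pam_sss are alternatives in the auth
            # stack, so a success from either means the password was accepted.
            ev["auth_ok"] = True
        elif phase == "account" and msg.startswith("Access denied"):
            ev["denied_by"] = module
    verdicts = {}
    for pid, ev in events.items():
        if ev["auth_ok"] and ev["denied_by"]:
            verdicts[pid] = f"authorization: password accepted, {ev['denied_by']} account check denied access"
        elif ev["auth_ok"]:
            verdicts[pid] = "ok: password accepted, no account denial logged"
        else:
            verdicts[pid] = "authentication: no module accepted the credentials"
    return verdicts

if __name__ == "__main__":
    for pid, verdict in classify(SAMPLE).items():
        print(pid, verdict)
```

An "authorization" verdict points at sssd's access control (the access_provider setting or the realm command mentioned in the thread) rather than at the password or at sshd itself.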