On Mon, Feb 22, 2021 at 7:52 AM Nicholas Geovanis <nickgeova...@gmail.com> wrote:

> On Sun, Feb 21, 2021, 5:09 PM Kent West <we...@acu.edu> wrote:
>
> > Brand new Debian box (tried Buster, then when that didn't work, upgraded
> > to unstable - meh, it's a test box to get things sorted out before
> > production use).
> >
> > Minimal setup (unchecked everything in TaskSel step during install; later
> > used TaskSel to add X11/Mate).
> >
> > su'd to root
> >
> > apt install'd aptitude, realmd, packagekit
> >
> > (packagekit grabbed the needed dependencies, such as sssd and samba (at
> > least parts of them, and maybe part of KRB5 (the keytab thing-y), and
> > [mostly] configured them)
> >
> > Ran "realm join MY.DOMAIN -U my_add-to-domain_user"
> >
> > getent passwd domain_user successfully returns data on the domain user:
> >
> > acutech@21260-debianvm:~$ getent passwd glerp@my.domain
> > glerp@my.domain:*:495633057:495600513:glerp:/home/glerp@my.domain:/bin/bash
> > ....
> >
> > But the domain user can't log in via ssh (a local user can ssh in).
> >
> > techman@21260-debianvm:~$ ssh -l glerp@my.domain 21260-debianvm
> > glerp@my.domain@21260-debianvm's password:
> > Connection closed by 127.0.1.1 port 22
> >
> > Here are a few relevant lines from /var/log/auth.log:
> >
> > Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=glerp@my.domain
> > Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=glerp@my.domain
> > Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_sss(sshd:account): Access denied for user glerp@my.domain: 6 (Permission denied)
> > Feb 21 17:04:54 21260-debianvm sshd[5284]: Failed password for glerp@my.domain from 127.0.0.1 port 59998 ssh2
> > Feb 21 17:04:54 21260-debianvm sshd[5284]: fatal: Access denied for user glerp@my.domain by PAM account configuration [preauth]
>
> So I think what this is telling you is that authentication succeeded for
> the "auth" clause in the "sshd" section of the PAM config file (pam_sss).
> But then authentication failed in the "account" clause of the sshd section.
>
> So the question is why there?

As I'm trying to parse this log snippet, I take the line mentioning "pam_unix" to mean that "glerp" is not found in the normal *nix authentication files method (i.e., "glerp" is not found in "/etc/passwd"). But the next line indicates that SSS does find "glerp" in its authentication method (i.e., authentication via the domain). So "glerp" was not authenticated as a local user, but he was authenticated as a domain user. Then the next line says that although "glerp" has been authenticated as a domain user, "glerp" does not have authorization to ssh in, and then the next line says it's because the password is failing. But that doesn't make sense to me.

-- 
Kent West <")))><
Westing Peacefully - http://kentwest.blogspot.com
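The reading Nicholas gives above (auth stage passed in pam_sss, account stage denied) can be pulled out of auth.log mechanically. The script below is an added example, not part of the thread: it groups the PAM module lines by sshd PID and reports which stage actually rejected the session. The sample log is copied from the post; the stage names, regex and verdict strings are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the five auth.log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=glerp@my.domain
Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=glerp@my.domain
Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_sss(sshd:account): Access denied for user glerp@my.domain: 6 (Permission denied)
Feb 21 17:04:54 21260-debianvm sshd[5284]: Failed password for glerp@my.domain from 127.0.0.1 port 59998 ssh2
Feb 21 17:04:54 21260-debianvm sshd[5284]: fatal: Access denied for user glerp@my.domain by PAM account configuration [preauth]
"""

# Matches "pam_<module>(<service>:<stage>): <message>" as written by Linux-PAM modules.
PAM_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<module>pam_\w+)\((?P<service>\w+):(?P<stage>\w+)\): (?P<msg>.*)"
)


def parse_pam_events(text):
    """Group PAM module outcomes by sshd PID: {pid: [(module, stage, result), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = PAM_RE.search(line)
        if not m:
            continue  # sshd's own "Failed password"/"fatal:" lines carry no stage info
        msg = m["msg"].lower()
        if "success" in msg:
            result = "ok"
        elif "failure" in msg or "denied" in msg:
            result = "fail"
        else:
            result = "other"
        events[m["pid"]].append((m["module"], m["stage"], result))
    return dict(events)


def diagnose(stage_events):
    """Say which PAM stage rejected the session; sshd's generic message hides this."""
    auth_ok = any(st == "auth" and r == "ok" for _, st, r in stage_events)
    account_denied = [mod for mod, st, r in stage_events if st == "account" and r == "fail"]
    if auth_ok and account_denied:
        return f"credentials accepted; access denied in account stage by {account_denied[0]}"
    if not auth_ok:
        return "no auth module accepted the credentials"
    return "no denial recorded"


if __name__ == "__main__":
    for pid, evs in parse_pam_events(SAMPLE_LOG).items():
        print(pid, evs, "->", diagnose(evs))
```

For the quoted session it reports that pam_sss accepted the credentials and then denied access in the account stage, which is the stage where host access policy, not the password, is evaluated.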