
There are 8 Linux servers configured with SSSD for AD user login authentication. Please find the sssd, PAM system-auth, password-auth and sshd config files in the attachment. The issue is that no AD user can log in to the servers over ssh; AD user "jsun" is used as the example here. Linux local user login is fine. In the journal log I can see the error below:


Reinstalling pam with yum completed successfully, but AD users connecting over ssh still get "Authentication failed". Nothing changed.
The journal log still shows the same error as below:
Dec 18 15:57:12 mertvd1 sshd[16839]: debug1: userauth-request for user shshe service ssh-connection method none [preauth]
Dec 18 15:57:12 mertvd1 sshd[16839]: debug1: attempt 0 failures 0 [preauth]
Dec 18 15:57:12 mertvd1 sshd[16839]: debug2: parse_server_config: config reprocess config len 767
Dec 18 15:57:12 mertvd1 sshd[16839]: debug2: monitor_read: 8 used once, disabling now
Dec 18 15:57:12 mertvd1 sshd[16839]: debug2: input_userauth_request: setting up authctxt for shshe [preauth]
Dec 18 15:57:12 mertvd1 sshd[16839]: debug2: input_userauth_request: try method none [preauth]
Dec 18 15:57:12 mertvd1 sshd[16839]: debug1: PAM: initializing for "shshe"
Dec 18 15:57:12 mertvd1 sshd[16839]: debug1: PAM: setting PAM_RHOST to "mkotst.internal"
Dec 18 15:57:12 mertvd1 sshd[16839]: debug1: PAM: setting PAM_TTY to "ssh"
Dec 18 15:57:12 mertvd1 sshd[16839]: debug2: monitor_read: 100 used once, disabling now
Dec 18 15:57:12 mertvd1 sshd[16839]: debug2: monitor_read: 4 used once, disabling now
Dec 18 15:57:12 mertvd1 sshd[16839]: debug2: monitor_read: 80 used once, disabling now
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: userauth-request for user shshe service ssh-connection method password [preauth]
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: attempt 1 failures 0 [preauth]
Dec 18 15:57:20 mertvd1 sshd[16839]: debug2: input_userauth_request: try method password [preauth]
Dec 18 15:57:20 mertvd1 sshd[16839]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=mkotst.internal user=shshe
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: PAM: password authentication accepted for shshe
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: do_pam_account: called
Dec 18 15:57:20 mertvd1 be[internal][30312]: Group Policy Container with DN [cn={70638449-FAE7-4C2F-9061-0D9BFBF28DB8},cn=policies,cn=system,DC=internal] is unreadable or has unreadable or m
Dec 18 15:57:20 mertvd1 be[internal][30312]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Dec 18 15:57:20 mertvd1 sshd[16839]: Failed password for shshe from 10.175.120.49 port 56450 ssh2
Dec 18 15:57:20 mertvd1 sshd[16839]: fatal: Access denied for user shshe by PAM account configuration [preauth]
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: do_cleanup [preauth]
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: monitor_read_log: child log fd closed
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: do_cleanup
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: PAM: cleanup
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: Killing privsep child 16840

Resolution:

Running authconfig --updateall fixes it.

The root cause is a wrongly configured line at the end of the account stack: "account     required      pam_deny.so". Because that line is marked required, it fails the account check for every user who was not already admitted by an earlier sufficient module (local users are, AD users are not), which is exactly the "Access denied for user ... by PAM account configuration" seen in the log after pam_sss reports authentication success.

Changing the line to "account     required      pam_permit.so" also works.

[root@mertvd1 ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5
auth        required      pam_faildelay.so delay=2000000
auth    required pam_listfile.so item=user sense=deny file=/etc/security/users onerr=succeed
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_deny.so        #---> AD users are denied login here

password    requisite     pam_pwquality.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 reject_username
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=13
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

[root@mertvd1 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5
auth        required      pam_faildelay.so delay=2000000
auth    required pam_listfile.so item=user sense=deny file=/etc/security/users onerr=succeed
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 reject_username
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=13
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
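To see why the pam_deny.so tail denies AD users while local users still log in, here is a small simulator of Linux-PAM's control-flag evaluation run over the two account stacks above (an added example; it is not the page's or Linux-PAM's own code, and the user names, uids and module stubs are constructed). It also shows that with the pam_permit.so tail an account unknown to both /etc/passwd and SSSD is still refused, because the failure recorded by the required pam_unix.so line is never overridden by a later success.

```python
# Simplified Linux-PAM stack evaluator (added example, not the page's or Linux-PAM's own code). It models
# keyword and [value=action] controls with ok/bad/die/done/ignore; integer jump actions are not modelled.
import operator

SUCCESS, USER_UNKNOWN, PERM_DENIED, AUTH_ERR = "success", "user_unknown", "perm_denied", "auth_err"
CONTROLS = {"required": {"success": "ok", "default": "bad"},       # keyword controls written as
            "requisite": {"success": "ok", "default": "die"},      # their [value=action] equivalents
            "sufficient": {"success": "done", "default": "ignore"}}
LOCAL_USERS = {"root": 0}           # constructed: accounts present in /etc/passwd
AD_USERS = {"shshe": 1372401105}    # constructed: account and uid served by SSSD (uid is made up)
CMP = {"<": operator.lt, ">=": operator.ge}

def module_result(module, args, user):   # stub of each module's account-phase answer
    uid = LOCAL_USERS.get(user, AD_USERS.get(user))
    if module == "pam_localuser.so":
        return SUCCESS if user in LOCAL_USERS else PERM_DENIED
    if uid is None and module in ("pam_unix.so", "pam_succeed_if.so", "pam_sss.so"):
        return USER_UNKNOWN                   # NSS cannot resolve the account at all
    if module == "pam_succeed_if.so":         # only the "uid <op> N" condition is modelled
        return SUCCESS if CMP[args[1]](uid, int(args[2])) else AUTH_ERR
    if module == "pam_sss.so":
        return SUCCESS if user in AD_USERS else USER_UNKNOWN
    return PERM_DENIED if module == "pam_deny.so" else SUCCESS   # pam_tally2, pam_unix, pam_permit

def parse_line(line):                    # 'account <control> <module> [args]' -> (control, module, args)
    _phase, rest = line.split(None, 1)
    ctl, rest = rest[1:].split("]", 1) if rest.startswith("[") else rest.split(None, 1)
    control = CONTROLS.get(ctl) or dict(kv.split("=") for kv in ctl.split())
    module, *args = rest.split()
    return control, module, args

def run_stack(lines, user):
    """Evaluate the account stack for user; the result is what sshd's do_pam_account acts on."""
    status = None                             # None: no module has contributed yet
    for control, module, args in map(parse_line, lines):
        code = module_result(module, args, user)
        action = control.get(code, control.get("default", "bad"))
        if action == "ignore":
            continue
        if status in (None, SUCCESS):         # first failure wins; later successes never override it
            status = code
        if action == "die" or (action == "done" and status == SUCCESS):
            break                             # requisite failure, or sufficient success with no earlier failure
    return PERM_DENIED if status is None else status
# The page's account stacks: the pam_deny.so tail (broken) and authconfig's pam_permit.so tail (fixed).
COMMON = ["account required pam_tally2.so", "account required pam_unix.so",
          "account sufficient pam_localuser.so", "account sufficient pam_succeed_if.so uid < 1000 quiet",
          "account [default=bad success=ok user_unknown=ignore] pam_sss.so"]
BROKEN = COMMON + ["account required pam_deny.so"]
FIXED = COMMON + ["account required pam_permit.so"]
```

run_stack(BROKEN, "shshe") yields perm_denied while run_stack(FIXED, "shshe") yields success; root passes both stacks via the sufficient pam_localuser.so line before the tail is ever reached.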
