Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

1 votes
1 answers
858 views
Error when installing openssl-devel [sss_cache] DB version too old
I am building a RHEL8 instance and when installing openssl-devel and python36-devel I get the error
> [sss_cache] [sysdb_domain_cache_connect] (0x0010): DB version too old [0.23], expected [0.24] for domain implicit_files!
>
> Higher version of database is expected! In order to upgrade the database, you must run SSSD.
>
> Removing cache files in /var/lib/sss/db should fix the issue, but note that removing cache files will also remove all of your cached credentials.
I added *sss_cache -E* before the openssl-devel install step but that didn't help. I also tried restarting the sssd service and the error still appears every time.
Regulator (11 rep)
Oct 3, 2024, 12:32 AM • Last activity: Jul 31, 2025, 05:52 PM
5 votes
1 answers
137 views
'sudo su' Permission Denied, but relogging fixes it
I am having an issue that is only present since about April after updating packages. When I am accessing servers and use `sudo su` or `sudo -s` to access root and enter my password, I'll get:
sudo: PAM account management error: Permission denied
sudo: a password is required
However, when I exit and restart the SSH session, it works fine. This is a periodic issue and does not happen on all servers at the same time in my environment. I have noticed that the sssd service reports offline sometimes, but is back up and the log timings don't seem to match up with the events. I have turned on base level logging for sssd, but have not seen anything that is inherently apparent as the issue. Any insight would be welcomed.
Updates: The failed login attempts trigger several PAM modules in sssd_pam.log and end in this:
[pam] [pam_reply] (0x0200): [CID#9] blen: 24
[pam] [pam_reply] (0x0200): [CID#9] Returning : Permission denied to the client
[pam] [client_recv] (0x0200): [CID#9] Client disconnected!
A successful login attempt just triggers SSS_PAM_PREAUTH twice and SSS_PAM_AUTHENTICATE once, and results in this when using sudo:
[pam_reply] (0x0200): [CID#10] blen: 24
[pam] [pam_reply] (0x0200): [CID#10] Returning : Success to the client
[pam] [pam_cmd_acct_mgmt] (0x0100): [CID#10] entering pam_cmd_acct_mgmt
While speaking of PAM, it is worth noting that I have compared PAM configurations from lowers where this is occurring to PROD where it is not present and they are identical; the only change I found yesterday was a smartcard auth rpm file, which I deleted, but that, as expected, did not change this behavior.
More updates: /var/log/secure shows that the same sudo:auth success message leads to two different results. The failed:
pam_sss(sudo:auth): authentication success; logname=xxxx uid=XXXX euid=0 tty=/dev/pts/0 ruser=xxxx rhost= user=xxxx
pam_sss(sudo:account): Access denied for user xxxx: 6 (Permission denied)
The success:
pam_sss(sudo:auth): authentication success; logname=xxxx uid=XXXX euid=0 tty=/dev/pts/0 ruser=xxxx rhost= user=xxxx
pam_unix(sudo:session): session opened for user root by xxxx(uid=xxxx)
I found a configuration difference that may prove useful: /etc/pam.d/systemd-user seems to have a line in unaffected environments that is not present in affected environments:
session  optional pam_keyinit.so force revoke
I'm not familiar with this configuration option so I'm doing some research on it and implementing it. Once it's in place I'll try to replicate the issue, but after a session is restarted (in order to reach root to make the change) it can take a while to present.
Latest Update: I found a line that, upon investigation, doesn't appear to indicate that it would cause this kind of behavior, but I have not been able to reproduce the error since removing this line from /etc/pam.d/login
session    optional     pam_console.so
JCrowder (81 rep)
Jul 14, 2025, 08:14 PM • Last activity: Jul 22, 2025, 02:04 PM
3 votes
1 answers
28682 views
Samba file server + AD + SSSD without Winbind
Currently have a CentOS8 server AD integrated using SSSD + automatic SID->UID mapping/generation. I would like to set up some file shares to make use of AD groups, but am struggling to get it set up. Does anybody have an example config that does not make use of winbind? Currently have the following:
[global]
workgroup =
security = ads
realm =
domain master = no
local master = no
preferred master = no
client min protocol = SMB3
vfs objects = acl_xattr
map acl inherit = yes
log level = 5
idmap config * : backend = sss
idmap config * : range = 10001-2000100000
kerberos method = secrets and keytab
I'm not familiar with setting up Samba, so maybe some of those settings don't make sense/are superfluous? I get the following error when trying to start Samba:
[2021/02/08 19:26:53.511544, 3] ../../source3/auth/token_util.c:788(finalize_local_nt_token)
  Failed to check for local Guests membership (NT_STATUS_INVALID_PARAMETER_MIX)
[2021/02/08 19:26:53.511550, 0] ../../source3/auth/auth_util.c:1403(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_INVALID_PARAMETER_MIX
[2021/02/08 19:26:53.511603, 0] ../../source3/smbd/server.c:2052(main)
  ERROR: failed to setup guest info.
Thank you
Storage4852 (31 rep)
Feb 8, 2021, 08:13 PM • Last activity: Jun 28, 2025, 09:08 PM
0 votes
1 answers
510 views
Auto-unlocking gnome-keyring does not work when using pam_sss
The Gnome Keyrings "Login" and "Default" are not unlocked automatically on my Linux Mint 22 machine. This is an LDAP user account and login goes through pam_sss.so (SSSD). The journal seems to indicate that pam_gnome_keyring.so does not receive the entered password (gkr-pam: no password is available for user), but I do not understand why:
$ sudo journalctl -b | egrep -i 'keyring|pam'
Okt 11 17:24:16 promoter lightdm: gkr-pam: gnome-keyring-daemon started properly
Okt 11 17:24:17 promoter lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "fritz"
Okt 11 17:24:22 promoter lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=fritz
Okt 11 17:24:22 promoter lightdm: gkr-pam: no password is available for user
Okt 11 17:24:22 promoter lightdm: pam_unix(lightdm:session): session opened for user fritz(uid=30108) by (uid=0)
Okt 11 17:24:22 promoter lightdm: gkr-pam: gnome-keyring-daemon started properly
Here's the (hopefully) relevant sections of my PAM auth config. I could provide more, but I don't think that common-account, common-session, and common-password are relevant to this question:
$ cat /etc/pam.d/lightdm
#%PAM-1.0
auth    requisite       pam_nologin.so
auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
-auth    optional        pam_gnome_keyring.so
-auth    optional        pam_kwallet.so
-auth    optional        pam_kwallet5.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
#session required        pam_loginuid.so
session required        pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional        pam_gnome_keyring.so auto_start
-session optional        pam_kwallet.so auto_start
-session optional        pam_kwallet5.so auto_start
session required        pam_env.so readenv=1
session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-password
$ cat /etc/pam.d/common-auth
# here are the per-package modules (the "Primary" block)
auth	[success=2 default=ignore]	pam_sss.so
auth	[success=1 default=ignore]	pam_unix.so nullok
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	required	pam_ecryptfs.so unwrap
auth	optional			pam_cap.so 
# end of pam-auth-update config
Further observations:
* The journal message "gkr-pam: no password is available for user" also appears when unlocking the screensaver from source cinnamon-screensaver-pam-helper.
Fritz (748 rep)
Oct 14, 2024, 08:36 AM • Last activity: Jun 24, 2025, 11:53 AM
3 votes
1 answers
2289 views
Get sudoers through LDAP (SUSE Linux Enterprise Server 12)
I have a problem with my LDAP configuration on SUSE Linux Enterprise Server 12. As many of you know, the ldap.conf file has been replaced with sssd.conf and a couple of other conf files like nsswitch.conf. I want to have authentication through LDAP, picking users from a specific OU. I also need to get the definition for sudoers through LDAP. I have never worked with sssd before. My current NSS configuration looks as follows:
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files
passwd_compat: files
group_compat: files
sudoers: ldap files [I added this line]
And here is my sssd.conf:
[sssd]
config_file_version = 2
services = nss, pam
domains = *****
sbus_timeout = 30

[nss]
filter_users = root
filter_groups = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]

[domain/GuH]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_user_object_class = posixAccount
debug_level = 20
#access_provider = ldap
ldap_uri = ldap://******.de
ldap_search_base = o=***
create_homedir = truei
ldap_tls_cacert = /etc/sssd/certs/*******.pem
ldap_tls_cacertdir = /etc/sssd/certs
ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=********,o=guh
ldap_default_authtok_type = *******
ldap_default_authtok = *********
ldap_user_member_of = *********
ldap_group_name = cn=*******,ou=*******,ou=******,o=******
Just assume the * are put in correctly. Also, is there anything to do in a PAM config file? I have not seen anyone address it yet.
Meerkat (211 rep)
Sep 14, 2016, 10:37 AM • Last activity: Jun 16, 2025, 05:00 AM
0 votes
1 answers
1902 views
On starting sssd
there. At first, it says the daemon couldn't find the /etc/sssd/sssd.conf. So, I created this and, when executing sssd "systemctl start sssd.service", it shows the following errors.
Jun 25 21:00:48 tmax1 sssd[nss]: Starting up
Jun 25 21:00:48 tmax1 sssd[nss]: Starting up
Jun 25 21:00:48 tmax1 sssd[pam]: Starting up
Jun 25 21:00:48 tmax1 sssd[pam]: Starting up
Jun 25 21:00:49 tmax1 sssd[be[DOMAIN.COM]]: Starting up
Jun 25 21:00:49 tmax1 sssd: Exiting the SSSD. Could not restart critical service [DOMAIN.COM].
Jun 25 21:00:49 tmax1 systemd: sssd.service: main process exited, code=exited, status=1/FAILURE
Jun 25 21:00:49 tmax1 systemd: Failed to start System Security Services Daemon.
Jun 25 21:00:49 tmax1 systemd: Unit sssd.service entered failed state.
Jun 25 21:00:49 tmax1 systemd: sssd.service failed.
Is there any other configuration file or something to check before running sssd? I can check the realm by "realm discover DOMAIN.COM". Ping is fine.
[test1@ ~]$ realm discover domain.com
domain.com
  type: kerberos
  realm-name: DOMAIN.COM
  domain-name: domain.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
Sometimes, the "kinit" command doesn't work, but I can see the ticket by the "klist" only with the root account.
[test1@ ~]$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found

[root@ ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: administrator@DOMAIN.COM

Valid starting       Expires              Service principal
06/25/2018 17:08:47  06/26/2018 03:08:47  krbtgt/DOMAIN.COM@DOMAIN.COM
	renew until 07/02/2018 17:08:45
What do I do more to start sssd..? Thank you.
owcred601 (35 rep)
Jun 25, 2018, 09:17 AM • Last activity: Jun 8, 2025, 04:08 AM
2 votes
3 answers
22739 views
sssd: AD user cannot login in RHEL 7
I can switch to the mentioned domain user with the su command from the server, but ssh login is failing. The user's domain group is already added in the sssd.conf file under "simple_allow_groups". The errors in /var/log/secure appear as follows:
Jan 18 04:10:18 m1-vlp0006 sshd: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=138.35.x.x user=postl\u522660
Jan 18 04:10:18 m1-vlp0006 sshd: pam_sss(sshd:account): Access denied for user postl\u522660: 6 (Permission denied)
Jan 18 04:10:18 m1-vlp0006 sshd: Failed password for postl\\u522660 from 138.35.x.x port 57903 ssh2
Jan 18 04:10:18 m1-vlp0006 sshd: fatal: Access denied for user postl\\\\u522660 by PAM account configuration [preauth]
Understood that it says failed password. But in reality that is not the case: I am able to log in to other Windows machines with that domain user successfully, and I am entering the same credentials here as well. So my input credentials are correct, but I am not sure why it is showing that. Further, I can see an authentication success initially, but it ends up with access denied. Is there any configuration missing to allow a particular AD user or group to permit login to this server, other than adding the corresponding group of that user to "simple_allow_groups"? The configuration looks like below:
[root@xxx.xxxx.xxx ~]# realm list --all
POSTLl.xxxx.xxx
  type: kerberos
  realm-name: POSTL.xxxx.xxx
  domain-name: POSTL.xxxx.xxx
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@POSTL.xxxx.xxx
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: gu-adm-infra-unix-systems, gu-adm-esm%unix, gu-adm-epicon, domain%users
Prajith P (57 rep)
Jan 18, 2019, 04:43 AM • Last activity: May 31, 2025, 12:07 AM
3 votes
1 answers
4704 views
Utilizing Samba Shares Without using Winbind
I am curious if it is possible to use samba shares without using winbind. In our current environment we are using SSSD, Kerberos, and Samba to complete the required tasks such as joining the Windows domain and setting up Active Directory. Since we are using SSSD instead of winbind, how can we set up a samba share for the Windows machines to access using the current implementation? I can share some of the configuration as necessary. Using RedHat Enterprise 6 and Samba v 3.6.9
user2104891 (31 rep)
Nov 19, 2014, 03:23 AM • Last activity: Apr 26, 2025, 09:00 PM
1 votes
0 answers
1093 views
Linux server - AD Login enabled - how to add AD group to local group
My RHEL servers are enabled with Active Directory authentication configured in the sssd.conf file. I have allowed a few AD groups in sssd.conf to log in to the Linux server. The issue is: I need to know how I add these AD groups' members to a local group membership. I tried adding the AD group in /etc/group but that's not working:
docker:x:332:user1,user2,**g-my-AD-user-group**
judi (71 rep)
Oct 20, 2022, 11:26 AM • Last activity: Apr 18, 2025, 09:30 AM
2 votes
1 answers
2499 views
Login not chdir()ing to correct home directory (AD/realmd/sssd)
I'm forced (ugh) to join several linux machines to a domain. I'm currently using debian stable, and am joining the machines using a join script I wrote (at https://rbmj.github.io/join.sh for reference). The setup uses realm and sssd for all of the joining magic, and pam_mkhomedir to create home directories. Machines are debian stable. getent passwd $USER shows proper uid/gid and home directory set to /home/$DOMAIN/$USER as it should be. The problem is that on logon pam_mkhomedir.so is creating the home directory in the proper place (/home/$DOMAIN/$USER), but login tries to chdir() into /home/$USER. The workaround I'm currently using is symlinking /home/$DOMAIN to /home, which *is* an ugly symlink loop, but it gets the job done for now. Once I can figure this out migration should be fairly straightforward, as there's only one or two system accounts so I can move the rest via script. Since this is a recently installed debian stable machine, I think it's a systemd issue, as I believe the standard login daemon is replaced by systemd-logind or similar cruft. I think this is a bug somewhere, as login should try to change directory to whatever nsswitch indicates is the user's proper home directory, but I'm no expert.
Robert Mason (101 rep)
Jun 7, 2016, 06:13 PM • Last activity: Apr 15, 2025, 01:06 PM
1 votes
0 answers
59 views
OpenLDAP ppolicy and pwdGraceUseTime: How many grace logins are needed to change the password?
For a test, I created a testing password policy for OpenLDAP 2.4, and when a user with an expired password logs in, they get a message like: > Your password has expired. You have 2 grace login(s) remaining. However the user was not able to change the password using passwd with sssd being the LDAP client. As it turned out, the number of grace logins after user log-in was only "one left", and that one was not enough to change the password; it seems that either passwd or sssd need **two** grace logins to change the password. However when using the classic (PAM) LDAP client, the user was able to change the password. Is that correct, and can anybody explain?
U. Windl (1715 rep)
Oct 14, 2024, 08:14 AM • Last activity: Mar 17, 2025, 02:31 PM
1 votes
0 answers
743 views
Bursts of errors "Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client (...) not found in Kerberos database."
I have set up some RHEL9 servers to authenticate through the AD for the domain EXAMPLE.XYZ; this is done via Ansible playbooks, and so far all works well. (It's the same setup as this previous question: https://unix.stackexchange.com/questions/786569/joining-domain-via-ansible-returns-error-already-joined-to-this-domain-while-v) However, every few minutes, on each host (let's say on myhost42) there are bursts of error messages, several times per second, in /var/log/messages:
Feb 19 15:23:32 myhost42 ldap_child: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'MYHOST42$@EXAMPLE.XYZ' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
This is the /etc/krb5.conf file:
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
forwardable = true
default_realm = EXAMPLE.XYZ
default_ccache_name = KEYRING:persistent:%{uid}
udp_preference_limit = 0

[realms]

[domain_realm]
What can be done to troubleshoot the issue?

EDIT #1: Based on a comment below and my research, it might be due to a missing association between the AD domain and the Kerberos realm and/or missing entries in the Kerberos keytab.
However, I'm using the same configuration as another server farm, which works correctly.
This is the output of klist -kt /etc/krb5.keytab:
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/25/2025 15:53:24 MYHOST42$@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 MYHOST42$@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 host/MYHOST42@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 host/MYHOST42@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 host/myhost42.EXAMPLE.XYZ@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 host/myhost42.EXAMPLE.XYZ@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 RestrictedKrbHost/MYHOST42@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 RestrictedKrbHost/MYHOST42@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 RestrictedKrbHost/myhost42.EXAMPLE.XYZ@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 RestrictedKrbHost/myhost42.EXAMPLE.XYZ@EXAMPLE.XYZ
dr_ (32068 rep)
Feb 19, 2025, 02:45 PM • Last activity: Feb 26, 2025, 10:57 AM
0 votes
1 answers
90 views
What is changing /etc/sssd/sssd.conf?
I have an Ansible playbook that writes to /etc/sssd/sssd.conf this Jinja template (variables are defined somewhere else):
# This line is just to check that the file is written correctly
[sssd]
domains = {{ domain }}
config_file_version = 2
services = nss, pam

[domain/{{ domain }}]
id_provider = ad
auth_provider = ad
ad_domain = {{ domain }}
ad_server = {{ ad_server }}
krb5_realm = {{ domain | upper }}
cache_credentials = true
krb5_store_password_if_offline = true
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = false
fallback_homedir = /home/EXAMPLE/%u
access_provider = simple
simple_allow_groups = {{ simple_allow_groups }}
simple_allow_users = {{ simple_allow_users }}
ignore_group_members = true
enumerate = False
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
Then the playbook restarts sssd, and does some realm leave and realm join operations. After running the playbook, this is the content of /etc/sssd/sssd.conf on the server:
# This line is just to check that the file is written correctly
[sssd]
domains = example.abc
config_file_version = 2
services = nss, pam

[domain/example.abc]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.ABC
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = example.abc
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
What is changing /etc/sssd/sssd.conf, and how?
dr_ (32068 rep)
Jan 22, 2025, 05:12 PM • Last activity: Jan 23, 2025, 08:13 AM
0 votes
0 answers
75 views
NetworkManager and /etc/nsswitch.conf
I'm looking to use SSSD to connect to Wifi WPA2 Enterprise (on Ubuntu 22.04). **Can nmcli (NetworkManager) use /etc/nsswitch.conf** to authenticate to Wifi without user action for on-site mode? Thanks for your help
kto (1 rep)
Nov 12, 2024, 11:03 AM • Last activity: Nov 12, 2024, 12:26 PM
1 votes
0 answers
115 views
How it is expected to make domain-joined linux computers connect Wi-Fi 802.1x with computer authentication?
I have an Active Directory domain with Windows computers: when I join a computer to AD, it gets a computer account (computername$) and an 802.1x group policy which says
> Connect to SSID mySSID
> validate AAA server issuer certificate and its FQDN,
> use PEAP\MSCHAPv2,
> use **computer** account for authentication
Works well. How can I configure an Ubuntu Linux Desktop computer, joined with sssd to the same AD domain, to authenticate to Wi-Fi the same way?
filimonic (141 rep)
Aug 11, 2024, 03:34 PM • Last activity: Nov 12, 2024, 10:58 AM
0 votes
1 answers
71 views
Startup/Mounting fails because "No free loop devices"
When I switched on my laptop, I suddenly could not log in anymore. Everything was working fine until then, I was not messing with any settings. When I enter my password on the (gnome) login screen, the screen just reloads. I can log in on a tty console, but I get the error
Fedora Linux 36 (Thirty Six) Kernel 6.2.15-188.fc36.x86_64 on an x86_64 (tty2)

thinkpad login: ga325
Password: 
(mount.c:68): Messages from underlying mount program:
(mount.c:72): No free loop device 
(mount.c:72): (crypto.c:318): Error: no free loop devices
(pam_mount.c:522): mount of /scratch/crypt/home-ga325.luks failed 
Last login: Wed Sep 11 28:41:31 on tty5
--- ga325: /scratch/users/ga325: change directory failed: Permission denied
Logging in with home = "/"
-bash: /scratch/users/ga325/.bash_profile: Permission denied
My home dir is shown as completely empty. The luks file still exists and is large (180GB).
Debugging info: There are five loop devices that are all taken up by snap apps, see here:
df -h: (screenshot in original post)
Furthermore, ls -l /var/lib/snapd/snaps shows five .snap files (corresponding to the loop devices) that have all been touched last week. I snap installed and uninstalled Spotify last week, so this may have caused it. The following outputs may be helpful for debugging:
cat /etc/fstab: (screenshot in original post)
journalctl -xe:
start job for unit session-2.scope has finished successfully.
The job identifier is 3128 
22:48:11 thinkpad login: pam_unix(login:session): session opened for user ga325(uid=217589) by LOGIN(uid=0) 
22:48:11 thinkpad login: pam_sss(login:session): Request to sssd failed. Connection refused
22:48:11 thinkpad audit: AVC avc: denied { getattr } for pid=1795 comm="login" path="/run/mount/utab" dev="tr
22:48:11 thinkpad audit[1795]: AVC avc: denied { read } for pid=1795 comm="login" name="utab" dev="tmpfs" ino=696 s
22:48:11 thinkpad audit: AVC avc: denied { open } for pid=1795 comm="login" path="/run/mount/utab" dev="tmpf:
22:48:11 thinkpad audit: AVC avc: denied { execute } for pid=1873 comm="login" name="mount.crypt" dev="mmebi
22:48:11 thinkpad audit: AVC avc: denied { entrypoint } for pid=1873 comm="login" path="/usr/sbin/mount.cryp
22:48:11 thinkpad login[1795]: (mount.c:68): Messages from underlying mount program:
22:48:11 thinkpad login: (mount.c:72): No free loop device
22:48:11 thinkpad login: (mount.c:72): (crypto.c:310): Error: no free loop devices
22:48:11 thinkpad login: (pam_mount.c:522): mount of /scratch/crypt/home-ga325.luks failed
22:48:11 thinkpad audit: USER_START pid=1795 uid=0 auid=217589 ses=2 subj=system_u:system_r:local_login_t:s0-s0
22:48:11 thinkpad audit: CRED_REFR pid=1795 uid=0 auid=217589 ses=2 subj=system_u:system_r:local_login_t:s0-s0:
22:48:11 thinkpad audit: USER_LOGIN pid=1795 uid=0 auid=217589 ses=2 subj=system_u:system_r:local_login_t:s0-s0
22:48:11 thinkpad login: LOGIN ON tty2 BY ga325
22:48:11 thinkpad setroubleshoot: SELinux is preventing gnome-shell from read access on the lnk_file /scratch/l
service sssd status: (screenshot in original post)
Questions:
- Is this an sssd problem or a mounting problem?
- How to debug/fix it?
- Can I recover my data from just the luks file?
ga325 (31 rep)
Sep 11, 2024, 11:17 PM • Last activity: Sep 30, 2024, 01:00 PM
2 votes
1 answers
597 views
SSSD-AD allowing sshd login without password nor key
When trying to get an Ubuntu 22 joined to our AD domain via SSSD, I have encountered an odd situation where any AD user can login to the system without any password prompt and no ssh-key setup on the host. In the below example USER1 is a sanitized account name with no .ssh directory nor authorized_keys setup on the Ubuntu host. I believe this is a PAM configuration issue, but I am not sure what specifically in the PAM configs would need to be updated to force a password prompt.

/etc/ssh/sshd_config includes:

```
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
AllowTcpForwarding yes
X11Forwarding no
PermitUserEnvironment no
ClientAliveInterval 900
ClientAliveCountMax 0
UseDNS no
MaxStartups 10:30:100
```

**SSHD debug log output** when USER1 logs into the host successfully without any password prompt on the client side.

```
sshd: debug1: Forked child 158343.
sshd: debug1: Set /proc/self/oom_score_adj to 0
sshd: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
sshd: debug1: inetd sockets after dupping: 4, 4
sshd: Connection from 172.30.128.205 port 64416 on 10.63.129.197 port 22 rdomain ""
sshd: debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.7
sshd: debug1: Remote protocol version 2.0, remote software version OpenSSH_9.7
sshd: debug1: compat_banner: match: OpenSSH_9.7 pat OpenSSH* compat 0x04000000
sshd: debug1: permanently_set_uid: 106/65534 [preauth]
sshd: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
sshd: debug1: SSH2_MSG_KEXINIT sent [preauth]
sshd: debug1: SSH2_MSG_KEXINIT received [preauth]
sshd: debug1: kex: algorithm: curve25519-sha256@libssh.org [preauth]
sshd: debug1: kex: host key algorithm: ssh-ed25519 [preauth]
sshd: debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
sshd: debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
sshd: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
sshd: debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
sshd: debug1: ssh_packet_send2_wrapped: resetting send seqnr 3 [preauth]
sshd: debug1: rekey out after 134217728 blocks [preauth]
sshd: debug1: SSH2_MSG_NEWKEYS sent [preauth]
sshd: debug1: Sending SSH2_MSG_EXT_INFO [preauth]
sshd: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
sshd: debug1: ssh_packet_read_poll2: resetting read seqnr 3 [preauth]
sshd: debug1: SSH2_MSG_NEWKEYS received [preauth]
sshd: debug1: rekey in after 134217728 blocks [preauth]
sshd: debug1: KEX done [preauth]
sshd: debug1: userauth-request for user USER1 service ssh-connection method none [preauth]
sshd: debug1: attempt 0 failures 0 [preauth]
sshd: debug1: PAM: initializing for "USER1"
sshd: debug1: PAM: setting PAM_RHOST to "172.30.128.205"
sshd: debug1: PAM: setting PAM_TTY to "ssh"
sshd: debug1: userauth_send_banner: sent [preauth]
sshd: debug1: userauth-request for user USER1 service ssh-connection method publickey [preauth]
sshd: debug1: attempt 1 failures 0 [preauth]
sshd: debug1: userauth_pubkey: publickey test pkalg rsa-sha2-512 pkblob RSA SHA256:IvAkAVaIAXzi48uZEHICHHUVZgYQ5QozSfi/YwvJeUM [preauth]
sshd: debug1: temporarily_use_uid: 219435810/219400513 (e=0/0)
sshd: debug1: trying public key file /home/USER1/.ssh/authorized_keys
sshd: debug1: Could not open authorized keys '/home/USER1/.ssh/authorized_keys': No such file or directory
sshd: debug1: restore_uid: 0/0
sshd: Failed publickey for USER1 from 172.30.128.205 port 64416 ssh2: RSA SHA256:IvAkAVaIAXzi48uZEHICHHUVZgYQ5QozSfi/YwvJeUM
sshd: debug1: userauth-request for user USER1 service ssh-connection method keyboard-interactive [preauth]
sshd: debug1: attempt 2 failures 1 [preauth]
sshd: debug1: keyboard-interactive devs [preauth]
sshd: debug1: auth2_challenge: user=USER1 devs= [preauth]
sshd: debug1: kbdint_alloc: devices 'pam' [preauth]
sshd: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
sshd: debug1: do_pam_account: called
sshd: pam_access(sshd:account): cannot resolve hostname "cron"
sshd: pam_access(sshd:account): cannot resolve hostname "crond"
sshd: pam_faillock(sshd:account): Unknown option: unlock
sshd: debug1: PAM: num PAM env strings 2
sshd: Postponed keyboard-interactive for USER1 from 172.30.128.205 port 64416 ssh2 [preauth]
sshd: debug1: do_pam_account: called
sshd: Accepted keyboard-interactive/pam for USER1 from 172.30.128.205 port 64416 ssh2
sshd: debug1: monitor_child_preauth: user USER1 authenticated by privileged process
sshd: debug1: monitor_read_log: child log fd closed
sshd: debug1: PAM: establishing credentials
sshd: pam_unix(sshd:session): session opened for user USER1(uid=219435810) by (uid=0)
systemd-logind: New session 2938 of user USER1.
systemd: pam_faillock(systemd-user:account): Unknown option: unlock
systemd: pam_unix(systemd-user:session): session opened for user USER1(uid=219435810) by (uid=0)
sshd: User child is on pid 158357
sshd: debug1: SELinux support disabled
sshd: debug1: PAM: establishing credentials
sshd: debug1: permanently_set_uid: 219435810/219400513
sshd: debug1: rekey in after 134217728 blocks
sshd: debug1: rekey out after 134217728 blocks
sshd: debug1: ssh_packet_set_postauth: called
sshd: debug1: active: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
sshd: debug1: Entering interactive session for SSH2.
sshd: debug1: server_init_dispatch
sshd: debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
sshd: debug1: input_session_request
sshd: debug1: channel 0: new [server-session]
sshd: debug1: session_new: session 0
sshd: debug1: session_open: channel 0
sshd: debug1: session_open: session 0: link with channel 0
sshd: debug1: server_input_channel_open: confirm session
sshd: debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
sshd: debug1: server_input_channel_req: channel 0 request pty-req reply 1
sshd: debug1: session_by_channel: session 0 channel 0
sshd: debug1: session_input_channel_req: session 0 req pty-req
sshd: debug1: Allocating pty.
sshd: debug1: session_new: session 0
sshd: debug1: SELinux support disabled
sshd: debug1: session_pty_req: session 0 alloc /dev/pts/5
sshd: debug1: Ignoring unsupported tty mode opcode 11 (0xb)
sshd: debug1: Ignoring unsupported tty mode opcode 17 (0x11)
sshd: debug1: server_input_channel_req: channel 0 request env reply 0
sshd: debug1: session_by_channel: session 0 channel 0
sshd: debug1: session_input_channel_req: session 0 req env
sshd: debug1: server_input_channel_req: channel 0 request env reply 0
```

**SSSD.conf file contents:**

```
[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam
override_space = _
#default_domain_suffix = my.domain.com
domain_resolution_order = my.domain.com
debug_level = 9
full_name_format=%1$s

[nss]
#cache_first = True

[domain/my.domain.com]
#default_shell = /bin/bash
#krb5_store_password_if_offline = True
#cache_credentials = True
#krb5_realm = my.domain.com
#realmd_tags = manages-system joined-with-adcli
#id_provider = ad
#fallback_homedir = /home/%u
#ad_domain = my.domain.com
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = my.domain.com
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = my.domain.com
ad_enabled_domains = my.domain.com
ignore_group_members = True
subdomain_inherit = ignore_group_members
ldap_referrals = False
dyndns_update = false
ad_gpo_access_control = disabled
dyndns_update_ptr = false
ldap_opt_timeout = 20
ldap_network_timeout = 20
dns_resolver_timeout = 20
ad_use_ldaps = false
```

**/etc/pam.d/sshd**

```
# grep -v "#" /etc/pam.d/sshd
@include common-auth
account required pam_nologin.so
account required pam_access.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session required pam_limits.so
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
```

**common-auth**

```
auth [default=4 success=ok] pam_localuser.so
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
```

**common-password**

```
password [success=2 default=ignore] pam_unix.so obscure yescrypt
password sufficient pam_sss.so use_authtok
password requisite pam_deny.so
password required pam_permit.so
```

**common-account**

```
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_faillock.so
```
Alex (85 rep)
Sep 5, 2024, 05:26 PM • Last activity: Sep 22, 2024, 12:50 PM
2 votes
1 answers
304 views
KRB5 authentication using sssd only checks first domain
I am using both Red Hat and Ubuntu, but I'll start with Ubuntu (18.04.6). I want to authenticate with two KRB5 realms (not joined to AD); I'll call them REALM1 and REALM2. Some users are in REALM1, others are in REALM2. I configured krb5.conf and sssd.conf with both realms. You have to select a default realm in krb5.conf, so I picked REALM1 at random. If I use kinit, it will always check REALM1 but not REALM2. I guess I can live with that. I set up SSSD; it doesn't ask for a default realm. I can log in with a REALM1 username, but not a REALM2 username. Looking at logs, it looks like it only tries the first realm. I'd like a user to be able to just enter their username (without realm) and the system tries both realms. How can I configure this? Here's how my sssd.conf is set up:
```
[sssd]
services = nss, pam
domains = REALM1, REALM2

[domain/REALM2]
id_provider = proxy
proxy_lib_name=files
auth_provider = krb5
krb5_realm = REALM2
krb5_validate = false
krb5_server = kdc1address

[domain/REALM1]
id_provider = proxy
proxy_lib_name=files
auth_provider = krb5
krb5_realm = REALM1
krb5_validate = false
krb5_server = kdc2address

[pam]
offline_credentials_expiration = 1
pam_cert_auth = true
```

And my krb5.conf:

```
[libdefaults]
        default_realm = REALM1
        forwardable = true
        proxiable = true

[realms]
 REALM2 = {
  kdc = kdc1address
  admin_server = kdc1address
 }

 REALM1 = {
  kdc = kdc2address
  admin_server = kdc2address
 }

[domain_realm]
 .realm2 = REALM2
 realm2 = REALM2
 .realm1 = REALM1
 realm1 = REALM1
```

One solution is to set the pam_sss "domains" option to restrict to a single domain, then add an identical line for the second domain.

```
auth    sufficient      pam_sss.so domains=REALM1 forward_pass
auth    sufficient      pam_sss.so domains=REALM2 forward_pass
```

This works on newer systems, but not on 18. I think my version of sssd (1.16.1) is too old. As a workaround, switching to pam_krb5 does work. However, the domains setting in sssd.conf seems like it's specifically designed to check multiple domains, so I don't understand why it doesn't work.
eng3 (330 rep)
Sep 13, 2024, 10:53 PM • Last activity: Sep 21, 2024, 12:09 PM
-2 votes
1 answers
442 views
LDAP: What is the most suitable solution for remote home directories today?
I have created an LDAP (OpenLDAP and LAM) server with a structure, and I solved the remote configuration of sudo. I configured the client stations (they will be exclusively Ubuntu Linux) to use LDAP with SSSD, and the connections are encrypted (ldaps). Now I need to resolve remote shared home directories for users that are created in the LDAP database. A sufficiently large disk with appropriate quotas set is connected to the server where the LDAP server is running. The user from the client PC logs into the system after successful authentication using LDAP and SSSD. At this point I would need to:

- After logging in via SSSD and LDAP, the user gets access to his remote home directory (on the server where LDAP is running).
- The remote directory will be automatically mounted to /home/user_name-from_LDAP after login.

I have read several tutorials and how-tos and tried deploying Samba. However, many instructions are outdated, incomplete and often focus only on a certain part. I'm just a beginner in LDAP, Samba and Kerberos. With Samba, I read about a problem with connecting Samba-LDAP user databases, where maintaining and managing users is difficult. I ran into this problem when trying to configure it, and I also failed to connect Samba to LDAPS, with constant TLS errors, while all test steps with ldapsearch and openssl went OK. I also read about the possibility of using Kerberos in addition to LDAP and Samba. Compatibility with Windows clients was also often addressed, which will not be my case. I'm honestly confused and I'm looking for the most efficient, easiest to manage, and easiest to implement solution with some clear instructions. So my question is: which alternative should I choose for remote home directories? LDAP should be used, the user database is created in OpenLDAP, and the client stations will be Ubuntu Linux systems with SSSD only. The goal is also to automatically mount remote home directories after client login. Thanks for any advice and guidance.
Mato (609 rep)
Aug 24, 2024, 08:28 PM • Last activity: Aug 25, 2024, 10:02 AM
5 votes
1 answers
27690 views
CentOS 7.7 - sudo: PAM account management error: Permission denied
We have a CentOS 7.7 system which is joined to a Microsoft AD domain using realmd/sssd. Sudo does work perfectly fine for local system users, however when we attempt to use sudo as an Active Directory user (ocftest) we get the following error:
```
sudo: PAM account management error: Permission denied
```
We are using the following version of sudo: sudo-1.8.23-9.el7.x86_64.rpm The user can "ssh" perfectly fine to the system using their password. This issue comes up a few times after a bit of Googling, and commonly refers to adding the following to the "/etc/security/access.conf" file:
```
+ : ocftest : ALL
- : ALL : ALL
```
The users group with the same name (although I have tried the user) is present in the "/etc/sudoers.d/salt" file:
```
%ocftest@ad.domain.org ALL=(ALL) ALL
```
And just for completeness:
```
cat /etc/pam.d/sudo
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    include      system-auth
```

```
cat /etc/pam.d/sudo-i
#%PAM-1.0
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    include      sudo
```

```
cat /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so use_authtok

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_krb5.so
```

```
cat /etc/sssd/sssd.conf
[sssd]
domains = ad.domain.org
config_file_version = 2
services = nss, pam

[domain/ad.domain.org]
ad_domain = ad.domain.org
krb5_realm = AD.DOMAIN.ORG
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ignore_group_members = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
enumerate = True
dyndns_update = False
auto_private_groups = true
ad_access_filter = (&(memberOf=OU=Users,OU=REDACTED,DC=redacted,DC=org))

[pam]
```
OCF_Lee (51 rep)
Sep 16, 2020, 09:39 PM • Last activity: Jul 29, 2024, 04:04 AM