Other AD User unable to login to RHEL 7.4 VM
Hi Experts,
I need your assistance with 2 of our newly built RHEL 7.4 domain-joined VMs. I've tried to SSH to both systems using my AD account admin.acct@domain.com, and I can log in to both systems without any issues, but when other AD users (user2@domain.com) SSH to both VMs they're getting an access denied error, though I already included these users in the sudoers file on both VMs. I checked the secure logs and noticed that it's being authenticated only on pam_unix, instead of pam_sss, which is the one being used for my account:

Dec 7 04:13:06 RhelVM sshd[1849]: Invalid user user2@domain.com from 172.17.53.210 port 64873
Dec 7 04:13:06 RhelVM sshd[1849]: input_userauth_request: invalid user user2@domain.com [preauth]
Dec 7 04:13:09 RhelVM sshd[1849]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 04:13:09 RhelVM sshd[1849]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhelhost.domain.com
Dec 7 04:13:11 RhelVM sshd[1849]: Failed password for invalid user user2@domain.com from 172.17.53.210 port 64873 ssh2
Dec 7 04:14:58 RhelVM sshd[1856]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhelhost.domain.com user=admin.acct@domain.com
Dec 7 04:15:04 RhelVM sshd[1856]: Accepted password for admin.acct@domain.com from 172.17.53.210 port 64884 ssh2
Dec 7 04:15:04 RhelVM sshd[1856]: pam_unix(sshd:session): session opened for user admin.acct@domain.com by (uid=0)

I also tried to run realm deny -all, followed by realm permit -all, but it's still the same.

[root@RhelVM ~]# realm list
domain.com
  type: kerberos
  realm-name: DOMAIN.COM
  domain-name: domain.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@domain.com
  login-policy: allow-realm-logins

SSSD Service Status:

Redirecting to /bin/systemctl status -l sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since Tue 2018-12-04 12:19:22 GMT; 2 days ago
 Main PID: 6095 (sssd)
   CGroup: /system.slice/sssd.service
           ├─6095 /usr/sbin/sssd -i -f
           ├─6096 /usr/libexec/sssd/sssd_be --domain domain.com --uid 0 --gid 0 --debug-to-files
           ├─6097 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           └─6098 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files

Dec 05 08:53:09 RhelVM [sssd[ldap_child[15024]]][15024]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client's credentials have been revoked. Unable to create GSSAPI-encrypted LDAP connection.
Dec 05 08:53:09 RhelVM [sssd[ldap_child[15024]]][15024]: Client's credentials have been revoked
Dec 05 18:16:33 RhelVM [sssd[ldap_child[19184]]][19184]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client's credentials have been revoked. Unable to create GSSAPI-encrypted LDAP connection.

Need help and assistance, thanks!
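An added example, not part of the original post: a small Python triage script that groups the sshd lines quoted above by session PID and reports, per login attempt, whether sshd could resolve the account name and which PAM module handled authentication. The function names `summarize` and `diagnose` are hypothetical; the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Sample input: sshd lines from /var/log/secure as quoted in the post.
SAMPLE = """\
Dec 7 04:13:06 RhelVM sshd[1849]: Invalid user user2@domain.com from 172.17.53.210 port 64873
Dec 7 04:13:09 RhelVM sshd[1849]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 04:13:09 RhelVM sshd[1849]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhelhost.domain.com
Dec 7 04:13:11 RhelVM sshd[1849]: Failed password for invalid user user2@domain.com from 172.17.53.210 port 64873 ssh2
Dec 7 04:14:58 RhelVM sshd[1856]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhelhost.domain.com user=admin.acct@domain.com
Dec 7 04:15:04 RhelVM sshd[1856]: Accepted password for admin.acct@domain.com from 172.17.53.210 port 64884 ssh2
"""

PID = re.compile(r"sshd\[(\d+)\]: (.*)")
INVALID = re.compile(r"^Invalid user (\S+) from ")
PAM = re.compile(r"^(pam_\w+)\(sshd:auth\): "
                 r"(authentication success|authentication failure|check pass; user unknown)")
RESULT = re.compile(r"^(Accepted|Failed) password for (invalid user )?(\S+) from ")

def summarize(text):
    """Return {pid: {user, resolved, pam, result}} for each sshd session."""
    sessions = defaultdict(
        lambda: {"user": None, "resolved": True, "pam": [], "result": None})
    for line in text.splitlines():
        m = PID.search(line)
        if not m:
            continue
        s, msg = sessions[m.group(1)], m.group(2)
        if (i := INVALID.match(msg)):
            # sshd logs this when its passwd lookup for the name returns nothing.
            s["user"], s["resolved"] = i.group(1), False
        elif (p := PAM.match(msg)):
            s["pam"].append((p.group(1), p.group(2)))
        elif (r := RESULT.match(msg)):
            s["user"], s["result"] = r.group(3), r.group(1).lower()
            if r.group(2):
                s["resolved"] = False
    return dict(sessions)

def diagnose(s):
    """One-line reading of a session summary."""
    if not s["resolved"]:
        return "name lookup failed: compare `id` / `getent passwd` output for this user"
    mods = ", ".join(sorted({m for m, _ in s["pam"]})) or "none logged"
    return f"account resolved; auth modules: {mods}; result: {s['result']}"

if __name__ == "__main__":
    for pid, s in summarize(SAMPLE).items():
        print(pid, s["user"], "->", diagnose(s))
```
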
Quote:
https://www.linuxquestions.org/quest...in-4175644052/ Again, have you gone through the RHEL knowledgebase documentation you were given in your other thread? Contacted RHEL Support?
I can say now that this seems related to my previous mail; I will close this now. Thank you.