LinuxQuestions.org
Old 12-06-2018, 10:37 PM   #1
Champ14

Other AD User unable to login to RHEL 7.4 VM


Hi Experts,

Need your assistance on 2 of our newly built RHEL 7.4 domain-joined VMs.

I've tried to SSH to both systems using my AD account admin.acct@domain.com, and I can log in to both systems without any issues, but when other AD users (user2@domain.com) SSH to both VMs they get an access denied error, though I already included these users in the sudoers file on both VMs.

I checked the secure logs and noticed that it's being authenticated only on pam_unix, instead of pam_sss, which is the one being used for my account.

Dec 7 04:13:06 RhelVM sshd[1849]: Invalid user user2@domain.com from 172.17.53.210 port 64873
Dec 7 04:13:06 RhelVM sshd[1849]: input_userauth_request: invalid user user2@domain.com [preauth]
Dec 7 04:13:09 RhelVM sshd[1849]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 04:13:09 RhelVM sshd[1849]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhelhost.domain.com
Dec 7 04:13:11 RhelVM sshd[1849]: Failed password for invalid user user2@domain.com from 172.17.53.210 port 64873 ssh2
Dec 7 04:14:58 RhelVM sshd[1856]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhelhost.domain.com user=admin.acct@domain.com
Dec 7 04:15:04 RhelVM sshd[1856]: Accepted password for admin.acct@domain.com from 172.17.53.210 port 64884 ssh2
Dec 7 04:15:04 RhelVM sshd[1856]: pam_unix(sshd:session): session opened for user admin.acct@domain.com by (uid=0)

Tried to also run realm deny -all, then followed by realm permit -all but still the same

[root@RhelVM ~]# realm list
domain.com
type: kerberos
realm-name: DOMAIN.COM
domain-name: domain.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@domain.com
login-policy: allow-realm-logins


SSSD Service Status:

Redirecting to /bin/systemctl status -l sssd.service
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/sssd.service.d
└─journal.conf
Active: active (running) since Tue 2018-12-04 12:19:22 GMT; 2 days ago
Main PID: 6095 (sssd)
CGroup: /system.slice/sssd.service
├─6095 /usr/sbin/sssd -i -f
├─6096 /usr/libexec/sssd/sssd_be --domain domain.com --uid 0 --gid 0 --debug-to-files
├─6097 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
└─6098 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files

Dec 05 08:53:09RhelVM [sssd[ldap_child[15024]]][15024]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client's credentials have been revoked. Unable to create GSSAPI-encrypted LDAP connection.
Dec 05 08:53:09 RhelVM [sssd[ldap_child[15024]]][15024]: Client's credentials have been revoked
Dec 05 18:16:33 RhelVM [sssd[ldap_child[19184]]][19184]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client's credentials have been revoked. Unable to create GSSAPI-encrypted LDAP connection.


Need help and assistance, thanks!

Last edited by Champ14; 12-07-2018 at 12:53 AM.
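
Added example, not part of the original post: a small triage script for the log lines quoted above. It groups sshd entries by PID, records which PAM module logged each attempt, flags the "Invalid user" line (which sshd writes when its account lookup returns nothing, before any password is checked), and surfaces SSSD keytab errors alongside. The function names `triage` and `diagnose` are hypothetical.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (sshd entries plus one sssd ldap_child entry).
SAMPLE = """\
Dec 7 04:13:06 RhelVM sshd[1849]: Invalid user user2@domain.com from 172.17.53.210 port 64873
Dec 7 04:13:09 RhelVM sshd[1849]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 04:13:11 RhelVM sshd[1849]: Failed password for invalid user user2@domain.com from 172.17.53.210 port 64873 ssh2
Dec 7 04:14:58 RhelVM sshd[1856]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhelhost.domain.com user=admin.acct@domain.com
Dec 7 04:15:04 RhelVM sshd[1856]: Accepted password for admin.acct@domain.com from 172.17.53.210 port 64884 ssh2
Dec 05 18:16:33 RhelVM [sssd[ldap_child[19184]]][19184]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client's credentials have been revoked. Unable to create GSSAPI-encrypted LDAP connection.
""".splitlines()

SSHD = re.compile(r"sshd\[(\d+)\]: (.*)")
INVALID = re.compile(r"^Invalid user (\S+) from (\S+)")
PAM = re.compile(r"^(pam_\w+)\(sshd:auth\): (.*)")
RESULT = re.compile(r"^(Accepted|Failed) password for (?:invalid user )?(\S+) from")
KEYTAB = re.compile(r"sssd\[ldap_child.*Failed to initialize credentials using keytab \[([^\]]+)\]: (.*?)\.")

def triage(lines):
    """Return ({sshd_pid: session_info}, [sssd keytab error strings])."""
    sessions = defaultdict(lambda: {"user": None, "invalid": False, "pam": [], "result": None})
    backend = []
    for line in lines:
        if (k := KEYTAB.search(line)):
            backend.append(k.group(2))
            continue
        if not (m := SSHD.search(line)):
            continue
        s, msg = sessions[m.group(1)], m.group(2)
        if (i := INVALID.match(msg)):
            s["user"], s["invalid"] = i.group(1), True
        elif (p := PAM.match(msg)):
            s["pam"].append(p.group(1))
        elif (r := RESULT.match(msg)):
            s["user"], s["result"] = r.group(2), r.group(1)
    return dict(sessions), backend

def diagnose(sessions, backend):
    """Turn parsed sessions into (user, status, explanation) tuples."""
    findings = []
    for _pid, s in sorted(sessions.items()):
        if s["invalid"]:
            why = "sshd could not resolve the account (lookup via NSS returned nothing)"
            if backend:  # heuristic: a failing SSSD backend can leave new users unresolvable
                why += "; SSSD backend also reports: " + backend[0]
            findings.append((s["user"], "unresolved", why))
        elif s["result"] == "Accepted":
            findings.append((s["user"], "ok", "authenticated via " + ",".join(s["pam"])))
    return findings
```

Calling `diagnose(*triage(SAMPLE))` separates the account that never resolved on the host from the one that authenticated through pam_sss, and attaches the keytab error as context rather than as a confirmed cause.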
 
Old 12-12-2018, 06:26 AM   #2
TB0ne

Related to your other thread, where you say you can't even join your RHEL machines to AD?
https://www.linuxquestions.org/quest...in-4175644052/

Again, have you gone through the RHEL knowledgebase documentation you were given in your other thread? Contacted RHEL Support?
 
Old 12-12-2018, 09:25 PM   #3
Champ14

Original Poster
I can say now that this seems related to my previous mail. Will close this now. Thank you