LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Red Hat
User Name
Password
Red Hat This forum is for the discussion of Red Hat Linux.

Notices


Reply
  Search this Thread
Old 12-06-2018, 11:37 PM   #1
Champ14
LQ Newbie
 
Registered: Nov 2018
Posts: 8

Rep: Reputation: Disabled
Other AD User unable to login to RHEL 7.4 VM


Hi Experts,

Need your assistance on 2 of our newly built RHEL 7.4 Domain Joined VM's

I've tried to SSH to both systems using my AD Account admin.acct@domain.com, I can login to both systems without any issues, but when other AD users user2@domain.com SSH login to the both VM's they're getting access denied error, though I already included these users to the sudoers file on both VM's.

check the secure logs and noticed that its being authenticated only on pam_unix, instead of pam_sss which is the one being used for my account




Dec 7 04:13:06 RhelVM sshd[1849]: Invalid user user2@domain.com from 172.17.53.210 port 64873
Dec 7 04:13:06 RhelVM sshd[1849]: input_userauth_request: invalid user user2@domain.com [preauth]
Dec 7 04:13:09 RhelVM sshd[1849]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 04:13:09 RhelVM sshd[1849]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhelhost.domain.com
Dec 7 04:13:11 RhelVM sshd[1849]: Failed password for invalid user user2@domain.com from 172.17.53.210 port 64873 ssh2
Dec 7 04:14:58 RhelVM sshd[1856]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhelhost.domain.com user=admin.acct@domain.com
Dec 7 04:15:04 RhelVM sshd[1856]: Accepted password for admin.acct@domain.com from 172.17.53.210 port 64884 ssh2
Dec 7 04:15:04 RhelVM sshd[1856]: pam_unix(sshd:session): session opened for user admin.acct@domain.com by (uid=0)




Tried to also run realm deny -all, then followed by realm permit -all but still the same



[root@RhelVM ~]# realm list
domain.com
type: kerberos
realm-name: DOMAIN.COM
domain-name: domain.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@domain.com
login-policy: allow-realm-logins


SSD Service Status:

Redirecting to /bin/systemctl status -l sssd.service
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/sssd.service.d
└─journal.conf
Active: active (running) since Tue 2018-12-04 12:19:22 GMT; 2 days ago
Main PID: 6095 (sssd)
CGroup: /system.slice/sssd.service
├─6095 /usr/sbin/sssd -i -f
├─6096 /usr/libexec/sssd/sssd_be --domain domain.com --uid 0 --gid 0 --debug-to-files
├─6097 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
└─6098 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files

Dec 05 08:53:09RhelVM [sssd[ldap_child[15024]]][15024]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client's credentials have been revoked. Unable to create GSSAPI-encrypted LDAP connection.
Dec 05 08:53:09 RhelVM [sssd[ldap_child[15024]]][15024]: Client's credentials have been revoked
Dec 05 18:16:33 RhelVM [sssd[ldap_child[19184]]][19184]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client's credentials have been revoked. Unable to create GSSAPI-encrypted LDAP connection.


Need help and assistance, thanks!

Last edited by Champ14; 12-07-2018 at 01:53 AM.
 
Old 12-12-2018, 07:26 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 20,818

Rep: Reputation: 5151Reputation: 5151Reputation: 5151Reputation: 5151Reputation: 5151Reputation: 5151Reputation: 5151Reputation: 5151Reputation: 5151Reputation: 5151Reputation: 5151
Quote:
Originally Posted by Champ14 View Post
Hi Experts,
Need your assistance on 2 of our newly built RHEL 7.4 Domain Joined VM's I've tried to SSH to both systems using my AD Account admin.acct@domain.com, I can login to both systems without any issues, but when other AD users user2@domain.com SSH login to the both VM's they're getting access denied error, though I already included these users to the sudoers file on both VM's. check the secure logs and noticed that its being authenticated only on pam_unix, instead of pam_sss which is the one being used for my account
Code:
Dec  7 04:13:06 RhelVM sshd[1849]: Invalid user user2@domain.com from 172.17.53.210 port 64873
Dec  7 04:13:06 RhelVM sshd[1849]: input_userauth_request: invalid user user2@domain.com [preauth]
Dec  7 04:13:09 RhelVM sshd[1849]: pam_unix(sshd:auth): check pass; user unknown
Dec  7 04:13:09 RhelVM sshd[1849]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhelhost.domain.com
Dec  7 04:13:11 RhelVM sshd[1849]: Failed password for invalid user user2@domain.com from 172.17.53.210 port 64873 ssh2
Dec  7 04:14:58 RhelVM sshd[1856]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhelhost.domain.com user=admin.acct@domain.com
Dec  7 04:15:04 RhelVM sshd[1856]: Accepted password for admin.acct@domain.com from 172.17.53.210 port 64884 ssh2
Dec  7 04:15:04 RhelVM sshd[1856]: pam_unix(sshd:session): session opened for user admin.acct@domain.com by (uid=0)
Tried to also run realm deny -all, then followed by realm permit -all but still the same
Code:
[root@RhelVM ~]# realm list
domain.com
  type: kerberos
  realm-name: DOMAIN.COM
  domain-name: domain.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@domain.com
  login-policy: allow-realm-logins

SSD Service Status:
Redirecting to /bin/systemctl status  -l sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since Tue 2018-12-04 12:19:22 GMT; 2 days ago
 Main PID: 6095 (sssd)
   CGroup: /system.slice/sssd.service
           ├─6095 /usr/sbin/sssd -i -f
           ├─6096 /usr/libexec/sssd/sssd_be --domain domain.com --uid 0 --gid 0 --debug-to-files
           ├─6097 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           └─6098 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files

Dec 05 08:53:09RhelVM [sssd[ldap_child[15024]]][15024]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client's credentials have been revoked. Unable to create GSSAPI-encrypted LDAP connection.
Dec 05 08:53:09 RhelVM [sssd[ldap_child[15024]]][15024]: Client's credentials have been revoked
Dec 05 18:16:33 RhelVM [sssd[ldap_child[19184]]][19184]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client's credentials have been revoked. Unable to create GSSAPI-encrypted LDAP connection.
Need help and assistance, thanks!
Related to your other thread, where you say you can't even join your RHEL machines to AD?
https://www.linuxquestions.org/quest...in-4175644052/

Again, have you gone through the RHEL knowlegebase documentation you were given in your other thread? Contacted RHEL Support?
 
Old 12-12-2018, 10:25 PM   #3
Champ14
LQ Newbie
 
Registered: Nov 2018
Posts: 8

Original Poster
Rep: Reputation: Disabled
I can say now that this seems realated to my previous mail, Will close this now. Thank you
 
  


Reply

Tags
login, rhel


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Unable to login to RHEL 6 with domain user rohit.dhaval1 Linux - Software 2 07-25-2017 05:55 PM
Unable to login root user on RHEL 7.0 sandeep002gupta Linux - Desktop 21 12-06-2014 12:00 PM
RHEL 6 - Upon GUI Login Present successful and unsucessful User Login johnmccarthy Linux - Newbie 2 07-24-2013 01:38 PM
unable to login as user other than root on RHEL 4 done some changes in etc /shawdow abhi_raj Linux - Newbie 1 07-18-2006 09:47 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Red Hat

All times are GMT -5. The time now is 02:32 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration