“System Error” When Trying To Logon Via SSH To CentOS 8 Joined To AD


Hello,

I joined a CentOS 8 box to an AD, using the below document as general guide:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory
(section 14.1)

A problem: after I tried to log on via SSH (as an AD user) to the box, journalctl shows the records below:

March 23 12:41:01 sandbox.lan sshd[2262]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.0.55 user=username
March 23 12:41:01 sandbox.lan sshd[2262]: pam_sss(sshd:account): Access denied for user username: 4 (System error)
March 23 12:41:01 sandbox.lan sshd[2262]: Failed password for username from 10.10.0.55 port 57610 ssh2
March 23 12:41:01 sandbox.lan sshd[2262]: fatal: Access denied for user username by PAM account configuration [preauth]

Quick and dirty fix:

When I comment out a line in /etc/pam.d/password-auth (the one commented below), the error goes away:

======= /etc/pam.d/password-auth below
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay 00000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok try_first_pass
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
#account    [default
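The quick fix above removes pam_sss.so from the account phase, which is exactly where sssd enforces its access_provider rules (ad_access_filter, GPO logon rights) for AD users. The following is an added example, not code from the original post or from the Red Hat guide: it parses a password-auth stack in the layout shown above, reports whether the account phase still consults sssd, and decodes the numeric PAM code in the "Access denied ... 4 (System error)" journal line. The sample stack embedded in it is constructed, with the pam_sss account line commented out as in the quick fix.

```python
"""Added example: what the quick fix gives up, and how to spot it in a stack.

Not code from the original post. Parses a pam.d stack in the layout shown
above, reports whether the `account` phase still calls pam_sss.so, and
decodes the numeric code in the pam_sss "Access denied" journal line.
"""
import re

# Constructed sample of /etc/pam.d/password-auth after the quick fix
# (pam_sss account line commented out). Not copied from a real host.
SAMPLE_PASSWORD_AUTH = """\
auth        required                                     pam_env.so
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_unix.so nullok try_first_pass
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
#account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so
"""

# Return codes from Linux-PAM <security/_pam_types.h>; only those that show
# up in pam_sss denials. 4 is the "System error" in the journal excerpt.
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL",
             10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}

# type  control  module [args]; control is a keyword or a [bracketed] action list.
_PAM_LINE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")

_DENIAL = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<phase>[^)]+)\): Access denied for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<message>[^)]*)\)")


def parse_pam_stack(text):
    """Return one dict per stack line, commented-out lines included."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith("#")
        m = _PAM_LINE.match(line.lstrip("#").strip())
        if m:
            entries.append({"type": m["type"], "control": m["control"],
                            "module": m["module"], "args": m["args"].split(),
                            "commented": commented})
    return entries


def check_account_stack(text):
    """Report whether sssd is still consulted in the account phase."""
    account = [e for e in parse_pam_stack(text) if e["type"] == "account"]
    active = [e for e in account if e["module"] == "pam_sss.so" and not e["commented"]]
    commented = [e for e in account if e["module"] == "pam_sss.so" and e["commented"]]
    # Last active module matters: with pam_sss.so gone the stack above ends in
    # pam_permit.so, so every resolvable user passes the account phase.
    last = next((e["module"] for e in reversed(account) if not e["commented"]), None)
    if active:
        finding = "ok: pam_sss.so active in account phase"
    elif commented:
        finding = ("weak: pam_sss.so commented out; sssd access control is not "
                   "enforced and the stack ends in %s" % last)
    else:
        finding = "weak: no pam_sss.so in account phase"
    return {"pam_sss_active": bool(active), "pam_sss_commented": bool(commented),
            "last_active_module": last, "finding": finding}


def decode_pam_sss_denial(line):
    """Pull service, phase, user and PAM code out of a pam_sss denial line."""
    m = _DENIAL.search(line)
    if not m:
        return None
    code = int(m["code"])
    return {"service": m["service"], "phase": m["phase"], "user": m["user"],
            "code": code, "name": PAM_CODES.get(code, "UNKNOWN(%d)" % code),
            "message": m["message"]}


if __name__ == "__main__":
    print(check_account_stack(SAMPLE_PASSWORD_AUTH)["finding"])
    print(decode_pam_sss_denial(
        "sshd[2262]: pam_sss(sshd:account): Access denied for user "
        "username: 4 (System error)"))
```

Pointing `check_account_stack` at the real file (`open("/etc/pam.d/password-auth").read()`) gives a quick way to audit hosts where this workaround was applied; the decoded code 4 (PAM_SYSTEM_ERR) confirms that the denial comes from an internal sssd failure in the account phase rather than from an access rule, which is what the later replies suggest chasing in the sssd logs.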

6 thoughts on - “System Error” When Trying To Logon Via SSH To CentOS 8 Joined To AD

  • Do I understand correctly that this problem
    – is too trivial
    – isn’t in fact CentOS-related
    – never happened to anyone else ?

    There are no good explanations, as far as I can see, for such PAM behavior. I
    would appreciate advice on where else to ask about this (the quick fix mentioned above doesn’t look too good).

    Thanks.

    Sincerely, Konstantin

    required    pam_env.so
                pam_usertype.so
    sufficient  pam_unix.so
                pam_usertype.so
    sufficient  pam_sss.so
    required    pam_deny.so
    required    pam_unix.so
    sufficient  pam_usertype.so
    required    pam_permit.so
    sufficient  pam_unix.so
    sufficient  pam_sss.so
    required    pam_deny.so
    optional    pam_keyinit.so
    required    pam_limits.so
    optional    pam_systemd.so
    required    pam_unix.so
    optional    pam_sss.so

  • Hi Konstantin,

    Debugging login issues between SSSD, PAM, and AD is not for the faint of heart. In my case I set up Samba 4.3 as a primary AD DC. I could log in with Windows 10 guests but not C8.

    I just did the following.
    1. I spun up a fresh C8 VM, did not add any users, selected a graphical desktop.
    2. I added a new user into my AD domain (the one being served by Samba4)
    3. When my VM booted, the “first boot” screen appeared. As I went through the steps, when it prompted me to add a user, I clicked on “Configure Enterprise Login”
    4. The system automatically found my domain name. I entered the username/password I created.
    5. The system prompted for the Domain Admin password, which I entered.
    6. After a few seconds, everything was set up, and I could SSH in to the box in question using the following (keeping in mind that capitalization is important, especially when it comes to AD domain names!):

    ssh -l joey@MY-DOMAIN.AS authtest-el8

    I was able to log in using this procedure. You might try the same thing, and then compare your pam, sssd, and krb5 config files between the fresh VM
    and the VM you are trying to get working.

    -JK

  • How general? Can you describe what you’ve done that differed from the guide?

    Have you checked /var/log/audit/audit.log for AVCs during login? I
    suspect an SELinux error.

    Specifically, I thought that sssd defaults to KCM storage for kerberos credentials, not the kernel keyring. You might be seeing an SELinux deny due to non-default ccache storage.
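Checking audit.log by hand for the AVCs this reply suggests is tedious on a busy host, so here is an added example (not code from the thread or from any poster) that filters an audit.log-style excerpt down to the denials that can affect an SSH login through sssd: those whose source domain is sssd_t or sshd_t, plus any denial on the kernel `key` class, which is where a credential cache held in the kernel keyring would show up. The audit records embedded in it are constructed for the example and follow the standard AVC field layout; they are not from the poster's system.

```python
"""Added example: pick out SELinux AVC denials that could break an AD login.

Not code from the thread. Input is a constructed audit.log excerpt in the
standard AVC record layout; it is not taken from any real system.
"""
import re

# Constructed sample: one successful PAM auth record, two denials relevant to
# a login (sssd backend touching a keyring, sshd writing a ccache file) and
# one unrelated denial that should be filtered out.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1584967261.101:411): pid=2262 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_sss acct="username" exe="/usr/sbin/sshd" hostname=10.10.0.55 addr=10.10.0.55 terminal=ssh res=success'
type=AVC msg=audit(1584967261.123:412): avc:  denied  { read } for  pid=1234 comm="sssd_be" scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=key permissive=0
type=AVC msg=audit(1584967261.130:413): avc:  denied  { write } for  pid=2270 comm="sshd" name="krb5cc_1234" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1584967262.001:414): avc:  denied  { name_connect } for  pid=901 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
"""

# Source domains involved in an SSH login that authenticates through sssd.
LOGIN_DOMAINS = {"sssd_t", "sshd_t"}

_AVC = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """user:role:type:level -> type (the third field)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC record; return None for any other audit record type."""
    m = _AVC.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(m["rest"])}
    return {"ts": float(m["ts"]), "serial": int(m["serial"]),
            "verdict": m["verdict"], "perms": m["perms"].split(),
            "fields": fields}


def login_related_denials(text):
    """Return denials from sssd/sshd domains or against the kernel keyring."""
    findings = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        f = rec["fields"]
        domain = selinux_type(f.get("scontext", ""))
        keyring = f.get("tclass") == "key"
        if domain in LOGIN_DOMAINS or keyring:
            findings.append({"serial": rec["serial"], "comm": f.get("comm"),
                             "domain": domain, "perms": rec["perms"],
                             "tclass": f.get("tclass"),
                             "target": selinux_type(f.get("tcontext", "")),
                             "keyring": keyring,
                             # permissive=1 means the denial was logged but
                             # not enforced, so it cannot explain a failure.
                             "enforced": f.get("permissive") == "0"})
    return findings


if __name__ == "__main__":
    for hit in login_related_denials(SAMPLE_AUDIT_LOG):
        print(hit)
```

Run it against `/var/log/audit/audit.log` during a failed login and an enforced hit on `tclass=key` from sssd_t is the keyring case this reply describes; an empty result, with no AVC at all in the window, points away from SELinux and towards sssd's own logs, as the later replies suggest.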

  • Only if sssd-kcm is installed. Otherwise the keyring is default. I normally use the keyring on my systems. No selinux issues there.

  • “System error” generally means an error internally to sssd. I would turn up sssd debugging and check the sssd logs in /var/log/sssd. Also, you’ll probably get better support on the sssd list.

  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory

    Thanks for this and the previous responses. I am trying to determine where to look further; as soon as I figure out where to look, I could ask for more details (here, on the sssd and/or Samba lists).


    Sincerely,

    Konstantin Boyandin system administrator (ProWide Labs Ltd. – IPHost Network Monitor)