sssd->AD authentication not working on 6.8

I followed the instructions for authenticating RHEL 6 users to AD. I have been able to join the server to the domain and can run ldapsearch with positive results. I can also run kinit and obtain a ticket granting ticket. However, authenticating users fails.

Log files indicate different output. For instance, /var/log/sssd/ldap_child.log states:

  (Tue Mar 21 12:07:58 2017) [[sssd[ldap_child[13426]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed

and /var/log/secure states:

  Mar 21 11:35:48 drfoak01 login: pam_unix(login:auth): check pass; user unknown
  Mar 21 11:35:48 drfoak01 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= 
  Mar 21 11:35:48 drfoak01 login: pam_succeed_if(login:auth): error retrieving information about user user
  Mar 21 11:35:50 drfoak01 login: FAILED LOGIN 1 FROM (null) FOR user, User not known to the underlying authentication module

Configurations are accurate:
sssd.conf:

  [sssd]
  config_file_version = 2
  domains = domain.local
  services = nss, pam, autofs, ssh

  [domain/hph.local]
    id_provider = ad
    auth_provider = ad
    access_provider = ad
    chpass_provider = ad

    ldap_id_mapping = false

  [autofs]

krb5.conf:

  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   default_realm = DOMAIN.LOCAL
   dns_lookup_realm = true
   dns_lookup_kdc = true
   ticket_lifetime = 24h
   renew_lifetime = 7d
   rdns = false
   forwardable = true

  [realms]
  # DOMAIN.LOCAL = {
  #  kdc = kdc.domain.local
  #  admin_server = kdc.domain.local
  # }

  [domain_realm]
  # domain.local = DOMAIN.LOCAL
  # .domain.local = DOMAIN.LOCAL

and smb.conf:

  [global]
    workgroup = DOMAIN
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    log file = /var/log/samba/%m.log
    password server = kdc.domain.local
    realm = DOMAIN.LOCAL
    security = ads

  [homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read_only = No
    inherit acls = Yes

This configuration mirrors that of a functioning RHEL 7, but is also pretty much the configuration defined by the document mentioned above for RHEL 6.

I know this question comes up a lot, but so far nothing I've read has solved the problem I'm encountering.
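
A consistency check that can be run on an sssd.conf like the one posted above (an added example, not part of the original post): every name in `domains =` should have a matching `[domain/<name>]` section, and in the posted file the two names (`domain.local` and `hph.local`) differ. The function names are hypothetical and the exact string comparison of domain names is an assumption of this sketch.

```python
# Added example: cross-check the `domains =` list in sssd.conf against its
# [domain/<name>] sections. SAMPLE is copied from the sssd.conf posted above.

SAMPLE = """\
[sssd]
config_file_version = 2
domains = domain.local
services = nss, pam, autofs, ssh

[domain/hph.local]
  id_provider = ad
  auth_provider = ad
  access_provider = ad
  chpass_provider = ad

  ldap_id_mapping = false

  [autofs]
"""


def parse_sssd_conf(text):
    """Return {section: {key: value}}; leading whitespace is ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def check_domains(text):
    """Return (enabled domains lacking a section, sections never enabled)."""
    sections = parse_sssd_conf(text)
    listed = sections.get("sssd", {}).get("domains", "")
    enabled = [d.strip() for d in listed.split(",") if d.strip()]
    defined = [s[len("domain/"):] for s in sections if s.startswith("domain/")]
    missing = [d for d in enabled if d not in defined]
    unused = [d for d in defined if d not in enabled]
    return missing, unused


if __name__ == "__main__":
    missing, unused = check_domains(SAMPLE)
    for d in missing:
        print(f"listed in domains = but no [domain/{d}] section")
    for d in unused:
        print(f"[domain/{d}] defined but not listed in domains =")
```

To check a real file, pass its contents to `check_domains()` instead of `SAMPLE`; reading /etc/sssd/sssd.conf normally requires root.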

Responses