sssd->AD authentication not working on 6.8

I followed the instructions for authenticating RHEL 6 users to AD. I have been able to join the server to the domain and can run ldapsearch with positive results. I can also run kinit and obtain a ticket granting ticket. However, authenticating users fails.

Log files indicate different output. For instance, /var/log/sssd/ldap_child.log states

  (Tue Mar 21 12:07:58 2017) [[sssd[ldap_child[13426]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed

and /var/log/secure states

  Mar 21 11:35:48 drfoak01 login: pam_unix(login:auth): check pass; user unknown
  Mar 21 11:35:48 drfoak01 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= 
  Mar 21 11:35:48 drfoak01 login: pam_succeed_if(login:auth): error retrieving information about user user
  Mar 21 11:35:50 drfoak01 login: FAILED LOGIN 1 FROM (null) FOR user, User not known to the underlying authentication module

Configurations are accurate:
sssd.conf:

  [sssd]
    config_file_version = 2
    domains = domain.local
    services = nss, pam, autofs, ssh

  [domain/hph.local]
    id_provider = ad
    auth_provider = ad
    access_provider = ad
    chpass_provider = ad

    ldap_id_mapping = false

  [autofs]

krb5.conf

  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   default_realm = DOMAIN.LOCAL
   dns_lookup_realm = true
   dns_lookup_kdc = true
   ticket_lifetime = 24h
   renew_lifetime = 7d
   rdns = false
   forwardable = true

  [realms]
  # DOMAIN.LOCAL = {
  #  kdc = kdc.domain.local
  #  admin_server = kdc.domain.local
  # }

  [domain_realm]
  # domain.local = DOMAIN.LOCAL
  # .domain.local = DOMAIN.LOCAL

and smb.conf:

  [global]
    workgroup = DOMAIN
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    log file = /var/log/samba/%m.log
    password server = kdc.domain.local
    realm = DOMAIN.LOCAL
    security = ads

  [homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read_only = No
    inherit acls = Yes

This configuration mirrors that of a functioning RHEL 7, but is also pretty much the configuration defined by the document mentioned above for RHEL 6.

I know this question comes up a lot, but so far nothing I've read has solved the problem I'm encountering.
