active directory fatal: Access denied for user by PAM account configuration


I have several systems configured for Samba/Winbind (idmap_ad). One of these systems has a very odd behavior where I am unable to ssh into the box using AD authentication, even though I can su as that user while on the box.

I get an error message of the following:

fatal: Access denied for user by PAM account configuration

This is after I get the following logging:

Sep 1 22:09:55 informatica02 sshd[14165]: pam_sss(sshd:auth): Request to sssd failed. Connection refused
Sep 1 22:09:55 informatica02 sshd[14165]: pam_winbind(sshd:auth): getting password (0x00000010)
Sep 1 22:09:55 informatica02 sshd[14165]: pam_winbind(sshd:auth): pam_get_item returned a password
Sep 1 22:09:55 informatica02 sshd[14165]: pam_winbind(sshd:auth): user 'DCI+kdonlan' granted access
Sep 1 22:09:55 informatica02 sshd[14165]: pam_sss(sshd:account): Request to sssd failed. Connection refused
Sep 1 22:09:55 informatica02 sshd[14165]: pam_winbind(sshd:account): user 'DCI+kdonlan' granted access
Sep 1 22:09:55 informatica02 sshd[14166]: fatal: Access denied for user DCI+kdonlan by PAM account configuration
Sep 1 22:09:55 informatica02 sshd[14165]: Failed password for DCI+kdonlan from ::1 port 58051 ssh2

Winbind grants the user access then I get the fatal: error.

The following is the ssh -vvv output:

[root@informatica02 ssh]# ssh DCI+kdonlan@informatica02
DCI+kdonlan@informatica02's password:
Connection closed by ::1
[root@informatica02 ssh]# ssh -vvv DCI+kdonlan@informatica02
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to informatica02 [::1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 813
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 837
debug2: dh_gen_key: priv key bits set: 136/256
debug2: bits set: 518/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 981
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'informatica02' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug2: bits set: 508/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 997
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1045
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug3: Wrote 80 bytes for a total of 1125
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address ::1.
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure. Minor code may provide more information

debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
DCI+kdonlan@informatica02's password:
debug3: packet_send2: adding 48 (len 66 padlen 14 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug3: Wrote 144 bytes for a total of 1269
Connection closed by ::1
[root@informatica02 ssh]#

I am at my wits' end as to why, on this box, unlike the other 4 or 5 boxes, I cannot log in using SSH. All other boxes are fine with the same OS and patch levels. I even did a recent yum update on all of the boxes.

I have looked at the following files for a clue and compared them to the other 4 or 5 boxes:

/etc/ssh/sshd_config
/etc/pam.d/password-auth
/etc/pam.d/system-auth-ac

They all seem to be configured correctly and I can SU as the user id so I know that authentication is being processed successfully.

Any help would be most appreciated.

Responses

First, try to isolate the problem.

- disable SELinux if it is enabled
- disable the firewall
- check whether sshd is running or not
- try your test again

If the test works with this, try:
- enable SELinux and try again; if it does not work, it is possibly an SELinux issue
- enable the firewall; if it does not work with this, please check your firewall configuration

Disabling SELinux had no effect.
The firewall is disabled.
sshd is running and answering to other local users. This appears to be a PAM winbind authentication problem.

I turned on DEBUG level 3 in the sshd and the following is the log from a tested authentication:

Sep 2 12:01:08 informatica02 sshd[2834]: debug3: fd 5 is not O_NONBLOCK
Sep 2 12:01:08 informatica02 sshd[2834]: debug1: Forked child 2850.
Sep 2 12:01:08 informatica02 sshd[2834]: debug3: send_rexec_state: entering fd = 8 config len 623
Sep 2 12:01:08 informatica02 sshd[2834]: debug3: ssh_msg_send: type 0
Sep 2 12:01:08 informatica02 sshd[2834]: debug3: send_rexec_state: done
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: oom_adjust_restore
Sep 2 12:01:08 informatica02 sshd[2850]: Set /proc/self/oom_score_adj to 0
Sep 2 12:01:08 informatica02 sshd[2850]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Sep 2 12:01:08 informatica02 sshd[2850]: debug1: inetd sockets after dupping: 3, 3
Sep 2 12:01:08 informatica02 sshd[2850]: Connection from ::1 port 62327
Sep 2 12:01:08 informatica02 sshd[2850]: debug1: Client protocol version 2.0; client software version OpenSSH_5.3
Sep 2 12:01:08 informatica02 sshd[2850]: debug1: match: OpenSSH_5.3 pat OpenSSH*
Sep 2 12:01:08 informatica02 sshd[2850]: debug1: Enabling compatibility mode for protocol 2.0
Sep 2 12:01:08 informatica02 sshd[2850]: debug1: Local version string SSH-2.0-OpenSSH_5.3
Sep 2 12:01:08 informatica02 sshd[2850]: debug2: fd 3 setting O_NONBLOCK
Sep 2 12:01:08 informatica02 sshd[2850]: debug2: Network child is on pid 2851
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: preauth child monitor started
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_request_receive entering
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: privsep user:group 74:74
Sep 2 12:01:08 informatica02 sshd[2851]: debug1: permanently_set_uid: 74/74
Sep 2 12:01:08 informatica02 sshd[2851]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
Sep 2 12:01:08 informatica02 sshd[2851]: debug1: SSH2_MSG_KEXINIT sent
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: Wrote 784 bytes for a total of 805
Sep 2 12:01:08 informatica02 sshd[2851]: debug1: SSH2_MSG_KEXINIT received
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: none,zlib@openssh.com
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: none,zlib@openssh.com
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit:
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit:
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: first_kex_follows 0
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: reserved 0
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit:
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit:
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: first_kex_follows 0
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_parse_kexinit: reserved 0
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: mac_setup: found hmac-md5
Sep 2 12:01:08 informatica02 sshd[2851]: debug1: kex: client->server aes128-ctr hmac-md5 none
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_send entering: type 78
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: monitor_read: checking request 78
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_request_send entering: type 79
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_request_receive entering
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_receive_expect entering: type 79
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_receive entering
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: mac_setup: found hmac-md5
Sep 2 12:01:08 informatica02 sshd[2851]: debug1: kex: server->client aes128-ctr hmac-md5 none
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_send entering: type 78
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: monitor_read: checking request 78
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_request_send entering: type 79
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_request_receive entering
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_receive_expect entering: type 79
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_receive entering
Sep 2 12:01:08 informatica02 sshd[2851]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_send entering: type 0
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: monitor_read: checking request 0
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_answer_moduli: got parameters: 1024 1024 8192
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_request_send entering: type 1
Sep 2 12:01:08 informatica02 sshd[2850]: debug2: monitor_read: 0 used once, disabling now
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_request_receive entering
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_receive_expect entering: type 1
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_receive entering
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_choose_dh: remaining 0
Sep 2 12:01:08 informatica02 sshd[2851]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: Wrote 152 bytes for a total of 957
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: dh_gen_key: priv key bits set: 127/256
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: bits set: 517/1024
Sep 2 12:01:08 informatica02 sshd[2851]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: bits set: 518/1024
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_key_sign entering
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_send entering: type 5
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: monitor_read: checking request 5
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_answer_sign
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_receive_expect entering: type 6
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_receive entering
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_answer_sign: signature 0x7fa74bb021b0(271)
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_request_send entering: type 6
Sep 2 12:01:08 informatica02 sshd[2851]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: kex_derive_keys
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: set_newkeys: mode 1
Sep 2 12:01:08 informatica02 sshd[2851]: debug1: SSH2_MSG_NEWKEYS sent
Sep 2 12:01:08 informatica02 sshd[2851]: debug1: expecting SSH2_MSG_NEWKEYS
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: Wrote 720 bytes for a total of 1677
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: set_newkeys: mode 0
Sep 2 12:01:08 informatica02 sshd[2851]: debug1: SSH2_MSG_NEWKEYS received
Sep 2 12:01:08 informatica02 sshd[2851]: debug1: KEX done
Sep 2 12:01:08 informatica02 sshd[2850]: debug2: monitor_read: 5 used once, disabling now
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_request_receive entering
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: Wrote 48 bytes for a total of 1725
Sep 2 12:01:08 informatica02 sshd[2851]: debug1: userauth-request for user DCI+tdampier service ssh-connection method none
Sep 2 12:01:08 informatica02 sshd[2851]: debug1: attempt 0 failures 0
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_getpwnamallow entering
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_send entering: type 7
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_receive_expect entering: type 8
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_receive entering
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: monitor_read: checking request 7
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_answer_pwnamallow
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: Trying to reverse map address ::1.
Sep 2 12:01:08 informatica02 sshd[2850]: debug2: parse_server_config: config reprocess config len 623
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_request_send entering: type 8
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: input_userauth_request: setting up authctxt for DCI+tdampier
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_start_pam entering
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_send entering: type 50
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_inform_authserv entering
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_send entering: type 3
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_inform_authrole entering
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: mm_request_send entering: type 4
Sep 2 12:01:08 informatica02 sshd[2851]: debug2: input_userauth_request: try method none
Sep 2 12:01:08 informatica02 sshd[2851]: debug3: Wrote 80 bytes for a total of 1805
Sep 2 12:01:08 informatica02 sshd[2850]: debug2: monitor_read: 7 used once, disabling now
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_request_receive entering
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: monitor_read: checking request 50
Sep 2 12:01:08 informatica02 sshd[2850]: debug1: PAM: initializing for "DCI+tdampier"
Sep 2 12:01:08 informatica02 sshd[2850]: debug1: PAM: setting PAM_RHOST to "informatica02.dev.dci.local"
Sep 2 12:01:08 informatica02 sshd[2850]: debug1: PAM: setting PAM_TTY to "ssh"
Sep 2 12:01:08 informatica02 sshd[2850]: debug2: monitor_read: 50 used once, disabling now
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_request_receive entering
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: monitor_read: checking request 3
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_answer_authserv: service=ssh-connection, style=
Sep 2 12:01:08 informatica02 sshd[2850]: debug2: monitor_read: 3 used once, disabling now
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_request_receive entering
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: monitor_read: checking request 4
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_answer_authrole: role=
Sep 2 12:01:08 informatica02 sshd[2850]: debug2: monitor_read: 4 used once, disabling now
Sep 2 12:01:08 informatica02 sshd[2850]: debug3: mm_request_receive entering
Sep 2 12:01:12 informatica02 sshd[2851]: debug1: userauth-request for user DCI+tdampier service ssh-connection method password
Sep 2 12:01:12 informatica02 sshd[2851]: debug1: attempt 1 failures 0
Sep 2 12:01:12 informatica02 sshd[2851]: debug2: input_userauth_request: try method password
Sep 2 12:01:12 informatica02 sshd[2851]: debug3: mm_auth_password entering
Sep 2 12:01:12 informatica02 sshd[2851]: debug3: mm_request_send entering: type 11
Sep 2 12:01:12 informatica02 sshd[2851]: debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
Sep 2 12:01:12 informatica02 sshd[2851]: debug3: mm_request_receive_expect entering: type 12
Sep 2 12:01:12 informatica02 sshd[2851]: debug3: mm_request_receive entering
Sep 2 12:01:12 informatica02 sshd[2850]: debug3: monitor_read: checking request 11
Sep 2 12:01:12 informatica02 sshd[2850]: debug1: temporarily_use_uid: 16777217/16777222 (e=0/0)
Sep 2 12:01:12 informatica02 sshd[2850]: debug1: restore_uid: 0/0
Sep 2 12:01:12 informatica02 sshd[2850]: debug1: Kerberos password authentication failed: Client not found in Kerberos database
Sep 2 12:01:12 informatica02 sshd[2850]: debug1: krb5_cleanup_proc called
Sep 2 12:01:12 informatica02 sshd[2850]: debug3: PAM: sshpam_passwd_conv called with 1 messages
Sep 2 12:01:12 informatica02 sshd[2850]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=informatica02.dev.dci.local user=DCI+tdampier
Sep 2 12:01:12 informatica02 sshd[2850]: pam_sss(sshd:auth): Request to sssd failed. Connection refused
Sep 2 12:01:12 informatica02 sshd[2850]: pam_winbind(sshd:auth): getting password (0x00000010)
Sep 2 12:01:12 informatica02 sshd[2850]: pam_winbind(sshd:auth): pam_get_item returned a password
Sep 2 12:01:12 informatica02 sshd[2850]: pam_winbind(sshd:auth): user 'DCI+tdampier' granted access
Sep 2 12:01:12 informatica02 sshd[2850]: debug1: PAM: password authentication accepted for DCI+tdampier
Sep 2 12:01:12 informatica02 sshd[2850]: debug3: mm_answer_authpassword: sending result 1
Sep 2 12:01:12 informatica02 sshd[2850]: debug3: mm_request_send entering: type 12
Sep 2 12:01:12 informatica02 sshd[2851]: debug3: mm_auth_password: user authenticated
Sep 2 12:01:12 informatica02 sshd[2851]: debug3: mm_do_pam_account entering
Sep 2 12:01:12 informatica02 sshd[2851]: debug3: mm_request_send entering: type 51
Sep 2 12:01:12 informatica02 sshd[2851]: debug3: mm_request_receive_expect entering: type 52
Sep 2 12:01:12 informatica02 sshd[2851]: debug3: mm_request_receive entering
Sep 2 12:01:12 informatica02 sshd[2850]: debug3: mm_request_receive_expect entering: type 51
Sep 2 12:01:12 informatica02 sshd[2850]: debug3: mm_request_receive entering
Sep 2 12:01:12 informatica02 sshd[2850]: debug1: do_pam_account: called
Sep 2 12:01:12 informatica02 sshd[2850]: pam_sss(sshd:account): Request to sssd failed. Connection refused
Sep 2 12:01:12 informatica02 sshd[2850]: pam_winbind(sshd:account): user 'DCI+tdampier' granted access
Sep 2 12:01:12 informatica02 sshd[2850]: debug3: PAM: do_pam_account pam_acct_mgmt = 9 (Authentication service cannot retrieve authentication info)
Sep 2 12:01:12 informatica02 sshd[2850]: debug3: mm_request_send entering: type 52
Sep 2 12:01:12 informatica02 sshd[2851]: debug3: mm_do_pam_account returning 0
Sep 2 12:01:12 informatica02 sshd[2851]: fatal: Access denied for user DCI+tdampier by PAM account configuration
Sep 2 12:01:12 informatica02 sshd[2851]: debug1: do_cleanup
Sep 2 12:01:12 informatica02 sshd[2851]: debug3: PAM: sshpam_thread_cleanup entering
Sep 2 12:01:12 informatica02 sshd[2851]: debug3: mm_request_send entering: type 80
Sep 2 12:01:12 informatica02 sshd[2851]: debug3: mm_request_receive_expect entering: type 81
Sep 2 12:01:12 informatica02 sshd[2851]: debug3: mm_request_receive entering
Sep 2 12:01:12 informatica02 sshd[2850]: Failed password for DCI+tdampier from ::1 port 62327 ssh2
Sep 2 12:01:12 informatica02 sshd[2850]: debug3: mm_request_receive entering
Sep 2 12:01:12 informatica02 sshd[2850]: debug3: monitor_read: checking request 80
Sep 2 12:01:12 informatica02 sshd[2850]: debug3: mm_request_send entering: type 81
Sep 2 12:01:12 informatica02 sshd[2850]: debug3: mm_request_receive entering
Sep 2 12:01:12 informatica02 sshd[2850]: debug1: do_cleanup
Sep 2 12:01:12 informatica02 sshd[2850]: debug1: PAM: cleanup
Sep 2 12:01:12 informatica02 sshd[2850]: debug3: PAM: sshpam_thread_cleanup entering

As you can see by these lines:

Sep 2 12:01:12 informatica02 sshd[2850]: pam_winbind(sshd:account): user 'DCI+tdampier' granted access
Sep 2 12:01:12 informatica02 sshd[2850]: debug3: PAM: do_pam_account pam_acct_mgmt = 9 (Authentication service cannot retrieve authentication info)

The user is granted access by pam_winbind, but then PAM seems to not be able to retrieve the authentication information.

I can reproduce this issue now on two boxes.

Thanks for the help - anything else that I can be looking at?
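
Added example, not part of any post in this thread: a small Python triage that groups sshd log lines by PID and reports which PAM module logged an error in the account phase of a denied login. The function name `triage` and the error-word heuristic are assumptions of this example; the sample input is excerpted from the two logs posted above.

```python
import re
from collections import defaultdict

# Linux-PAM return codes that commonly show up in account checks.
PAM_CODES = {0: "PAM_SUCCESS", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN",
             13: "PAM_ACCT_EXPIRED"}

# Lines excerpted from the two logs posted in this thread (wrapped lines rejoined).
SAMPLE_LOG = """\
Sep 1 22:09:55 informatica02 sshd[14165]: pam_winbind(sshd:auth): user 'DCI+kdonlan' granted access
Sep 1 22:09:55 informatica02 sshd[14165]: pam_sss(sshd:account): Request to sssd failed. Connection refused
Sep 1 22:09:55 informatica02 sshd[14165]: pam_winbind(sshd:account): user 'DCI+kdonlan' granted access
Sep 1 22:09:55 informatica02 sshd[14166]: fatal: Access denied for user DCI+kdonlan by PAM account configuration
Sep 2 12:01:12 informatica02 sshd[2850]: pam_sss(sshd:auth): Request to sssd failed. Connection refused
Sep 2 12:01:12 informatica02 sshd[2850]: pam_winbind(sshd:auth): user 'DCI+tdampier' granted access
Sep 2 12:01:12 informatica02 sshd[2850]: pam_sss(sshd:account): Request to sssd failed. Connection refused
Sep 2 12:01:12 informatica02 sshd[2850]: pam_winbind(sshd:account): user 'DCI+tdampier' granted access
Sep 2 12:01:12 informatica02 sshd[2850]: debug3: PAM: do_pam_account pam_acct_mgmt = 9 (Authentication service cannot retrieve authentication info)
Sep 2 12:01:12 informatica02 sshd[2851]: fatal: Access denied for user DCI+tdampier by PAM account configuration
"""

SSHD = re.compile(r"sshd\[(\d+)\]: (.*)$")
MODULE = re.compile(r"^(pam_\w+)\(sshd:(\w+)\): (.*)$")
ACCT_RC = re.compile(r"pam_acct_mgmt = (\d+)")
FATAL = re.compile(r"^fatal: Access denied for user (\S+) by PAM account configuration")
USER = re.compile(r"user '([^']+)'")
ERROR_WORDS = ("failed", "failure", "refused", "denied")  # heuristic, an assumption


def triage(log_text):
    """Return one finding per sshd PID whose PAM account phase was denied."""
    sessions = defaultdict(lambda: {"user": None, "rc": None, "account": []})
    denied_users = set()
    for line in log_text.splitlines():
        m = SSHD.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        fatal = FATAL.match(msg)
        if fatal:
            # Logged by the unprivileged child, so its PID differs from the PAM lines.
            denied_users.add(fatal.group(1))
            continue
        rc = ACCT_RC.search(msg)
        if rc:
            sessions[pid]["rc"] = int(rc.group(1))
            continue
        mod = MODULE.match(msg)
        if not mod:
            continue
        name, phase, text = mod.groups()
        user = USER.search(text)
        if user:
            sessions[pid]["user"] = user.group(1)
        if phase == "account":
            bad = any(w in text.lower() for w in ERROR_WORDS)
            sessions[pid]["account"].append((name, "error" if bad else "ok"))

    findings = []
    for pid, s in sorted(sessions.items()):
        # Denied if sshd logged a non-zero pam_acct_mgmt, or a fatal line names the user.
        denied = (s["rc"] not in (None, 0)) or (s["user"] in denied_users)
        if not denied:
            continue
        findings.append({
            "pid": pid,
            "user": s["user"],
            "rc": PAM_CODES.get(s["rc"], s["rc"]),
            "passed": [n for n, o in s["account"] if o == "ok"],
            "suspects": [n for n, o in s["account"] if o == "error"],
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The numeric result code is only available when sshd logs at debug3; without it the script falls back to matching the user named in the `fatal:` line.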

Try this:
Remove pam_krb5 from /etc/pam.d/system-auth and /etc/pam.d/password-auth. When winbind is used, pam_winbind is sufficient enough to authenticate an AD user.

Removal of these entries in /etc/pam.d/system-auth worked for me.

session optional pam_sss.so
password sufficient pam_sss.so use_authtok
auth sufficient pam_sss.so use_first_pass

Yes, it's working fine after removing the lines from the /etc/pam.d/system-auth and /etc/pam.d/password-auth files, and we restarted the sshd service.

Hi,
I am having a similar issue, working with Red Hat Identity Management. I have configured the server and client, and they are working fine using ipa commands. The issue I am having is that the user created by using the ipa user-add command is not able to log in to both servers using ssh.
The error is "Connection closed by both servers IP addresses". I have removed
session optional pam_sss.so
password sufficient pam_sss.so use_authtok
auth sufficient pam_sss.so use_first_pass
from /etc/pam.d/system-auth, and it still does not work for me.

Any help will be appreciated. Thanks in advance.

Sometimes checking the /etc/shadow file also helps.

If you haven't figured it out yet, try running authconfig --update or authconfig --updateall

That's what worked for me. All of the other suggestions/solutions didn't work in my case.

The authconfig --updateall worked for me as well. I changed different settings on pam.d and other files, nothing seemed to work until I read and applied the posting before this. Thanks Johnathan Bodily.

Check /var/log/secure. I restarted sssd, which fixed it for me.