  • active directory fatal: Access denied for user by PAM account configuration

    I have several systems configured for Samba/Winbind (idmap_ad). One of these systems has a very odd behavior where I am unable to ssh into the box using the AD authentication, even though I can SU as that user while on the box.

    I get an error message of the following:

    fatal: Access denied for user by PAM account configuration

    This is after I get the following logging:

    Sep 1 22:09:55 informatica02 sshd[14165]: pam_sss(sshd:auth): Request to sssd failed. Connection refused
    Sep 1 22:09:55 informatica02 sshd[14165]: pam_winbind(sshd:auth): getting password (0x00000010)
    Sep 1 22:09:55 informatica02 sshd[14165]: pam_winbind(sshd:auth): pam_get_item returned a password
    Sep 1 22:09:55 informatica02 sshd[14165]: pam_winbind(sshd:auth): user 'DCI+kdonlan' granted access
    Sep 1 22:09:55 informatica02 sshd[14165]: pam_sss(sshd:account): Request to sssd failed. Connection refused
    Sep 1 22:09:55 informatica02 sshd[14165]: pam_winbind(sshd:account): user 'DCI+kdonlan' granted access
    Sep 1 22:09:55 informatica02 sshd[14166]: fatal: Access denied for user DCI+kdonlan by PAM account configuration
    Sep 1 22:09:55 informatica02 sshd[14165]: Failed password for DCI+kdonlan from ::1 port 58051 ssh2

    Winbind grants the user access then I get the fatal: error.

    The following is the ssh -vvv output:

    [root@informatica02 ssh]# ssh DCI+kdonlan@informatica02
    DCI+kdonlan@informatica02's password:
    Connection closed by ::1
    [root@informatica02 ssh]# ssh -vvv DCI+kdonlan@informatica02
    OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to informatica02 [::1] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/identity type -1
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.3
    debug2: fd 3 setting O_NONBLOCK
    debug1: SSH2_MSG_KEXINIT sent
    debug3: Wrote 792 bytes for a total of 813
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_setup: found hmac-md5
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug2: mac_setup: found hmac-md5
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug3: Wrote 24 bytes for a total of 837
    debug2: dh_gen_key: priv key bits set: 136/256
    debug2: bits set: 518/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug3: Wrote 144 bytes for a total of 981
    debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
    debug3: check_host_in_hostfile: match line 1
    debug1: Host 'informatica02' is known and matches the RSA host key.
    debug1: Found key in /root/.ssh/known_hosts:1
    debug2: bits set: 508/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug3: Wrote 16 bytes for a total of 997
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug3: Wrote 48 bytes for a total of 1045
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /root/.ssh/identity ((nil))
    debug2: key: /root/.ssh/id_rsa ((nil))
    debug2: key: /root/.ssh/id_dsa ((nil))
    debug3: Wrote 80 bytes for a total of 1125
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
    debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_lookup gssapi-keyex
    debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_is_enabled gssapi-keyex
    debug1: Next authentication method: gssapi-keyex
    debug1: No valid Key exchange context
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup gssapi-with-mic
    debug3: remaining preferred: publickey,keyboard-interactive,password
    debug3: authmethod_is_enabled gssapi-with-mic
    debug1: Next authentication method: gssapi-with-mic
    debug3: Trying to reverse map address ::1.
    debug1: Unspecified GSS failure. Minor code may provide more information
    Credentials cache file '/tmp/krb5cc_0' not found

    debug1: Unspecified GSS failure. Minor code may provide more information
    Credentials cache file '/tmp/krb5cc_0' not found

    debug1: Unspecified GSS failure. Minor code may provide more information

    debug1: Unspecified GSS failure. Minor code may provide more information
    Credentials cache file '/tmp/krb5cc_0' not found

    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: /root/.ssh/identity
    debug3: no such identity: /root/.ssh/identity
    debug1: Trying private key: /root/.ssh/id_rsa
    debug3: no such identity: /root/.ssh/id_rsa
    debug1: Trying private key: /root/.ssh/id_dsa
    debug3: no such identity: /root/.ssh/id_dsa
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred: ,password
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
    DCI+kdonlan@informatica02's password:
    debug3: packet_send2: adding 48 (len 66 padlen 14 extra_pad 64)
    debug2: we sent a password packet, wait for reply
    debug3: Wrote 144 bytes for a total of 1269
    Connection closed by ::1
    [root@informatica02 ssh]#

    I am at my wits' end as to why on this box, unlike the other 4 or 5 boxes, I cannot log in using SSH. All other boxes are fine with the same OS and patch levels. I even did a recent yum update on all of the boxes.

    I have looked at the following files for a clue and compared them to the other 4 or 5 boxes:

    etc/ssh/sshd_config
    etc/pam.d/password-auth
    etc/pam.d/system-auth-ac

    They all seem to be configured correctly and I can SU as the user id so I know that authentication is being processed successfully.

    Any help would be most appreciated.
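
An added example, not part of the original post: a small Python triage of the sshd PAM log lines quoted above, grouping each module's result by PAM phase and listing modules that logged an error in the account phase of a login that sshd then denied. The function names and status keywords are assumptions made for this sketch, and a module that denies without logging will not show up.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (one failed login attempt).
SAMPLE = """\
Sep 1 22:09:55 informatica02 sshd[14165]: pam_sss(sshd:auth): Request to sssd failed. Connection refused
Sep 1 22:09:55 informatica02 sshd[14165]: pam_winbind(sshd:auth): getting password (0x00000010)
Sep 1 22:09:55 informatica02 sshd[14165]: pam_winbind(sshd:auth): pam_get_item returned a password
Sep 1 22:09:55 informatica02 sshd[14165]: pam_winbind(sshd:auth): user 'DCI+kdonlan' granted access
Sep 1 22:09:55 informatica02 sshd[14165]: pam_sss(sshd:account): Request to sssd failed. Connection refused
Sep 1 22:09:55 informatica02 sshd[14165]: pam_winbind(sshd:account): user 'DCI+kdonlan' granted access
Sep 1 22:09:55 informatica02 sshd[14166]: fatal: Access denied for user DCI+kdonlan by PAM account configuration
Sep 1 22:09:55 informatica02 sshd[14165]: Failed password for DCI+kdonlan from ::1 port 58051 ssh2
""".splitlines()

PAM_RE = re.compile(r"sshd\[\d+\]: (pam_\w+)\(sshd:(\w+)\): (.*)")
FATAL_RE = re.compile(
    r"sshd\[\d+\]: fatal: Access denied for user (\S+) by PAM account configuration")
RANK = {"info": 0, "ok": 1, "error": 2}

def classify(message):
    """Heuristic (assumption): map a module's log text to ok/error/info."""
    text = message.lower()
    if "granted access" in text:
        return "ok"
    if "failed" in text or "denied" in text:
        return "error"
    return "info"

def triage(lines):
    """Return (phases, denied_user); phases[phase][module] is the worst status."""
    phases, denied_user = defaultdict(dict), None
    for line in lines:
        pam = PAM_RE.search(line)
        fatal = FATAL_RE.search(line)
        if pam:
            module, phase, message = pam.groups()
            seen = phases[phase].get(module, "info")
            phases[phase][module] = max(seen, classify(message), key=RANK.get)
        elif fatal:
            denied_user = fatal.group(1)
    return dict(phases), denied_user

def account_suspects(lines):
    """Modules that logged an error in the account phase of a denied login."""
    phases, denied_user = triage(lines)
    if denied_user is None:
        return []
    return sorted(m for m, s in phases.get("account", {}).items() if s == "error")
```

On the posted lines, `account_suspects(SAMPLE)` lists pam_sss as the only module that logged an error in the account phase; how that result is weighted depends on the control flag on its line in the PAM account stack.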
