SSSD, PAM and STIG

I have a STIG'd RHEL 7.4 that is giving me trouble with PAM and SSSD for Active Directory authentication. SELinux is configured and enforcing, but for the purposes of troubleshooting I have set it to permissive mode.

It was joined to the domain using realm, but when I attempt to SSH or log in with a domain account I am getting permission denied.

Permissions on krb5.conf, krb5.keytab and sssd.conf are set correctly. sssd.conf has NSS and PAM within the domain section of the config.

/var/log/secure says:

pam_succeed_if(sshd:auth): requirement "user in pgp" not met by user DOMAINUSER
Failed password for user DOMAINUSER from X.X.X.X 

I've triple-checked it's not a password issue. I tried running authconfig --enablesssdauth and made sure sss was in /etc/nsswitch.conf.

Any ideas why I am getting the "permission denied" for authentication, and if this could have to do with PAM and SSSD?

I can't post all the logs now, but I definitely can when I am back in the office tomorrow.

Thank you!

Responses