sssd won't authenticate against A/D unless the user is in the local password file
We have a requirement to bind Red Hat to Active Directory for user authentication.
I have this working correctly under RHEL 7. I installed and configured sssd, joined a domain with realm, and everything is working perfectly.
In summary:
On RHEL 6, it's not quite working right. Users with local accounts (in /etc/passwd) can log in with their A/D credentials, but users in the same A/D group that do not have a local account get "Authentication failed."
Deleting sssd cache doesn't affect the problem.
I used this procedure:
https://access.redhat.com/solutions/2638981
Method 2 -- Using adcli with krb5 and sssd
Running this version of Red Hat:
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.9 (Santiago)
I've installed all the required packages. krb5.conf looks like this:
#
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
[realms]
MYDOMAIN.COM = {
kdc = mydomain.com
admin_server = domainserver.mydomain.com
default_domain = mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
#
sssd.conf looks like this:
#
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam, sudo
# the section name must match an entry in the [sssd] domains= list
[domain/mydomain.com]
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
pam_account_locked_message = MYDOMAIN account locked, please contact help desk.
pam_account_expired_message = MYDOMAIN account expired, please contact help desk.
ad_access_filter = (memberOf=cn=unix_logins,ou=unix,dc=mydomain,dc=com)
auth_provider = ad
dyndns_update = False
dyndns_update_ptr = False
sudo_provider = ad
#
I used adcli to join the domain. I verified with kinit and klist that I was creating a ticket.
oddjobd is running.
I executed this:
authconfig --enablesssd --enablesssdauth --update
authconfig --enablemkhomedir --update
Trying to ssh into the machine as a user in A/D group unix_logins fails with "Authentication failed".
Error message in /var/log/secure is: Access denied for user myuser by PAM account configuration
But I discovered accidentally that if the user has an entry in /etc/passwd and /etc/shadow, the user CAN log in with his A/D password. (Test by: set local password to password1, set A/D password to password2, observe that I can log in with password2, whereas trying to log in with password1 gives "Permission denied, please try again.")
When login is successful, in /var/log/secure I see:
[...] sshd[12901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pdxdevops01.dat.com user=myuser
followed immediately by:
[...] sshd[12901]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=pdxdevops01.dat.com user=myuser
I think this is a great big hint, but I'm not sure what to do about it. It seems like it's trying to log in against /etc/passwd and when that fails, logs in successfully through sssd.
But if myuser does NOT have a /etc/passwd entry, authentication is not successful, despite the user having A/D credentials and correct A/D group membership.
Please, how do I fix this? For every A/D user to have a local account is not reasonable and should not be necessary.
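Two offline checks that bear on the symptoms above, added here as an example; this is not code from the original post or from the sssd project. It assumes a POSIX sh with awk, and all file contents are constructed samples: one sssd.conf whose [domain/...] section name does not match the domains= entry and one that does, plus a PAM account stack of the shape authconfig writes on RHEL 6 when sssd is enabled. The function and file names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Two checks a practitioner
# would run before touching anything else:
#   1. every domain in [sssd] domains= has a matching [domain/NAME] section
#      (sssd will not start a domain whose section is missing);
#   2. which "sufficient" modules run before pam_sss.so in the PAM account
#      phase, since sshd's "Access denied for user X by PAM account
#      configuration" means pam_acct_mgmt() failed.

# check_sssd_domains FILE
# Prints each name from domains= that has no [domain/NAME] section.
# Returns 1 if any is missing, 0 otherwise.
check_sssd_domains() {
    awk '
        /^[[:space:]]*\[/ {
            sect = $0
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sect)
            if (sect ~ /^domain\//) have[substr(sect, 8)] = 1
            next
        }
        sect == "sssd" && /^[[:space:]]*domains[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            n = split($0, list, /[[:space:],]+/)
            for (i = 1; i <= n; i++) if (list[i] != "") want[list[i]] = 1
        }
        END {
            rc = 0
            for (d in want) if (!(d in have)) {
                print "missing section [domain/" d "]"; rc = 1
            }
            exit rc
        }
    ' "$1"
}

# pam_account_stack FILE
# Prints the account-phase lines as "<control> <module>", keeping a
# bracketed control field such as [default=bad success=ok ...] intact.
pam_account_stack() {
    awk '
        /^[[:space:]]*#/ || $1 != "account" { next }
        {
            ctl = $2; i = 3
            while (ctl ~ /^\[/ && ctl !~ /\]$/ && i <= NF) { ctl = ctl " " $i; i++ }
            print ctl, $i
        }
    ' "$1"
}

# sufficient_before FILE MODULE
# Prints the account-phase modules marked "sufficient" that run before
# MODULE. If one of them succeeds, the account phase ends with success and
# MODULE is never consulted for that user.
sufficient_before() {
    pam_account_stack "$1" | awk -v target="$2" '
        $NF == target { exit }
        $1 == "sufficient" { print $NF }
    '
}

# Constructed sample files (not copied from a real host).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/sssd-mismatch.conf" <<'EOF'
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam, sudo
[domain/mydomain]
id_provider = ad
access_provider = ad
EOF

cat > "$TMP/sssd-ok.conf" <<'EOF'
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam, sudo
[domain/mydomain.com]
id_provider = ad
access_provider = ad
EOF

# Account phase as authconfig --enablesssd --enablesssdauth lays it out on RHEL 6.
cat > "$TMP/system-auth-ac" <<'EOF'
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
EOF

echo "== sssd.conf with mismatched section name =="
check_sssd_domains "$TMP/sssd-mismatch.conf" || echo "(sssd would not start this domain)"
echo "== sssd.conf with matching section name =="
check_sssd_domains "$TMP/sssd-ok.conf" && echo "ok"
echo "== account-phase modules that short-circuit before pam_sss.so =="
sufficient_before "$TMP/system-auth-ac" pam_sss.so
```

Running it against the constructed stack lists pam_localuser.so and pam_succeed_if.so ahead of pam_sss.so. That is the mechanism behind the "works only with a local account" observation: a user present in /etc/passwd satisfies `account sufficient pam_localuser.so`, so the account phase succeeds before pam_sss.so runs and the sssd access check (access_provider = ad with ad_access_filter) is never evaluated for that user. An AD-only user does reach pam_sss.so, and whatever that check returns decides the phase. The next place to look is therefore the access check itself: raise debug_level in the [domain/...] section and read /var/log/sssd/sssd_mydomain.com.log for the result of the access filter when the AD-only user logs in.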