AD users unable to login when simple_allow_groups set

We have added a RHEL 8.5 server (hosted on AWS) to Microsoft AD (hosted on premise) using sssd. After joining the server to AD, AD users are able to log in when the "simple_allow_users" parameter is applied; however, they are unable to log in when "simple_allow_groups" is set (simple_allow_groups = xxxxxxx). Does anyone have any idea on this?

Error message noticed: "testadserver sshd[7656]: fatal: Access denied for user userabcd by PAM account configuration [preauth]".

When we enter the password, the first message reports authentication success: "pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.xxxx.x.xxx.xxx%eth0 user=userabcd"

Then it closes the connection with the error log below:

May 5 10:09:56 testadserver sshd[15784]: Failed password for userabcd from xxx.x.x.x.x.x.x port 51474 ssh2
May 5 10:09:56 testadserver sshd[15784]: fatal: Access denied for user userabcd by PAM account configuration [preauth]

What we have tried in an attempt to fix this:

  • Removed and rejoined the server in AD
  • Tried with FQDN
  • Tried flipping the "use_fully_qualified_names" parameter in the sssd.conf file, with the same results.
  • Checked by running "id username" for a user who is part of the group; it resolves correctly.
  • Cleared the sssd cache files and restarted the sssd service.
  • Checked the sshd config file for any user/group restrictions; none are set.
  • The team has checked the solution in this KB: https://access.redhat.com/solutions/2187581

  • Some log files:

ssh error after entering the password ("userabcd@testadserver"):
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
Connection closed by xx.x.xx.x..x.xeth0 port 22
root@testadserver /]# tail -f /var/log/sssd/sssd.log
* (2022-05-05 10:08:02): [sssd] [sbus_issue_request_done] (0x0400): sssd.monitor.RegisterService: Success
* (2022-05-05 10:08:02): [sssd] [sbus_dispatch] (0x4000): Dispatching.
* (2022-05-05 10:08:06): [sssd] [services_startup_timeout] (0x0400): Handling timeout
* (2022-05-05 10:09:02): [sssd] [sbus_dispatch_reconnect] (0x0400): Connection lost. Terminating active requests.
* (2022-05-05 10:09:02): [sssd] [sbus_dispatch_reconnect] (0x4000): Remote client terminated the connection. Releasing data...
* (2022-05-05 10:09:02): [sssd] [sbus_connection_free] (0x4000): Connection 0x5603d2c85a90 will be freed during next loop!
* (2022-05-05 10:09:02): [sssd] [mt_svc_exit_handler] (0x1000): SIGCHLD handler of service xxx.x.xxx.xxx called
* (2022-05-05 10:09:02): [sssd] [svc_child_info] (0x0020): Child [15765] (xxx.x.xxxx.x.x.xxxx.xxx) was terminated by own WATCHDOG
********************** BACKTRACE DUMP ENDS HERE *********************************

root@testadserver /]# tail -f /var/log/secure
May 5 09:52:14 testadserver sshd[15589]: fatal: Access denied for user userabcd by PAM account configuration [preauth]
May 5 09:52:20 testadserver sudo[15629]: ssm-user : TTY=pts/1 ; PWD=/usr/bin ; USER=root ; COMMAND=/bin/bash
May 5 09:52:20 testadserver sudo[15629]: pam_unix(sudo-i:session): session opened for user root by (uid=0)
May 5 09:59:38 testadserver sshd[15701]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.xxxx.x.x.xxx%eth0 user=userabcd
May 5 10:00:56 testadserver sshd[15710]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.xxx.xx.xx user=userabcd
May 5 10:00:56 testadserver sshd[15710]: pam_sss(sshd:auth): received for user userabcd: 4 (System error)
May 5 10:00:58 testadserver sshd[15710]: Failed password for userabcd from xx.xxx.xx.xxx port 59328 ssh2
May 5 10:01:05 testadserver sshd[15701]: fatal: Access denied for user userabcd by PAM account configuration [preauth]
May 5 10:08:26 testadserver sshd[15784]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxxx.xxxx%eth0 user=userabcd
May 5 10:09:56 testadserver sshd[15784]: Failed password for userabcd from xxx.xxxx.xxxx.xxx%eth0 port 51474 ssh2
May 5 10:09:56 testadserver sshd[15784]: fatal: Access denied for user userabcd by PAM account configuration [preauth]

NOTE: IP addresses and other system-specific data have been masked.

Appreciate any help on this. Thanks!
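The log excerpt above carries the key diagnostic: `pam_sss(sshd:auth): authentication success` is followed, for the same sshd PID, by `Access denied ... by PAM account configuration`. The password was accepted; the refusal came from the PAM *account* phase, which is where sssd's access provider (here the simple provider with `simple_allow_groups`) makes its decision. That is an authorization failure, not a credential failure, and it should be read differently from a plain `Failed password`. The script below is an added example, not part of the original post or of Red Hat's documentation: it groups /var/log/secure sshd lines by PID and classifies each session as login-ok, authorization-denied, or authentication-failed. The sample log is constructed from the masked lines quoted in the post, with documentation-range IP addresses and an extra `Accepted password` line added so all three outcomes appear.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the masked lines quoted in the post above.
# IPs are from the 198.51.100.0/24 documentation range; the final line is an
# added successful login so that every verdict class is represented.
SAMPLE_LOG = """\
May 5 09:59:38 testadserver sshd[15701]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7%eth0 user=userabcd
May 5 10:00:56 testadserver sshd[15710]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=userabcd
May 5 10:00:56 testadserver sshd[15710]: pam_sss(sshd:auth): received for user userabcd: 4 (System error)
May 5 10:00:58 testadserver sshd[15710]: Failed password for userabcd from 198.51.100.7 port 59328 ssh2
May 5 10:01:05 testadserver sshd[15701]: fatal: Access denied for user userabcd by PAM account configuration [preauth]
May 5 10:08:26 testadserver sshd[15784]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7%eth0 user=userabcd
May 5 10:09:56 testadserver sshd[15784]: Failed password for userabcd from 198.51.100.7 port 51474 ssh2
May 5 10:09:56 testadserver sshd[15784]: fatal: Access denied for user userabcd by PAM account configuration [preauth]
May 5 10:12:01 testadserver sshd[15801]: Accepted password for userabcd from 198.51.100.7 port 51480 ssh2
"""

# Syslog-style sshd line: timestamp, host, "sshd[PID]:", message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message fragments that tell us which PAM phase produced the line.
# Order matters: the first matching marker wins.
EVENT_MARKERS = (
    ("accepted", "Accepted "),
    ("auth_ok", "pam_sss(sshd:auth): authentication success"),
    ("auth_fail", "pam_sss(sshd:auth): authentication failure"),
    ("backend_error", "(System error)"),
    ("account_denied", "by PAM account configuration"),
    ("failed_password", "Failed password for"),
)

# Ways the user name appears in the different message shapes.
USER_RES = (
    re.compile(r"\buser=([^\s:]+)"),
    re.compile(r"\bfor user ([^\s:]+)"),
    re.compile(r"\b(?:Accepted|Failed) \S+ for (?:invalid user )?([^\s:]+) from"),
)


def parse_events(text):
    """Yield (pid, event, user) for every sshd line that carries a known marker."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        event = next((name for name, marker in EVENT_MARKERS if marker in msg), None)
        if event is None:
            continue
        user = next((u.group(1) for u in (r.search(msg) for r in USER_RES) if u), None)
        yield m.group("pid"), event, user


def classify_sessions(text):
    """Group events by sshd PID and decide what actually went wrong per session."""
    sessions = defaultdict(lambda: {"user": None, "events": []})
    for pid, event, user in parse_events(text):
        s = sessions[pid]
        s["events"].append(event)
        if user and not s["user"]:
            s["user"] = user
    for s in sessions.values():
        ev = set(s["events"])
        if "accepted" in ev:
            s["verdict"] = "login-ok"
        elif "account_denied" in ev:
            # Credentials were fine (or never the issue); the account/access
            # phase refused the user. With sssd this is the access_provider.
            s["verdict"] = "authorization-denied"
        elif "auth_fail" in ev:
            # Wrong password, or the backend could not answer (backend_error).
            s["verdict"] = "authentication-failed"
        else:
            s["verdict"] = "incomplete"
    return dict(sessions)


def verdict_counts(text):
    """Count sessions per verdict, e.g. to alert on a burst of account-phase denials."""
    return Counter(s["verdict"] for s in classify_sessions(text).values())


if __name__ == "__main__":
    for pid, s in sorted(classify_sessions(SAMPLE_LOG).items()):
        print(f"sshd[{pid}] user={s['user']} verdict={s['verdict']} events={s['events']}")
    print(dict(verdict_counts(SAMPLE_LOG)))
```

Run against a real /var/log/secure by passing the file contents to `classify_sessions`. A session that ends in `authorization-denied` after `auth_ok` means the password was correct and the access provider refused the account, so the next place to look is the sssd domain log at debug level for the access check, not the user's credentials. Note that sshd still logs `Failed password` in that case, which is why the PID correlation is needed rather than grepping for that string alone.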

Responses