SSSD Crashing. Not able to Authenticate using AD

Support for security such as Firewalls and securing linux
amit.chahal
Posts: 2
Joined: 2018/09/03 07:37:01

SSSD Crashing. Not able to Authenticate using AD

Post by amit.chahal » 2018/09/05 05:12:11

Hello Everyone -

I am using CentOS 7.4, which was restored from a 4 day old snapshot in VMware. The server's authentication was set up using AD.
After restoration from the snapshot, the AD authentication has crashed. Below is the work I have done so far to fix it, but no luck:
===========
1. Had the AD objects deleted and recreated
2. Modified PAM setting on system-auth-local and password-auth-local as below:
- session optional pam_oddjob_mkhomedir.so
#session optional pam_mkhomedir.so
3. Tried reconfiguring the AD setup again, which I managed to get done without any errors. Still auth didn't work.
===========

Request you to please assist me in sorting out the access. Thanks.


Below are my configs :
===========

sssd.conf:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam

domains = EXAMPLE.COM

[nss]
filter_groups = root, rg-xxxxx-xxx
filter_users = root, xs-xxxxx-xxx
reconnection_retries = 3
debug_level = 9

[pam]
reconnection_retries = 3
debug_level = 9

[domain/EXAMPLE.COM]
debug_level = 9
cache_credentials = False
ad_enable_gc = False
ad_maximum_machine_account_password_age = 0

id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad

ldap_referrals = false

# Default AD provider does ID mapping
ldap_id_mapping = true

ldap_search_base = DC=example,DC=com

ldap_user_search_base = DC=example,DC=com
ldap_user_object_class = user

ldap_group_search_base = DC=example,DC=com
ldap_group_object_class = group

ldap_access_filter = memberOf=CN=xxxxxxxxxxxx,OU=Groups-Privileged,OU=EXAMPLE_Groups,OU=EXAMPLE_Resources,DC=EXAMPLE,DC=com

override_shell = /bin/bash
default_shell = /bin/bash
fallback_homedir = /home/%d/%u



krb5.conf
=================
[root@SRLPUPDV01 ~]# cat /etc/krb5.conf
# Other applications require this directory to perform krb5 configuration.
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
MOPP.COM = {
kdc = MOPP.COM
admin_server = MOPP.COM
}

EXAMPLE.COM = {
kdc = EXAMPLE.COM
admin_server = EXAMPLE.COM
}

ZPSS.COM = {
kdc = ZPSS.COM
admin_server = ZPSS.COM
}

[domain_realm]
.mopp.COM = MOPP.COM
mopp.COM = MOPP.COM
.example.COM = EXAMPLE.COM
example.COM = EXAMPLE.COM
.zpss.COM = ZPSS.COM
zpss.COM = ZPSS.COM



/etc/pam.d/system-auth-local and password-auth-local
=====================================================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5 even_deny_root unlock_time=900 root_unlock_time=900
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_sss.so use_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 even_deny_root unlock_time=900 root_unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so

account required pam_unix.so
account required pam_faillock.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=13
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
#session optional pam_mkhomedir.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

===========================================


LOGS:
========================

/var/log/secure:
================
Sep 5 14:16:06 ABCSERVER sshd[18186]: pam_unix(sshd:auth): check pass; user unknown
Sep 5 14:16:06 ABCSERVER sshd[18186]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.11.10.1
Sep 5 14:16:06 ABCSERVER sshd[18186]: pam_sss(sshd:auth): Request to sssd failed. Connection refused
Sep 5 14:16:06 ABCSERVER sshd[18186]: pam_faillock(sshd:auth): User unknown: EXAMPLE\xs-xxxxxxx-xxxx
Sep 5 14:16:06 ABCSERVER sshd[18187]: Invalid user EXAMPLE\\xs-xxxxxxx-xxxx from 10.11.10.1 port 58354
Sep 5 14:16:06 ABCSERVER sshd[18187]: input_userauth_request: invalid user EXAMPLE\\\\xs-xxxxxxx-xxxx [preauth]
Sep 5 14:16:06 ABCSERVER sshd[18187]: pam_faillock(sshd:auth): User unknown: EXAMPLE\xs-xxxxxxx-xxxx
Sep 5 14:16:06 ABCSERVER sshd[18187]: pam_unix(sshd:auth): check pass; user unknown
Sep 5 14:16:06 ABCSERVER sshd[18187]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.11.10.1
Sep 5 14:16:06 ABCSERVER sshd[18187]: pam_sss(sshd:auth): Request to sssd failed. Connection refused
Sep 5 14:16:06 ABCSERVER sshd[18187]: pam_faillock(sshd:auth): User unknown: EXAMPLE\xs-xxxxxxx-xxxx
Sep 5 14:16:08 ABCSERVER sshd[18186]: Failed password for invalid user EXAMPLE\\xs-xxxxxxx-xxxx from 10.11.10.1 port 58353 ssh2
Sep 5 14:16:08 ABCSERVER sshd[18186]: Connection closed by 10.11.10.1 port 58353 [preauth]
Sep 5 14:16:08 ABCSERVER sshd[18187]: Failed password for invalid user EXAMPLE\\xs-xxxxxxx-xxxx from 10.11.10.1 port 58354 ssh2
Sep 5 14:16:08 ABCSERVER sshd[18187]: Connection closed by 10.11.10.1 port 58354 [preauth]
Sep 5 14:16:09 ABCSERVER sshd[18191]: Invalid user EXAMPLE\\xs-xxxxxxx-xxxx from 10.11.10.1 port 58442
Sep 5 14:16:09 ABCSERVER sshd[18191]: input_userauth_request: invalid user EXAMPLE\\\\xs-xxxxxxx-xxxx [preauth]
Sep 5 14:16:09 ABCSERVER sshd[18191]: pam_faillock(sshd:auth): User unknown: EXAMPLE\xs-xxxxxxx-xxxx
Sep 5 14:16:09 ABCSERVER sshd[18191]: pam_unix(sshd:auth): check pass; user unknown
Sep 5 14:16:09 ABCSERVER sshd[18191]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.11.10.1
Sep 5 14:16:09 ABCSERVER sshd[18191]: pam_sss(sshd:auth): Request to sssd failed. Connection refused
Sep 5 14:16:09 ABCSERVER sshd[18191]: pam_faillock(sshd:auth): User unknown: EXAMPLE\xs-xxxxxxx-xxxx
Sep 5 14:16:09 ABCSERVER sshd[18190]: Invalid user EXAMPLE\\xs-xxxxxxx-xxxx from 10.11.10.1 port 58441
Sep 5 14:16:09 ABCSERVER sshd[18190]: input_userauth_request: invalid user EXAMPLE\\\\xs-xxxxxxx-xxxx [preauth]
Sep 5 14:16:09 ABCSERVER sshd[18190]: pam_faillock(sshd:auth): User unknown: EXAMPLE\xs-xxxxxxx-xxxx
Sep 5 14:16:09 ABCSERVER sshd[18190]: pam_unix(sshd:auth): check pass; user unknown
Sep 5 14:16:09 ABCSERVER sshd[18190]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.11.10.1
Sep 5 14:16:09 ABCSERVER sshd[18190]: pam_sss(sshd:auth): Request to sssd failed. Connection refused
Sep 5 14:16:09 ABCSERVER sshd[18190]: pam_faillock(sshd:auth): User unknown: EXAMPLE\xs-xxxxxxx-xxxx
Sep 5 14:16:11 ABCSERVER sshd[18191]: Failed password for invalid user EXAMPLE\\xs-xxxxxxx-xxxx from 10.11.10.1 port 58442 ssh2
Sep 5 14:16:11 ABCSERVER sshd[18190]: Failed password for invalid user EXAMPLE\\xs-xxxxxxx-xxxx from 10.11.10.1 port 58441 ssh2
Sep 5 14:16:11 ABCSERVER sshd[18191]: Connection closed by 10.11.10.1 port 58442 [preauth]
Sep 5 14:16:11 ABCSERVER sshd[18190]: Connection closed by 10.11.10.1 port 58441 [preauth]
Sep 5 14:16:11 ABCSERVER sshd[18195]: Invalid user EXAMPLE\\xs-xxxxxxx-xxxx from 10.11.10.1 port 58594
Sep 5 14:16:11 ABCSERVER sshd[18195]: input_userauth_request: invalid user EXAMPLE\\\\xs-xxxxxxx-xxxx [preauth]
Sep 5 14:16:12 ABCSERVER sshd[18195]: pam_faillock(sshd:auth): User unknown: EXAMPLE\xs-xxxxxxx-xxxx
Sep 5 14:16:12 ABCSERVER sshd[18195]: pam_unix(sshd:auth): check pass; user unknown
Sep 5 14:16:12 ABCSERVER sshd[18195]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.11.10.1
Sep 5 14:16:12 ABCSERVER sshd[18195]: pam_sss(sshd:auth): Request to sssd failed. Connection refused
Sep 5 14:16:12 ABCSERVER sshd[18195]: pam_faillock(sshd:auth): User unknown: EXAMPLE\xs-xxxxxxx-xxxx
Sep 5 14:16:12 ABCSERVER sshd[18196]: Invalid user EXAMPLE\\xs-xxxxxxx-xxxx from 10.11.10.1 port 58595
Sep 5 14:16:12 ABCSERVER sshd[18196]: input_userauth_request: invalid user EXAMPLE\\\\xs-xxxxxxx-xxxx [preauth]
Sep 5 14:16:12 ABCSERVER sshd[18196]: pam_faillock(sshd:auth): User unknown: EXAMPLE\xs-xxxxxxx-xxxx
Sep 5 14:16:12 ABCSERVER sshd[18196]: pam_unix(sshd:auth): check pass; user unknown
Sep 5 14:16:12 ABCSERVER sshd[18196]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.11.10.1
Sep 5 14:16:12 ABCSERVER sshd[18196]: pam_sss(sshd:auth): Request to sssd failed. Connection refused
Sep 5 14:16:12 ABCSERVER sshd[18196]: pam_faillock(sshd:auth): User unknown: EXAMPLE\xs-xxxxxxx-xxxx
Sep 5 14:16:14 ABCSERVER sshd[18196]: Failed password for invalid user EXAMPLE\\xs-xxxxxxx-xxxx from 10.11.10.1 port 58595 ssh2
Sep 5 14:16:14 ABCSERVER sshd[18196]: Connection closed by 10.11.10.1 port 58595 [preauth]
Sep 5 14:16:14 ABCSERVER sshd[18195]: Failed password for invalid user EXAMPLE\\xs-xxxxxxx-xxxx from 10.11.10.1 port 58594 ssh2
Sep 5 14:16:14 ABCSERVER sshd[18195]: Connection closed by 10.11.10.1 port 58594 [preauth]
Sep 5 14:16:15 ABCSERVER sshd[18199]: Invalid user EXAMPLE\\xs-xxxxxxx-xxxx from 10.11.10.1 port 59064
Sep 5 14:16:15 ABCSERVER sshd[18199]: input_userauth_request: invalid user EXAMPLE\\\\xs-xxxxxxx-xxxx [preauth]
Sep 5 14:16:15 ABCSERVER sshd[18199]: pam_faillock(sshd:auth): User unknown: EXAMPLE\xs-xxxxxxx-xxxx
Sep 5 14:16:15 ABCSERVER sshd[18199]: pam_unix(sshd:auth): check pass; user unknown
Sep 5 14:16:15 ABCSERVER sshd[18199]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.11.10.1
Sep 5 14:16:15 ABCSERVER sshd[18199]: pam_sss(sshd:auth): Request to sssd failed. Connection refused
Sep 5 14:16:15 ABCSERVER sshd[18199]: pam_faillock(sshd:auth): User unknown: EXAMPLE\xs-xxxxxxx-xxxx
Sep 5 14:16:17 ABCSERVER sshd[18199]: Failed password for invalid user EXAMPLE\\xs-xxxxxxx-xxxx from 10.11.10.1 port 59064 ssh2
Sep 5 14:16:17 ABCSERVER sshd[18199]: Connection closed by 10.11.10.1 port 59064 [preauth]




Thanks
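The /var/log/secure excerpt above mixes two distinct failure signals on every login attempt: pam_sss cannot reach the sssd responder ("Connection refused"), and the DOMAIN\user name that reached PAM is never resolved to a local account. The following triage script is an added example, not code from the thread or from SSSD; it separates those signals over constructed lines modelled on the posted log (host, PIDs, user names and addresses are placeholders), so that an sssd outage is not mistaken for a credential problem or a guessing attempt.

```python
import re
from collections import Counter

# Constructed sample, modelled on the thread's /var/log/secure excerpt.
# Host, PIDs, user names and source addresses are placeholders.
SAMPLE_SECURE = [
    r"Sep 5 14:16:06 ABCSERVER sshd[18186]: pam_unix(sshd:auth): check pass; user unknown",
    r"Sep 5 14:16:06 ABCSERVER sshd[18186]: pam_sss(sshd:auth): Request to sssd failed. Connection refused",
    r"Sep 5 14:16:06 ABCSERVER sshd[18186]: pam_faillock(sshd:auth): User unknown: EXAMPLE\xs-xxxxxxx-xxxx",
    r"Sep 5 14:16:08 ABCSERVER sshd[18186]: Failed password for invalid user EXAMPLE\\xs-xxxxxxx-xxxx from 10.11.10.1 port 58353 ssh2",
    r"Sep 5 14:16:09 ABCSERVER sshd[18191]: pam_sss(sshd:auth): Request to sssd failed. Connection refused",
    r"Sep 5 14:16:20 ABCSERVER sshd[18300]: Failed password for bob from 10.11.10.2 port 50000 ssh2",
]

# pam_sss could not talk to the sssd PAM responder (socket down, sssd crashed or not started).
PAM_SSS_DOWN = re.compile(r"pam_sss\(\S+:auth\): Request to sssd failed\. (?P<reason>.+)$")
# pam_faillock saw a login name that no NSS source (local files or sssd) could resolve.
UNKNOWN_USER = re.compile(r"pam_faillock\(\S+:auth\): User unknown: (?P<name>\S+)$")
# sshd's final verdict; "invalid user" means the name was never resolved at all.
FAILED_PW = re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<name>\S+) from (?P<src>\S+)")


def triage(lines):
    """Count the distinct failure signals and collect unresolved DOMAIN\\user names."""
    summary = {"sssd_unreachable": 0, "unknown_user": 0, "failed_password": 0,
               "invalid_user": 0, "domain_qualified_names": set(), "sources": Counter()}
    for line in lines:
        m = PAM_SSS_DOWN.search(line)
        if m:
            summary["sssd_unreachable"] += 1
            continue
        m = UNKNOWN_USER.search(line)
        if m:
            summary["unknown_user"] += 1
            if "\\" in m["name"]:  # a DOMAIN\user form that sssd did not map to an account
                summary["domain_qualified_names"].add(m["name"])
            continue
        m = FAILED_PW.search(line)
        if m:
            summary["failed_password"] += 1
            summary["invalid_user"] += 1 if m["invalid"] else 0
            summary["sources"][m["src"]] += 1
    return summary


def diagnose(summary):
    """Turn the counters into the findings an on-call engineer needs first."""
    findings = []
    if summary["sssd_unreachable"]:
        findings.append("sssd PAM responder unreachable: sshd falls through to pam_unix, "
                        "so no AD login can succeed until sssd is running again")
    if summary["domain_qualified_names"]:
        findings.append("DOMAIN\\user names reached PAM but were not resolved; check "
                        "use_fully_qualified_names in sssd.conf and the name form users type")
    if summary["failed_password"] and not summary["sssd_unreachable"]:
        findings.append("password failures with sssd reachable: a credential problem or a "
                        "guessing attempt, not an outage; review the source addresses")
    return findings
```

Run `diagnose(triage(SAMPLE_SECURE))` over a real file by reading its lines; with the sample it reports the outage first and the unresolved DOMAIN\user form second, and the per-source counter is what distinguishes one stuck user from a spray of addresses.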

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: SSSD Crashing. Not able to Authenticate using AD

Post by hunter86_bg » 2018/09/06 20:03:33

Usually dealing with Kerberos reminds me to check the time on the client.
Have you checked your date/time? Are you in sync with the AD controllers?
Of course the fastest fix is to rejoin the machine ... but this is not always an option.

amit.chahal
Posts: 2
Joined: 2018/09/03 07:37:01

Re: SSSD Crashing. Not able to Authenticate using AD

Post by amit.chahal » 2018/09/07 03:22:43

Hello -

Thanks for the reply.
Yes, the time seems to be in sync on the client and AD side.
However, I got the auth working by adding the below parameter in sssd.conf:

use_fully_qualified_names = False

Thanks

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: SSSD Crashing. Not able to Authenticate using AD

Post by hunter86_bg » 2018/09/07 04:46:26

So you used to log in via:

DOMAIN\\ADuser

And now you have to use only the username.

I'll try to get my configuration, despite the fact that our corp AD is a little bit crazy (domain and realm do not match :) ) and check the sssd conf.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: SSSD Crashing. Not able to Authenticate using AD

Post by hunter86_bg » 2018/09/07 04:47:24

By the way, have you tried to restart the service or the whole machine after the restore?
Also, verify that the resolver is one of the AD controllers.
