On Mon, Feb 22, 2021, 1:47 PM Kent West <westk@acu.edu> wrote:On Mon, Feb 22, 2021 at 1:37 PM Kent West <westk@acu.edu> wrote:On Mon, Feb 22, 2021 at 7:52 AM Nicholas Geovanis <nickgeovanis@gmail.com> wrote:On Sun, Feb 21, 2021, 5:09 PM Kent West <westk@acu.edu> wrote:Brand new Debian box (tried Buster, then when that didn;' work, upgraded tp unstable - meh, it's a test box to get things sorted out before production use).....su'd to rootapt install'd aptitude, realmd, packagekit(packagekit grabbed the needed dependencies, such as sssd and samba (at least parts of them, and maybe part of KRB5 (the keytab thing-y), and [mostly] configured them)Ran "realm join MY.DOMAIN -U my_add-to-domain_user"getent passwd domain_user successfully returns data on the domain user:acutech@21260-debianvm:~$ getent passwd glerp@my.domain
glerp@my.domain:*:495633057:495600513:glerp:/home/glerp@my.domain:/bin/bash........Here are a few relevant lines from /var/log/auth.log:Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=glerp@my.domain
Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=glerp@my.domain
Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_sss(sshd:account): Access denied for user glerp@my.domain: 6 (Permission denied)
Feb 21 17:04:54 21260-debianvm sshd[5284]: Failed password for glerp@my.domain from 127.0.0.1 port 59998 ssh2Feb 21 17:04:54 21260-debianvm sshd[5284]: fatal: Access denied for user glerp@my.domain by PAM account configuration [preauth]So I think what this is telling you is that authentication succeeded for the "auth" clause in the "sshd" section of the PAM config file (pam_sss). But then authentication failed in the "account" clause of the sshd section.So the question is why there?.....I built another virtual machine on another Debian box, following the same steps. That one worked.I compared all the files I could think of (/etc/pam.d/ files, /etc/nsswitch.conf, /etc/ssd/ssd_config, etc), and made them identical. Didn't help.I then rebuilt the offending machine, removed it from the domain, followed the same steps again, and now ... it works.Go figure.And having been on that merry-go-round myself more than once, Mr West☺....that usually means something bad happened in the initial Kerberos ticket granting process that happens at LDAP/AD initial config. First you need a ticket-granting-ticket from the LDAP or AD domain (the TGT). And then you need a session ticket for each kerberos session. Those sessions are usually much shorter than the lifetime of a single boot. So sometimes they need to be re-acquired outside of the boot process. And yes, nsswitch.conf is vital.There are folks on debian-user who understand it better than me. The first time I did that was on Solaris 8 however. Built LDAP, nss and AD interface code from source. No base config files except for PAM. Took a few tries but it worked. It's hard to shake out and you did it.West in pieces... ☺I would have loved to have found the problem, but more importantly for me, I now know the process works. For now, that's sufficient.
--Kent West <")))><
Westing Peacefully - http://kentwest.blogspot.com