SSSD + SSH

Hello,

I have done this a number of times, and it works, but this time it doesn't and I have no clue as to why.

I created a new installation and I used winbindd (through YaST) to add the machine to the AD (2012R2).

Trying to log in to SSH using a user from the AD didn't work. So I decided to set up the Authentication client. Still doesn't work.

Here is the error:

Postponed keyboard-interactive for invalid user example\user from ::1 port 39707 ssh2 [preauth]
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=example\user
pam_sss(sshd:auth): received for user clouda-vasileiosg: 10 (User not known to the underlying authentication module)
pam_winbind(sshd:auth): getting password (0x00000390)
pam_winbind(sshd:auth): pam_get_item returned a password
error: PAM: User not known to the underlying authentication module for illegal user example\user from localhost
Failed keyboard-interactive/pam for invalid user example\user from ::1 port 39707 ssh2
Postponed keyboard-interactive for invalid user example\user from ::1 port 39707 ssh2 [preauth]

I tried both

ssh example\\user@localhost

and

ssh user@localhost

Here is my smb.conf

[global]
        workgroup = CLOUD
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        kerberos method = secrets and keytab
        realm = EXAMPLE.COM
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind offline logon = yes
        winbind refresh tickets = yes

and krb5.conf

[libdefaults]
        clockskew = 300
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kerberos.example.com
                default_domain = example.com
                admin_server = kerberos.example.com
        }

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        .cloud.local = EXAMPLE.COM

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                minimum_uid = 1
        }



and finally sssd.conf

[sssd]
config_file_version = 2
services = nss,pam,ssh
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad
enumerate = true
cache_credentials = true
ad_server = 69.69.69.69
access_provider = ad
chpass_provider = ad
cache_credentials = true

[nss]
filter_users = root
filter_groups = root

[pam]

[ssh]



Any ideas would be appreciated :slight_smile:
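A triage helper for the failure shown above, added here as an example and not part of the original post. It parses the sshd/PAM lines and decides whether the login failed at identity resolution or at password verification: sshd logs "invalid user" when getpwnam() fails before PAM runs, and pam_sss return code 10 is PAM_USER_UNKNOWN, so those lines together mean NSS never resolved the account and no password was ever checked. The sample lines are a constructed copy of the post's log with the pam_sss "received for user" line using the same example\user name as the other lines; the second sample (a rejected password for bob@example.com) is constructed as a contrast case.

```python
import re

# Constructed sample: the sshd/PAM lines from the post, with the pam_sss
# "received for user" line using the same example\user name as the rest.
SAMPLE_LOG = r"""
Postponed keyboard-interactive for invalid user example\user from ::1 port 39707 ssh2 [preauth]
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=example\user
pam_sss(sshd:auth): received for user example\user: 10 (User not known to the underlying authentication module)
pam_winbind(sshd:auth): getting password (0x00000390)
pam_winbind(sshd:auth): pam_get_item returned a password
error: PAM: User not known to the underlying authentication module for illegal user example\user from localhost
Failed keyboard-interactive/pam for invalid user example\user from ::1 port 39707 ssh2
"""

PAM_USER_UNKNOWN = 10   # Linux-PAM: "User not known to the underlying authentication module"

# sshd prints "invalid user" / "illegal user" when getpwnam() failed before PAM ran
INVALID_USER_RE = re.compile(r"\b(?:invalid|illegal) user (?P<user>\S+)")
PAM_LINE_RE = re.compile(r"^(?P<module>pam_\w+)\(sshd:auth\): (?P<msg>.*)$")
PAM_SSS_CODE_RE = re.compile(r"received for user \S+: (?P<code>\d+)")
USER_FIELD_RE = re.compile(r"\buser=(?P<user>\S+)")


def split_name(name):
    """Split 'DOMAIN\\user' or 'user@domain' into (user, domain); domain is None for a bare name."""
    if "\\" in name:
        domain, _, user = name.partition("\\")
        return user, domain
    if "@" in name:
        user, _, domain = name.partition("@")
        return user, domain
    return name, None


def triage(log_text):
    """Classify an sshd+PAM failure as an identity-lookup problem or a credential problem."""
    names, modules, sss_code, saw_invalid = [], [], None, False
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            saw_invalid = True
            if m.group("user") not in names:
                names.append(m.group("user"))
        m = PAM_LINE_RE.match(line)
        if not m:
            continue
        module, msg = m.group("module"), m.group("msg")
        if module not in modules:
            modules.append(module)           # order in which sshd's PAM stack was consulted
        u = USER_FIELD_RE.search(msg)
        if u and u.group("user") not in names:
            names.append(u.group("user"))
        c = PAM_SSS_CODE_RE.search(msg)
        if module == "pam_sss" and c:
            sss_code = int(c.group("code"))  # pam_sss reports the PAM return code it handed back

    login_name = names[0] if names else None
    if saw_invalid or sss_code == PAM_USER_UNKNOWN:
        stage = "identity"
        why = "the account never resolved through NSS (getpwnam failed), so no password was checked"
    else:
        stage = "authentication"
        why = "the account resolved; PAM rejected the credentials"
    user, domain = split_name(login_name) if login_name else (None, None)
    return {
        "login_name": login_name, "user": user, "domain": domain,
        "pam_modules": modules, "sss_code": sss_code, "stage": stage, "why": why,
        # the first thing to check by hand when the stage is "identity"
        "next_check": f"getent passwd '{login_name}'" if login_name else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:12} {value}")
```

The useful output is the stage: for the post's log it is "identity", with the name sent as the login (`example\user`) and the domain part split out, so the next step is `getent passwd` for exactly that string rather than retrying passwords. The stack order (pam_unix, pam_sss, pam_winbind) shows that all three modules were consulted and none could even find the user.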

And sshd is started at boot? Firewall port opened?

EDIT: forget this, first post output looks like it’s running. Something else must be going on.

OK I solved the issue and here is how:

  1. I reinstalled the system by disabling the network connection
  2. I enabled the network connection and added it to the domain
  3. restarted and everything works!
  4. did updates and everything still works.

I repeated the above steps, doing updates during the installation. The result was that it did NOT work again. I think there is a bug somewhere.

Vasgi,
First, glad you got it working :slight_smile: .

I see you are using the AD providers, so your domain join is obviously working.

I would suggest the following tweaks to your /etc/sssd/sssd.conf:

[sssd]
config_file_version = 2

# Unless you are using the SSSD SSH responder to cache public keys this responder is not required
# The SSH daemon will use the SSSD NSS and PAM responders for SSH service authentication/authorisation
services = nss,pam

domains = example.com

[nss]
filter_users = root
filter_groups = root

[pam]

[ssh]

[domain/example.com]

# Set enumeration to false
# Unless you have a very small AD environment enumeration should be turned off
# With enumeration on the daemon will try to cache all the users, groups and services it can see
enumerate = false
cache_credentials = true

id_provider = ad
auth_provider = ad

# Not specifying any additional criteria this entry will only prevent expired and disabled accounts from logging in
access_provider = ad

chpass_provider = ad

# Added the service location via SRV record as the primary option to locate a domain controller
# The static server is left as a fall back
# Functioning service location for the daemon is dependent on proper Linux host and AD DNS configuration
# (_srv_ is the keyword SSSD's ad_server option recognises for SRV discovery)
ad_server = _srv_,69.69.69.69

Hope it helps!

– lawrence
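A small checker for the tweaks recommended in this reply, added here as an example and not part of the thread or of SSSD itself. It parses an sssd.conf with Python's configparser and reports enumeration left on, an ssh responder that sshd does not need for password login, an ad_server list with no SRV discovery, and a key that is set twice (the original poster's file sets cache_credentials twice, which makes the effective value ambiguous). Both configurations are embedded constructed copies of the ones in the thread; `_srv_` is the keyword the sssd-ad man page documents for ad_server, and the checker also flags a bare `srv`, which SSSD would treat as a host name.

```python
import configparser
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*(?P<key>[^=#;\[\s][^=]*?)\s*=")

# Constructed copy of the original poster's sssd.conf from the thread.
OP_CONF = """\
[sssd]
config_file_version = 2
services = nss,pam,ssh
domains = example.com
[domain/example.com]
id_provider = ad
auth_provider = ad
enumerate = true
cache_credentials = true
ad_server = 69.69.69.69
access_provider = ad
chpass_provider = ad
cache_credentials = true
[nss]
filter_users = root
filter_groups = root
[pam]
[ssh]
"""

# Constructed copy of the recommended configuration, using SSSD's _srv_ keyword.
RECOMMENDED_CONF = """\
[sssd]
config_file_version = 2
services = nss,pam
domains = example.com
[nss]
filter_users = root
filter_groups = root
[pam]
[ssh]
[domain/example.com]
enumerate = false
cache_credentials = true
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_server = _srv_,69.69.69.69
"""


def duplicate_keys(text):
    """Return (section, key) pairs that appear more than once; a plain scan, since
    configparser in non-strict mode silently keeps only the last value."""
    seen, dups, section = set(), [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            pair = (section, m.group("key").strip())
            if pair in seen and pair not in dups:
                dups.append(pair)
            seen.add(pair)
    return dups


def csv(value):
    """Split an SSSD comma-separated list value into stripped items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def lint_sssd_conf(text):
    """Report the settings this thread recommends changing, as human-readable findings."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.read_string(text)
    findings = []
    for section, key in duplicate_keys(text):
        findings.append(f"[{section}] {key} is set more than once; the effective value is ambiguous")
    if "ssh" in csv(cp.get("sssd", "services", fallback="")):
        findings.append("[sssd] services lists the ssh responder, which sshd only needs for "
                        "public-key lookup; login works through the nss and pam responders")
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.getboolean(section, "enumerate", fallback=False):
            findings.append(f"[{section}] enumerate = true makes the daemon cache every user and "
                            "group it can see; set it to false unless the AD is very small")
        servers = [s.lower() for s in csv(cp.get(section, "ad_server", fallback=""))]
        if "srv" in servers:
            findings.append(f"[{section}] ad_server uses 'srv', which SSSD reads as a host name; "
                            "the keyword for SRV discovery is _srv_")
        if servers and "_srv_" not in servers:
            findings.append(f"[{section}] ad_server lists only static addresses; put _srv_ first "
                            "so a domain controller is located via DNS SRV records")
    return findings


if __name__ == "__main__":
    for label, conf in (("original", OP_CONF), ("recommended", RECOMMENDED_CONF)):
        print(f"{label}: {lint_sssd_conf(conf) or 'no findings'}")
```

Run against the original file it reports four findings (the duplicate cache_credentials, the ssh responder, enumeration, and the static-only ad_server); the recommended file comes back clean. The duplicate scan is kept separate from configparser on purpose: in strict mode configparser would raise on the second cache_credentials, and in non-strict mode it hides it.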