[Freeipa-users] AD users cannot log in: PAM permission denied

Alexander Bokovoy abokovoy at redhat.com
Wed Mar 18 18:56:43 UTC 2015


On Wed, 18 Mar 2015, Guertin, David S. wrote:
>I've almost got AD integration going, except for the minor detail that no one can log in. When an AD user tries to SSH in to the IPA server, /var/log/secure shows:
>
>
>------------------------------------------
>
>Mar 18 13:59:08 genet sshd[21335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=tundra.middlebury.edu  user=MIDD\guertin-s
>Mar 18 13:59:09 genet sshd[21335]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=tundra.middlebury.edu user=MIDD\guertin-s
>Mar 18 13:59:10 genet sshd[21335]: pam_sss(sshd:account): Access denied for user MIDD\guertin-s: 6 (Permission denied)
>Mar 18 13:59:10 genet sshd[21335]: Failed password for MIDD\\guertin-s from 140.233.6.66 port 59707 ssh2
>Mar 18 13:59:10 genet sshd[21335]: fatal: Access denied for user MIDD\\\\guertin-s by PAM account configuration [preauth]
>
>------------------------------------------
>
>
>So pam_sss is responding with "permission denied". 
pam_sss verifies your right to access a service by seeing if there is an
HBAC rule that allows it. HBAC rules are to allow what is denied by
default.

In standard FreeIPA setup we have 'allow_all' HBAC rule which roughly
states "anyone can access any service on any host". Did you disable this
rule?

If yes, then you have to have explicit rules allowing access to
specific services.

See examples in 'ipa trust' and 'ipa hbacrule'. Without arguments any
topic level command in IPA CLI prints help, and there are examples of use
of commands from those topics.

To create HBAC rules for AD users you first need to create a grouping
for them in IPA ('ipa trust' has an explicit example of how to do that) and
then define an HBAC rule to allow that POSIX group to access the sshd
service.

HBAC services are PAM service names (i.e. /etc/pam.d/<name>).

>Everything looks normal here to me, until "[pam_dp_process_reply]
>(0x0100): received: [6]", after which the client disconnects. Can
>someone help with PAM configuration to get this to work?
>
>As described in the documentation, my ad_users group contains the group
>ad_users_external, which contains the AD group rhidm_users:
>
># ipa group-show ad_users
>  Group name: ad_users
>  Description: AD users
>  GID: 1447200005
>  Member groups: ad_users_external
>
># ipa group-show ad_users_external
>  Group name: ad_users_external
>  Description: AD users external map
>  Member of groups: ad_users
>  External member: rhidm_users at middlebury.edu?
Right, so you have the ad_users group now and need to define an HBAC rule
allowing it access to the sshd service.

-- 
/ Alexander Bokovoy
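The script below is an added example and is not part of the thread or of FreeIPA itself. It does two things the reply describes: it classifies sshd lines from /var/log/secure so that an account-phase denial (pam_sss returning 6, PAM_PERM_DENIED) is told apart from a bad password, and it wraps the ipa commands that create and test an HBAC rule for the group. The rule name allow_ad_ssh is an assumption; the group name ad_users comes from the thread; the HBAC service is sshd because that is the PAM service name (/etc/pam.d/sshd). The sample log lines are constructed to match the ones posted above.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Diagnose HBAC denials in sshd/PAM logs
# and create the HBAC rule that lets an IPA group reach the sshd PAM service.
set -eu

# Classify one sshd line from /var/log/secure.
#   hbac-denied  : pam_sss account phase returned 6 (PAM_PERM_DENIED): no HBAC rule matched
#   bad-password : pam_sss auth phase failed: a credential problem, not HBAC
#   auth-ok      : pam_sss auth phase succeeded
#   other        : anything else (pam_unix noise, sshd summary lines, ...)
classify_pam_line() {
  case "$1" in
    *"pam_sss(sshd:account): Access denied for user"*": 6 (Permission denied)"*) echo "hbac-denied" ;;
    *"pam_sss(sshd:auth): authentication failure"*) echo "bad-password" ;;
    *"pam_sss(sshd:auth): authentication success"*) echo "auth-ok" ;;
    *) echo "other" ;;
  esac
}

# Read log lines on stdin and print a single verdict:
#   hbac        : at least one account-phase denial; fix HBAC rules, not passwords
#   credentials : auth-phase failures only; the AD password or trust is the problem
#   none        : nothing from pam_sss that explains a failed login
diagnose_log() {
  denied=0
  badpw=0
  while IFS= read -r line; do
    case "$(classify_pam_line "$line")" in
      hbac-denied) denied=$((denied + 1)) ;;
      bad-password) badpw=$((badpw + 1)) ;;
    esac
  done
  if [ "$denied" -gt 0 ]; then
    echo "hbac"
  elif [ "$badpw" -gt 0 ]; then
    echo "credentials"
  else
    echo "none"
  fi
}

# Constructed sample, modelled on the lines posted in the thread: pam_unix
# fails (expected, the user is not local), pam_sss authenticates the AD
# password, then the account phase is denied because no HBAC rule matches.
constructed_sample_log() {
  cat <<'EOF'
Mar 18 13:59:08 genet sshd[21335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=tundra.middlebury.edu  user=MIDD\guertin-s
Mar 18 13:59:09 genet sshd[21335]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=tundra.middlebury.edu user=MIDD\guertin-s
Mar 18 13:59:10 genet sshd[21335]: pam_sss(sshd:account): Access denied for user MIDD\guertin-s: 6 (Permission denied)
Mar 18 13:59:10 genet sshd[21335]: Failed password for MIDD\\guertin-s from 140.233.6.66 port 59707 ssh2
EOF
}

# Create the rule the reply asks for. Rule name (allow_ad_ssh) is an assumption;
# the group (ad_users) is the IPA group that contains the external AD group.
# --hostcat=all applies it on every enrolled host; narrow it with
# 'ipa hbacrule-add-host' instead if only some hosts should accept AD logins.
create_ad_ssh_hbac() {
  rule="${1:-allow_ad_ssh}"
  group="${2:-ad_users}"
  ipa hbacrule-add "$rule" --desc="Allow AD users (via $group) to use sshd" --hostcat=all
  ipa hbacrule-add-user "$rule" --groups="$group"
  ipa hbacrule-add-service "$rule" --hbacsvcs=sshd
}

# Evaluate the rule set server-side for one AD user, host and PAM service
# before asking users to try again. user is user@AD-DOMAIN, host is the FQDN.
test_ad_ssh_hbac() {
  ipa hbactest --user="$1" --host="$2" --service=sshd
}

# Stand-alone run: show the verdict for the constructed sample.
# The ipa functions are only defined here; call them on an IPA server, e.g.
#   create_ad_ssh_hbac && test_ad_ssh_hbac guertin-s@middlebury.edu genet.middlebury.edu
constructed_sample_log | diagnose_log
```

The verdict for the constructed sample is "hbac": the auth phase succeeded, so the password and the trust are fine, and only the account phase (HBAC) rejected the login. Run ipa hbactest after adding the rule; it evaluates the same rules pam_sss will see without needing a real SSH attempt.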
