Score:0

Unable to ssh to the server using SSSD credentials

We are building a new Ubuntu server, and the server is not accepting SSH connections with SSSD user credentials.

Below is the error we see on the server, along with the status of SSSD:

sssd.service - System Security Services Daemon
     Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2021-10-12 16:01:27 EDT; 1min 12s ago
   Main PID: 3056 (sssd)
      Tasks: 6 (limit: 4617)
     Memory: 50.9M
     CGroup: /system.slice/sssd.service
             ├─3056 /usr/sbin/sssd -i --logger=files
             ├─3077 /usr/libexec/sssd/sssd_be --domain FORDDIRECT.LOCAL --uid 0 --gid 0 --logger=files
             ├─3078 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
             ├─3079 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
             ├─3080 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
             └─3081 /usr/libexec/sssd/sssd_autofs --uid 0 --gid 0 --logger=files

Oct 12 16:01:26 XXXXXXXXXXXXXXXXXXXXXXXX systemd[1]: Starting System Security Services Daemon...
Oct 12 16:01:26 XXXXXXXXXXXXXXXXXXXXXXXX sssd[3056]: Starting up
Oct 12 16:01:27 XXXXXXXXXXXXXXXXXXXXXXXX sssd_be[3077]: Starting up
Oct 12 16:01:27 XXXXXXXXXXXXXXXXXXXXXXXX sssd_pam[3079]: Starting up
Oct 12 16:01:27 XXXXXXXXXXXXXXXXXXXXXXXX sssd_autofs[3081]: Starting up
Oct 12 16:01:27 XXXXXXXXXXXXXXXXXXXXXXXX sssd_ssh[3080]: Starting up
Oct 12 16:01:27 XXXXXXXXXXXXXXXXXXXXXXXX sssd_nss[3078]: Starting up
Oct 12 16:01:27 XXXXXXXXXXXXXXXXXXXXXXXX systemd[1]: Started System Security Services Daemon.
Oct 12 16:02:34 XXXXXXXXXXXXXXXXXXXXXXXX sssd_be[3077]: Could not autodiscover AD site value using DNS and ad_site op>
Score:0

Verify that DNS is set up correctly.

I have my domain controllers listed in the /etc/hosts file to verify that each client knows where to look for them.

# example of domain controllers in /etc/hosts
1.1.1.1 domaincontroller1.ad.example.com domaincontroller1
2.2.2.2 domaincontroller2.ad.example.com domaincontroller2
3.3.3.3 domaincontroller3.ad.example.com domaincontroller3
4.4.4.4 domaincontroller4.ad.example.com domaincontroller4

Also check /etc/resolv.conf or /etc/systemd/resolved.conf (Ubuntu 20.04) for DNS nameserver configuration.

# example of entries in /etc/resolv.conf or /etc/systemd/resolved.conf
nameserver <ip address>
nameserver 8.8.8.8
search ad.your.domain

After modifying /etc/systemd/resolved.conf, you will need to run:

systemctl restart resolvconf
resolvconf -u

On Ubuntu 20.04 you can also run systemd-resolve --status to view what DNS servers are configured.

Make sure that you have /etc/sssd/sssd.conf with permissions and owner set correctly.

# Permissions
-rw------- 1 root root 1.3K Dec 21 08:42 /etc/sssd/sssd.conf

If using realm to join the domain, your sssd config file only needs to have the following in it to join. Realm will automatically build out some of the other needed requirements in the sssd.conf file.

# Basic sssd.conf configurations
[sssd]
domains = 
config_file_version = 2
services = nss, pam

# example realm join command
realm join -U AdminAcct ad.example.com --computer-name="server1" --os-name="Ubuntu" --os-version="20.04" --computer-ou="CN=Computers,DC=ad,DC=example,DC=com" --automatic-id-mapping=no

After joining the domain with the above configuration, you can modify the sssd.conf file and then just run:

systemctl restart sssd.service && sss_cache -E
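
A pre-flight check for the items this answer lists (sssd.conf mode and owner, a non-empty `domains` line, DNS discovery of the domain controllers), as an added example that is not part of the original answer. The function names are hypothetical; it assumes GNU `stat`, the `host` utility, and that domain controllers are published under the usual `_ldap._tcp.<domain>` SRV record.

```shell
#!/bin/sh
# Added example (not from the answer): pre-flight checks for an SSSD/AD client.
# Function names are hypothetical.

# Succeed only if the file has mode 600 and the expected numeric uid:gid
# (default 0:0, i.e. root:root as in the permissions listing above).
check_conf_perms() (
    file=$1; want="600 ${2:-0:0}"
    got=$(stat -c '%a %u:%g' "$file" 2>/dev/null) || { echo "missing: $file"; exit 2; }
    [ "$got" = "$want" ] && exit 0
    echo "$file: mode/owner is '$got', expected '$want'"
    exit 1
)

# Print the domains named in the [sssd] section, one per line.
# A "domains" key in any other section is ignored; an empty value prints nothing.
list_domains() {
    awk -F= '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\]/); next }
        in_sssd && $1 ~ /^[ \t]*domains[ \t]*$/ {
            n = split($2, d, ",")
            for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", d[i]); if (d[i] != "") print d[i] }
        }' "$1"
}

# Succeed if DNS returns at least one SRV record for the domain's LDAP service.
# Needs network access and the `host` utility.
check_srv() {
    host -t SRV "_ldap._tcp.$1" 2>/dev/null | grep -q 'has SRV record'
}

main() {
    conf=${1:-/etc/sssd/sssd.conf}; rc=0
    check_conf_perms "$conf" || rc=1
    doms=$(list_domains "$conf")
    [ -n "$doms" ] || { echo "no domains listed in [sssd]"; rc=1; }
    for dom in $doms; do
        if check_srv "$dom"; then echo "SRV ok: $dom"
        else echo "no SRV record for _ldap._tcp.$dom"; rc=1; fi
    done
    return $rc
}

# Checks run only when a config path is passed, e.g.: sh check.sh /etc/sssd/sssd.conf
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as root, since a correctly protected sssd.conf is readable only by root; a failed SRV lookup points at the same DNS problem as the "Could not autodiscover AD site" message in the question.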