Score:0

Some Azure Active Directory users are not able to login to Ubuntu Machines


Some AD users are not able to access an Ubuntu machine in the domain. This is the error I get in /var/log/auth.log after trying to access the server via ssh:

Jun 14 11:50:36 SR sshd[1467842]: Invalid user UserName from 192.168.40.45 port 49378
Jun 14 11:50:37 SR sshd[1467842]: Connection reset by invalid user UserName 192.168.40.45 port 49378 [preauth]
Jun 14 11:50:45 SR sshd[1467955]: Invalid user UserName from 192.168.40.45 port 49379
Jun 14 11:50:50 SR sshd[1467955]: pam_unix(sshd:auth): check pass; user unknown
Jun 14 11:50:50 SR sshd[1467955]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.40.45
Jun 14 11:50:50 SR sshd[1467955]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.40.45 user=UserName
Jun 14 11:50:50 SR sshd[1467955]: pam_sss(sshd:auth): received for user UserName: 10 (User not known to the underlying authentication module)
Jun 14 11:50:52 SR sshd[1467955]: Failed password for invalid user UserName from 192.168.40.45 port 49379 ssh2

It works for other users, but this specific user joined recently and can't access the machine. I also changed the ldap_idmap_range (min/max and size) to check whether the issue was with ID mapping, but it did not help. Even if the user tries to log in via the GUI, they get the following error: [screenshot]

I also tried to log in from another user's ssh session with `su - UserName`, but that still fails with the error `su: user UserName does not exist`. Below is the sssd config file:

[sssd]
domains = "dn"
config_file_version = 2
services = nss, pam

[domain/"dn"]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = "DN"
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = "dn"
# use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
ad_gpo_access_control = permissive

These are the contents of the log files in /var/log/sssd. /var/log/sssd/sssd_Domain-Name.log.1:

(Date) [be[mydomain.com]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Date) [be[mydomain.com]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Date) [be[mydomain.com]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Date) [be[mydomain.com]] [orderly_shutdown] (0x0010): SIGTERM: killing children

and sssd.log:

(Date) [sssd] [service_signal_done] (0x0010): Unable to signal service [2]: No such file or directory
(Date) [sssd] [service_signal_done] (0x0010): Unable to signal service [2]: No such file or directory
(Date) [sssd] [service_signal_done] (0x0010): Unable to signal service [2]: No such file or directory

and basically nothing else; the primary log files are empty. This is what I get for sssd status:

 sssd.service - System Security Services Daemon
     Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2023-06-17 06:45:14 CEST; 3 days ago
   Main PID: 3371613 (sssd)
      Tasks: 4 (limit: 77003)
     Memory: 45.5M
     CGroup: /system.slice/sssd.service
             ├─3371613 /usr/sbin/sssd -i --logger=files
             ├─3371615 /usr/libexec/sssd/sssd_be --domain mydomain.com --uid 0 --gid 0 --logger=files
             ├─3371616 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
             └─3371617 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Date MyServer sssd_be[3371615]: Backend is online
Date MyServer sssd[816515]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may>
Date MyServer sssd[816515]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may>
Date MyServer adcli[816513]: GSSAPI client step 1
Date MyServer adcli[816513]: GSSAPI client step 1
Date MyServer adcli[816513]: GSSAPI client step 1
Date MyServer sssd[816519]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may>
Date MyServer sssd[816519]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may>
Date MyServer sssd[816524]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may>
Date MyServer sssd_be[3371615]: Backend is offline
Marco:
Is there some "exotic" character in the username? Could you add the "sssd config" to the question?
YaserMow:
No there are no such characters in the username
Marco:
With `sssd` I had often some problems with the cache. Have you tried `sss_cache -E` (see `man sss_cache`)? Any messages in `/var/log/sssd` which might help finding the problem?
YaserMow:
I deleted the cache in `/var/lib/sssd/db` and then restarted the sssd service, but still the same issue
Marco:
I use sssd with ldap, therefore I could only give some basic advise. Anything in `/var/log/sssd` ?
YaserMow:
@marco I also noticed something else: if I delete the `sssd` cache in `/var/lib/sssd/db`, the users that are currently able to log in won't be able to log in either, but after restoring the cache they are able to log in again.
Marco:
I have no experience with sssd and AD. I just know from my sssd with ldap, that usually the cache is a problem. If deleting the cache locks out others, there is something wrong with the config. And connecting Linux to whatever Windows works usually only temporary, till Microsoft decides to change something without notice. That's why I duplicated my AD in openldap.
Marco:
Maybe you get something in the sssd logs if you set `debug_level = 9` in the domain config. I guess the problem has something to do with the kerberos keytab. Have you changed hostnames or is something in DNS missing? Update Keytab? Something in samba changed?
YaserMow:
I set the debug level to 9, and still was not getting anything. I will check on the hostname and keytab and see what happens
Score:0

The issue was with the sss cache. I deleted the cache with `sss_cache -E` and restarted the machine, and everything seems to be working fine. I guess even if I hadn't restarted the machine it would have started working; it needed some time for the changes to be applied.
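The following script is an added example and is not code from the question or the answer above. It serves two passages: the auth.log excerpt in the question, and the cache-flush fix in the answer. Part 1 classifies sshd/pam_sss lines of the shape quoted in the question, so an operator reading auth.log can tell "SSSD could not resolve this account on this host" (pam_sss code 10) apart from an ordinary wrong password (code 7) or a brute-force attempt against a non-existent account. Part 2 is the triage sequence the thread converged on: NSS lookup, backend status and host Kerberos identity, then the `sss_cache -E` flush. Assumed and not taken from the page: that `sssd-tools` (for `sssctl`), `adcli` and `krb5-user` are installed, and the domain name passed to `sssd_user_triage`. The fourth sample log line is constructed to show the contrasting code-7 case.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Part 1: classify sshd / pam_sss lines from /var/log/auth.log.
# Part 2: the triage sequence from the thread, as a function to run as root.
# Assumed: sssd-tools (sssctl), adcli and krb5-user are installed.

# classify_line LINE: print one class for a single auth.log line.
#   NSS_UNKNOWN  sshd could not resolve the account via NSS ("Invalid user")
#   SSS_UNKNOWN  pam_sss returned 10 = PAM_USER_UNKNOWN (the case in the thread)
#   SSS_AUTHFAIL pam_sss returned 7  = PAM_AUTH_ERR (account found, bad password)
#   OTHER        anything else (e.g. sshd's own "Failed password" summary)
classify_line() {
    case "$1" in
        *"sshd["*"]: Invalid user "*)                        echo NSS_UNKNOWN ;;
        *"pam_sss(sshd:auth): received for user "*": 10 ("*) echo SSS_UNKNOWN ;;
        *"pam_sss(sshd:auth): received for user "*": 7 ("*)  echo SSS_AUTHFAIL ;;
        *)                                                   echo OTHER ;;
    esac
}

# summarise_log: read auth.log lines on stdin, print "CLASS count" per class.
summarise_log() {
    while IFS= read -r line; do
        classify_line "$line"
    done | sort | uniq -c | awk '{ print $2, $1 }'
}

# sss_unknown_users: read auth.log lines on stdin, print each distinct user
# that SSSD reported as unknown (code 10).  A user who does exist in AD but
# shows up here is a host-side resolution problem, not a guessing attack.
sss_unknown_users() {
    sed -n 's/.*pam_sss(sshd:auth): received for user \(.*\): 10 (.*/\1/p' | sort -u
}

# Constructed sample: the first three lines are copied from the question,
# the fourth is made up to show the code-7 (wrong password) case.
SAMPLE_AUTH_LOG='Jun 14 11:50:36 SR sshd[1467842]: Invalid user UserName from 192.168.40.45 port 49378
Jun 14 11:50:50 SR sshd[1467955]: pam_sss(sshd:auth): received for user UserName: 10 (User not known to the underlying authentication module)
Jun 14 11:50:52 SR sshd[1467955]: Failed password for invalid user UserName from 192.168.40.45 port 49379 ssh2
Jun 14 12:01:03 SR sshd[1470001]: pam_sss(sshd:auth): received for user alice: 7 (Authentication failure)'

# sssd_user_triage USER DOMAIN: run as root on the affected host.
# Steps 1-3 only read state.  Step 4 is the fix reported in the answer; it
# also discards cached credentials, so run it while the backend is online.
sssd_user_triage() {
    user="$1"; domain="$2"
    echo "## 1. NSS lookup (this is what sshd and su consult)"
    getent passwd "$user" || echo "   not resolvable: sshd will log 'Invalid user'"
    echo "## 2. Backend state and the host's Kerberos identity"
    sssctl domain-status "$domain"
    klist -kt /etc/krb5.keytab
    adcli testjoin --domain="$domain"
    echo "## 3. SSSD's own explanation of the lookup for this user"
    sssctl user-checks "$user"
    echo "## 4. Expire every cached entry, restart, and look the user up again"
    sss_cache -E
    systemctl restart sssd
    getent passwd "$user"
}

# Stand-alone run: summarise the sample and list the users SSSD did not know.
printf '%s\n' "$SAMPLE_AUTH_LOG" | summarise_log
printf '%s\n' "$SAMPLE_AUTH_LOG" | sss_unknown_users
```

Two points worth keeping in mind when using this. First, `sss_cache -E` only marks cached entries as expired, whereas deleting `/var/lib/sssd/db` also throws away the credentials that `cache_credentials = True` stored; with the status output above showing the backend flipping between "Backend is online" and "Backend is offline", that explains why removing the database directory locked out users who could previously log in. Second, the `tkey query failed: GSSAPI error` lines come from SSSD's dynamic DNS update (nsupdate with GSS-TSIG), not from user lookups, but they are a sign that the host's Kerberos credentials are not being accepted, which is why step 2 checks the keytab and the join before anything is flushed.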
