3

I've setup my samba4 DC to get account information from a central AD provider via sssd. What I'd like to do now is permit some subset of these users to login via ssh (to linux machines) or via RDP (to windows machines).

I can get passwd information from the AD provider using getent passwd <name>. Unfortunately this is coming in with params that don't seem to work locally:

johndoe:*:53122:513:John Doe:\\nafs2\u204\johndoe:212578

The errors in /var/log/secure appear as follows:

Jul 16 03:42:46 beanbag sshd[3303]: User johndoe not allowed because shell 212578 does not exist Jul 16 03:42:46 beanbag sshd[3304]: input_userauth_request: invalid user johndoe Jul 16 03:42:50 beanbag sshd[3303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server.edu user=johndoe Jul 16 03:42:51 beanbag sshd[3303]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server.edu user=johndoe Jul 16 03:42:51 beanbag sshd[3303]: pam_sss(sshd:auth): received for user johndoe: 6 (Permission denied) Jul 16 03:42:53 beanbag sshd[3303]: Failed password for invalid user johndoe from 10.95.20.20 port 1714 ssh2

What step(s) have I missed in getting sssd (and it's kin) setup?

CentOS 6.4 (x64)

NOTE: I have run authconfig --enablesssd --enablesssdauth --update.

EDIT: Fixed the first part of this problem - 'shell does not exist'.

FIX: in /etc/sssd/sssd.conf add these lines to the [nss] section:

allowed_shells = /bin/bash shell_fallback = /bin/bash

Now it attempts to create the (invalid) home directory \\nafs2\u204\johndoe and then returns a 'This account is currently not available.' error.

EDIT: If you use the entry override_shell = /bin/bash (or whatever) in your domain listing it will fix the above problem.

Improve this question

3 Answers 3

Reset to default
2

If I have understood the question correctly, then you must specify the user's shell.

In Active Directory Users and Computers, right-click the user account, select Properties, click the Unix Attributes tab, and specify a Login Shell like /bin/bash.

The Unix Attributes tab becomes available after installing Identity Management for UNIX Components role service, which is accomplished via Server Manager. It provides an extended schema with a partially RFC 2307-compliant set of UNIX attributes, like UID, GID, login shell, etc.

You also seem to have some sort of issue with the sssd configuration, as though the user is not in the right group to log in. I might try the sssd user mailing list for in-depth expert assistance. They are a very knowledgeable and friendly group.

Improve this answer
1
  • Unf I don't have access to settings on the AD provider. What is provided is what I have to work with (around). Commented Jul 16, 2014 at 11:55
1

This could appear due to a timeout in krb5 auth. It can be corrected adding the following line in sssd.conf :

krb5_auth_timeout = 60

Where 60 is the time needed.

Improve this answer
0

Unfortunately it sounds like you will need to have a change in AD.

In the Unix section of the account in AD is a "Login Shell" option, this will need to be set to /bin/bash or whatever shell. It may also be necessary to put a tick in the Unix Enabled box.

Just solved this where only one user was having this problem.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.