RHEL7 and sssd: getent works but users cannot authenticate with passwords

In my situation, we used realm to install and configure sssd. Getent shows the domain users, and the groups are in /etc/ssh/sshd_config and /etc/sssd/sssd.conf. So why can my users not authenticate to the server?!

I get this error:

May 01 13:53:43 lhostname sshd[22167]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=l982487.prod1.example.com user=bgstack15
May 01 13:53:44 lhostname sshd[22167]: Failed password for bgstack15 from 10.155.16.240 port 34340 ssh2

What eventually solved the problem was fixing /etc/pam.d/system-auth-ac and also /etc/pam.d/password-auth-ac. Either file by itself did not seem to help. It looks like authconfig may have messed up or was not used or something. I don’t bother using it myself because I just modify pam myself. Yes, this makes me a terrible admin.

/etc/pam.d/system-auth-ac

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent deny=4 unlock_time=1200
auth        sufficient    pam_fprintd.so
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_faillock.so authfail deny=4 unlock_time=1200
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so minlen=16 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

/etc/pam.d/password-auth-ac

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent deny=4 unlock_time=1200
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so minlen=16 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok

auth        required      pam_faillock.so authfail deny=4 unlock_time=1200

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Advertisements

Python get Linux-compatible password hash

This snippet gets you a sha-512 ($6) password hash suitable for putting in /etc/shadow.

# Reference: https://www.shellhacks.com/linux-generate-password-hash/
# python 2
import crypt, getpass, sys;
if len(sys.argv) >= 2: 
 thisraw=str(sys.argv[1]);
else:
 thisraw=getpass.getpass(prompt='New password: ')
 #sys.exit(1)
print(crypt.crypt(thisraw,crypt.mksalt(crypt.METHOD_SHA512)))

Ansible playbook that changes root password

I wrote a playbook that updates the root password on EL6 and EL7 hosts.

Because I was not able to get the user: name=root password={{password}} directive working, I had to be creative.

Coincidentally, I learned that pasting in a gist.github.com link into the WordPress.com editor automatically shows the contents of the gist. That is nifty! See below. For the link: https://gist.github.com/bgstack15/d565880badb92599536b751a15dc7189

Ssh use password this time

Problem

If you normally use passwordless authentication for your ssh sessions, you know how helpful it is. It saves you from having to type your password in all the time. You might have ssh keys set up (ssh-keygen) or kerberos.

In either case, you found this post because you want to use ssh with a password this time. You need to force ssh to use the password, just this once, without having to make all sorts of complicated requirements.

Solution

In either case, you found this post because you want to use ssh with a password this time. You need to force the password. Here’s how to do that:

function sshp { ssh -o PreferredAuthentications=password,keyboard-interactive -o PubkeyAuthentication=no -o GSSAPIAuthentication=no "$@"; }

The above snippet comes from my latest and greatest bgscripts.bashrc in my bgscripts package.

What the function does is execute ssh with a few extra options, that are very straightforward. It specifically lists the preferred methods for authentication, while disabling public key (which is what most people use) and kerberos auth (GSSAPI).

References

Weblinks