Utenti di Active Directory non in grado di accedere tramite SSH utilizzando SSSD e ottenendo "Autorizzazione negata, riprovare" [CentOS/RHEL]
Il problema
1. L'integrazione di un nodo Linux con Active Directory per l'autenticazione non riesce con l'errore "Autorizzazione negata, riprovare" durante la connessione tramite ssh:
# ssh [hostname] -l [username]@[DOMAINNAME].com The authenticity of host '[hostname] ([IP ADDRESS])' can't be established. RSA key fingerprint is 4f:3b:ba:b2:b7:6e:d0:b7:dd:a6:4b:32:ac:e3:58:63. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[hostname],[IP ADDRESS]' (RSA) to the list of known hosts. [username]@.com@[hostname]'s password: Permission denied, please try again. [username]@ .com@[hostname]'s password:
2. Verificato che nome utente e password siano corretti:
$ su - [username] # su - [username]@[DOMAINNAME].com
3. Gli errori di autenticazione possono essere osservati in /var/log/secure storia:
Apr 3 23:20:24 [hostname] sshd[323944]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ittwhxh1n62.na.admworld.com user=[username] Apr 3 23:20:24 [hostname] sshd[323944]: pam_tally2(sshd:auth): user [username] (1494516080) tally 11, deny 5 <<<<<<<<<<<<< Apr 3 23:20:26 [hostname] sshd[323944]: Failed password for [username] from [IP ADDRESS] port 51803 ssh2 Apr 3 23:20:34 [hostname] sshd[323944]: pam_tally2(sshd:auth): user [username] (1494516080) tally 12, deny 5 <<<<<<<<<<<<< Apr 3 23:20:37 [hostname] sshd[323944]: Failed password for [username] from [IP ADDRESS] port 51803 ssh2 Apr 3 23:20:40 [hostname] sshd[323944]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ittwhxh1n62.na.admworld.com user=[username] Apr 3 23:24:37 [hostname] sshd[338364]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ittwhxh1n62.na.admworld.com user=[username] Apr 3 23:24:37 [hostname] sshd[338364]: pam_tally2(sshd:auth): user [username] (1494516080) tally 13, deny 5 <<<<<<<<<<<<< Apr 3 23:24:39 [hostname] sshd[338364]: Failed password for [username] from [IP ADDRESS] port 51893 ssh2
Causa principale
Problema con uno o più file di configurazione:system-auth-ac e password-auth-ac , il modulo sssd è stato commentato nel file di configurazione di seguito:
$ grep sss /etc/pam.d/system-auth-ac # auth sufficient pam_sss.so use_first_pass # account [default=bad success=ok user_unknown=ignore] pam_sss.so # password sufficient pam_sss.so use_authtok # session optional pam_sss.so
$ grep sss /etc/pam.d/password-auth-ac # auth sufficient pam_sss.so use_first_pass # account [default=bad success=ok user_unknown=ignore] pam_sss.so # password sufficient pam_sss.so use_authtok # session optional pam_sss.so
Il modulo pam_tally2 è in conflitto con i moduli sssd:
$ cat etc/pam.d/sshd #%PAM-1.0 auth required pam_sepermit.so auth include password-auth ##auth required pam_tally2.so deny=5 onerr=fail serialize >>>> #auth required pam_tally2.so deny=5 onerr=fail lock_time=600 serialize # EXADATA ACCESS CONTROL via /etc/exadata/security/exadata-access.conf account required pam_nologin.so account include password-auth account required pam_tally2.so password include password-auth pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth session required pam_limits.so
# cat /etc/pam.d/login auth required pam_tally2.so deny=5 onerr=fail serialize
# cat/etc/pam.d/login account required pam_tally2.so
La soluzione
Nota :Fare attenzione a rimuovere tutti i file di backup nella directory /pam.d/.1. Commenta pam_tally2 righe in tutti i file di autenticazione sotto /etc/pam.d/* directory.
2. Commenta la riga menzionata nelle sezioni delle cause, [Abilita moduli sssd] come di seguito.
$ grep sss /etc/pam.d/system-auth-ac auth sufficient pam_sss.so use_first_pass account [default=bad success=ok user_unknown=ignore] pam_sss.so password sufficient pam_sss.so use_authtok session optional pam_sss.so
$ grep sss /etc/pam.d/password-auth-ac auth sufficient pam_sss.so use_first_pass account [default=bad success=ok user_unknown=ignore] pam_sss.so password sufficient pam_sss.so use_authtok session optional pam_sss.so