On 01/12/2017 08:49 AM, jake.ridd...@gmail.com wrote:
> The target host logs this in /var/log/secure:
>
> Jan 12 11:20:41 jr-centos sshd[2892]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=[REDACTED] user=bob
>
> Jan 12 11:20:41 jr-centos sshd[2892]: pam_sss(sshd:account): Access denied for user bob: 6 (Permission denied)
>
> Jan 12 11:20:41 jr-centos sshd[2892]: Failed password for bob from 192.168.56.98 port 45070 ssh2
>
> Jan 12 11:20:41 jr-centos sshd[2892]: fatal: Access denied for user bob by PAM account configuration [preauth]
...
> To be clear, the configuration is working fine, I don’t expect bob to get
> access to the jr-centos server and I can get user “bob” to log in if I add
> him to the relevant AD group. However, the abrupt SSH disconnection is not
> very user friendly and something like “Access denied due to policy” or
> whatever would be more useful. Is the lack of useful (any) message due to
> something in my environment, or does this require a feature
> request/improvement?

The line "pam_sss(sshd:account): Access denied for user bob: 6 (Permission denied)" literally means "access denied due to policy". That's what (sshd:account) is. It's the access-control check. You see just above that where (sshd:auth) reported authentication success. So the user is authenticated and the next failure is access-control. SSSD doesn't control these log messages; they come from SSH/PAM.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
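
Added example, not part of the original thread and not SSSD or OpenSSH code: a small triage script that correlates the pam_sss (sshd:auth) and (sshd:account) lines per sshd PID, so a policy denial after valid credentials can be told apart from a bad password. The log sample is constructed (modelled on the lines quoted above, with a documentation IP and a made-up second user), and the function name and verdict labels are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the /var/log/secure lines quoted in the thread.
SAMPLE_LOG = """\
Jan 12 11:20:41 jr-centos sshd[2892]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=bob
Jan 12 11:20:41 jr-centos sshd[2892]: pam_sss(sshd:account): Access denied for user bob: 6 (Permission denied)
Jan 12 11:20:41 jr-centos sshd[2892]: Failed password for bob from 192.0.2.10 port 45070 ssh2
Jan 12 11:20:41 jr-centos sshd[2892]: fatal: Access denied for user bob by PAM account configuration [preauth]
Jan 12 11:22:03 jr-centos sshd[2950]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice
Jan 12 11:22:05 jr-centos sshd[2950]: Failed password for alice from 192.0.2.10 port 45102 ssh2
"""

SSHD = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# \buser= skips "ruser=" and picks up the trailing "user=<name>" field.
AUTH = re.compile(
    r"pam_sss\(sshd:auth\): authentication (?P<result>success|failure);.*\buser=(?P<user>\S+)")
ACCOUNT_DENY = re.compile(
    r"pam_sss\(sshd:account\): Access denied for user (?P<user>[^:\s]+): \d+ \(")


def classify(log_text):
    """Return {(pid, user): verdict} by correlating PAM phases per sshd process."""
    phases = defaultdict(dict)
    for line in log_text.splitlines():
        m = SSHD.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (a := AUTH.search(msg)):
            phases[(pid, a["user"])]["auth"] = a["result"]
        elif (d := ACCOUNT_DENY.search(msg)):
            phases[(pid, d["user"])]["account"] = "denied"

    verdicts = {}
    for key, seen in phases.items():
        if seen.get("account") == "denied":
            # Account phase is the access-control check, not the password check.
            verdicts[key] = "policy_denied"
        elif seen.get("auth") == "failure":
            verdicts[key] = "bad_credentials"
        else:
            verdicts[key] = "no_denial_seen"
    return verdicts


if __name__ == "__main__":
    for (pid, user), verdict in classify(SAMPLE_LOG).items():
        print(f"sshd[{pid}] user={user}: {verdict}")
```

Note that sshd's own "Failed password" line appears in both cases, so only the pam_sss phase lines distinguish them.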