> On 22 Jul 2018, at 22:47, Farshid Mahdavipour <farch...@gmail.com> wrote:
>
> Hi,
>
> I have configured sssd.service to authenticate to AD on RHEL 7.5 and I have
> successfully joined the RHEL machine to AD.
> But I cannot log in to the machine with the AD account.
>
> Here is the error when I try to log in with the AD credential:
> mahdavif@172.17.248.71's password:
> Last login: Sun Jul 22 18:59:23 2018 from 172.17.253.11
> This account is currently not available.

I honestly don’t know without logs, see e.g. https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

> Connection to 172.17.248.71 closed.
>
> here is the sssd.conf:
> # cat /etc/sssd/sssd.conf
> ad_server = srv_addcp001, srv_addcp002
> [sssd]
> domains = corp.example.com
> config_file_version = 2
> services = nss, pam
> [domain/corp.example.com]
> ad_domain = corp.example.com
> krb5_realm = CORP.example.com
> krb5_auth_timeout = 60
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> override_shell = /bin/bash
> ldap_id_mapping = False
> use_fully_qualified_names = False
> fallback_homedir = /home/%u@%d
> access_provider = ad
> ad_server = srv_addcp001, srv_addcp002
>
> here is the output of the realm list:
> # realm list
> corp.example.com
>   type: kerberos
>   realm-name: CORP.example.com
>   domain-name: corp.example.com
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: sssd
>   required-package: oddjob
>   required-package: oddjob-mkhomedir
>   required-package: sssd
>   required-package: adcli
>   required-package: samba-common-tools
>   login-formats: %U
>   login-policy: allow-realm-logins
>
> This is the /var/log/secure when trying to login :
> Jul 22 17:13:05 azrlvm003 sshd[7202]: pam_sss(sshd:auth): authentication
> success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.17.253.11
> user=mahdavif
> Jul 22 17:13:05 azrlvm003 sshd[7202]: Accepted password for mahdavif from
> 172.17.253.11 port 41628 ssh2
> Jul 22 17:13:06 azrlvm003 sshd[7202]: pam_unix(sshd:session): session opened
> for user mahdavif by (uid=0)
> Jul 22 17:13:06 azrlvm003 sshd[7209]: Received disconnect from 172.17.253.11
> port 41628:11: disconnected by user
> Jul 22 17:13:06 azrlvm003 sshd[7209]: Disconnected from 172.17.253.11 port
> 41628
> Jul 22 17:13:06 azrlvm003 sshd[7202]: pam_unix(sshd:session): session closed
> for user mahdavif

And here pam_sss is not even called, but the user seems to be found by pam_unix. This might indicate that the user is also present in the passwd/group files which is not recommended.

>
> sssd --version
> 1.16.0
>
> I really appreciate if you can help me.
> Thanks
> Farshid
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/DFHOAB3FDTP5YTUZAZPUUNHOUN3YNVCM/
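
The reply's point about the user possibly also being present in the local passwd/group files can be checked directly. The following is an added example, not part of the original thread: the function names, result labels and sample accounts are hypothetical, and it assumes `files` is consulted before `sss` in /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a login name is
# answered by a local passwd file or by SSSD, and whether the shell
# it receives refuses interactive logins.

# local_entry FILE USER: print USER's line from a passwd-format FILE;
# exit status 1 when there is no such entry.
local_entry() {
    awk -F: -v u="$2" '$1 == u { print; found = 1; exit }
                       END { exit !found }' "$1"
}

# shell_of LINE: print the 7th (login shell) field of a passwd line.
shell_of() { printf '%s\n' "$1" | cut -d: -f7; }

# is_nologin SHELL: true for shells that refuse interactive logins.
is_nologin() {
    case "$1" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# diagnose FILE USER [SSS_LINE]: classify where USER resolves from.
# Assumption: a local entry wins because "files" precedes "sss".
diagnose() {
    d_sss=${3-}
    if d_line=$(local_entry "$1" "$2"); then
        if is_nologin "$(shell_of "$d_line")"; then echo local-nologin
        else echo local-shadow; fi
    elif [ -n "$d_sss" ]; then
        if is_nologin "$(shell_of "$d_sss")"; then echo sss-nologin
        else echo sss-ok; fi
    else
        echo not-found
    fi
}

# Constructed sample data (hypothetical accounts, not from the poster's host).
sample=$(mktemp)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'aduser1:x:1001:1001::/home/aduser1:/sbin/nologin' > "$sample"
diagnose "$sample" aduser1
rm -f "$sample"

# On a live host the same check would be:
#   diagnose /etc/passwd "$user" "$(getent -s sss passwd "$user")"
```

A `local-*` result means the name is answered from the local file rather than from SSSD; a `*-nologin` result means the resolved shell rejects interactive sessions.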