
Authentication to Linux using Windows AD

Last Modified: 2020-10-28

I want to set up our Oracle Linux v7 server to authenticate users using our Windows AD.

Only certain users will be allowed to log into the server (i.e. operators for server boots and DBAs).

I followed the instructions in MyOracleSupport "Oracle Linux: How to Join Oracle Linux server to Windows Active Directory (AD) Domain (Doc ID 2653397.1)"

As a result, I can see our domain and, while logged in as root, can "SU" to my own AD user name.  

But I can't log into the server from the login prompt using the same AD user name. I get "Access Denied".

I don't know much about Windows AD except to create users and assign them to the appropriate groups.  
For Linux, my knowledge is OK.

How do I fix it so only certain persons can log into the Linux server directly with their AD account?

What steps am I missing in the authentication process?

Peter Hutchison, Senior Network Systems Specialist
CERTIFIED EXPERT

Commented:
You can configure SSH to allow or deny individuals or groups of users. E.g. DenyUsers MiscUsers.
https://ostechnix.com/allow-deny-ssh-access-particular-user-group-linux/ 
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Check the ssh log to see the reason for the denial.
When you enter the AD username, is the AD domain included in the username entry?
Does your AD entry include a uid:gid? Is your system set up to create the user homedir if it is missing?
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Hi Arnold,
For sure the configuration is set up to create the user homedir.  

Where can I find the ssh log?  I tried signing in using my own domain account and see the following errors in the /var/log/messages file:

Sep 25 13:52:44 servername [sssd[krb5_child[21721]]]: Cannot find key for restrictedkrbhost/servername.mydomain@mydomain kvno 2 in keytab
Sep 25 13:52:44 servername [sssd[krb5_child[21721]]]: Cannot find key for restrictedkrbhost/servername.mydomain@mydomain kvno 2 in keytab
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Mr. Hutchison,
I added my domain user account (I'll call it "mylogin") to the /etc/ssh/sshd_config file (I just put "AllowUsers mylogin" at the bottom of the file). Restarted the sshd service. Tried to log in and got the denied message.

When checking the status of the sshd service, it's running but I'm seeing the following messages:

Sep 25 13:58:37 myserver.mydomain sshd[22811]: User mylogin@covdnssrv.co.volusia.fl.us from workstation.covdnssrv.co.volusia.fl.us not allowed because not listed in AllowUsers
Sep 25 13:58:37 myserver.mydomain sshd[22811]: input_userauth_request: invalid user mylogin [preauth]
Sep 25 13:58:40 myserver.mydomain sshd[22811]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=workstation.covdnssrv.co.volusia.fl.us user=mylogin
Sep 25 13:58:40 myserver.mydomain sshd[22811]: pam_sss(sshd:auth): received for user mylogin: 17 (Failure setting user credentials)
Sep 25 13:58:43 myserver.mydomain sshd[22811]: Failed password for invalid user mylogin from 10.10.10.10 port 64395 ssh2
Sep 25 13:58:47 myserver.mydomain sshd[22811]: Connection closed by 10.10.10.10 port 64395 [preauth]
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Here is what my /etc/sssd/sssd.conf looks like:

[sssd]
default_domain_suffix = mydomain
domains = mydomain
config_file_version = 2
services = nss, pam, ssh

[domain/mydomain]
ad_domain = mydomain
krb5_realm = mydomain
realmd_tags = manages-system joined-with-adcli joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
override_homedir = /home/%u
access_provider = ad
enumeration = True
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Here's the output from the "realm list" command:

mydomain
  type: kerberos
  realm-name: mydomain
  domain-name: mydomain
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@mydomain
  login-policy: allow-realm-logins


Julie Kurpa, Sr. Systems Programmer

Author

Commented:
systemctl status sssd.service -l

● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-09-25 14:43:02 EDT; 9min ago
 Main PID: 26929 (sssd)
   CGroup: /system.slice/sssd.service
           ├─26929 /usr/sbin/sssd -i --logger=files
           ├─26930 /usr/libexec/sssd/sssd_be --domain mydomain --uid 0 --gid 0 --logger=files
           ├─26933 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           ├─26934 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
           └─26935 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files

Sep 25 14:43:02 myserver.mydomain sssd_be[26930]: GSSAPI client step 1
Sep 25 14:43:02 myserver.mydomain sssd_be[26930]: GSSAPI client step 2
Sep 25 14:43:03 myserver.mydomain sssd_be[26930]: GSSAPI client step 1
Sep 25 14:43:03 myserver.mydomain sssd_be[26930]: GSSAPI client step 1
Sep 25 14:43:03 myserver.mydomain sssd_be[26930]: GSSAPI client step 1
Sep 25 14:43:03 myserver.mydomain sssd_be[26930]: GSSAPI client step 2
Sep 25 14:43:03 myserver.mydomain sssd[26929]: ; TSIG error with server: tsig verify failure
Sep 25 14:43:03 myserver.mydomain sssd[26929]: update failed: REFUSED
Sep 25 14:43:03 myserver.mydomain sssd[26929]: ; TSIG error with server: tsig verify failure
Sep 25 14:43:03 myserver.mydomain sssd[26929]: update failed: REFUSED
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
When you are logging in, are you using username@addomainname?

If your AD domain is mydomain, is your login username username@mydomain?

Look within /etc/ssh/sshd_config and see if you can disable GSSAPI and whether that makes a difference.
Try to see if it authenticates through local system calls.

Look up the "TSIG error with server: tsig verify failure", as there are different fixes depending on which issue is impacting your situation.
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
login as: mylogin@mydomain
mylogin@mydomain@myserver's password:
Access denied
mylogin@mydomain@myserver's password:


In /var/log/messages file, I see the following lines:

Sep 25 15:08:26 myserver [sssd[krb5_child[29921]]]: Preauthentication failed
Sep 25 15:08:26 myserver [sssd[krb5_child[29921]]]: Preauthentication failed
Sep 25 15:08:26 myserver [sssd[krb5_child[29921]]]: Preauthentication failed



Julie Kurpa, Sr. Systems Programmer

Author

Commented:
In /etc/ssh/sshd_config, I changed line:

GSSAPIAuthentication yes

to:
GSSAPIAuthentication no

restarted sshd and retried to login using my domain account and got same error.  /var/log/messages shows same Preauthentication failed message. 
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
when I type "id mylogin@mydomain", it returns the AD information such as uid, and all gid groups I belong to. 
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
"id mylogin" (without domain) works fine too.
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
systemctl status sshd shows the following when I try to login:

Sep 25 16:58:25 myserver.mydomain sshd[8920]: User mylogin@mydomain from myworkstation.mydomain not allowed because not listed in AllowUsers
Sep 25 16:58:25 myserver.mydomain sshd[8920]: input_userauth_request: invalid user mylogin@mydomain [preauth]
Sep 25 16:58:29 myserver.mydomain sshd[8920]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myworkstation.mydomain user=mylogin@mydomain
Sep 25 16:58:29 myserver.mydomain sshd[8920]: pam_sss(sshd:auth): received for user mylogin@mydomain: 17 (Failure setting user credentials)
Sep 25 16:58:31 myserver.mydomain sshd[8920]: Failed password for invalid user mylogin@mydomain from 10.10.10.10 port 49421 ssh2

the /etc/ssh/sshd_config contains on the last line:
AllowUsers mylogin@mydomain
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
If your domain is included by default as a realm search, try using mylogin only.
Please make sure you do not have both.
Check for mylogin in /etc/passwd.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Does your sshd_config restrict which users can access, or which group? The issue is that your group selection, unless it references a domain group, will not include a domain account.
Try AllowUsers mylogin, with and without.
Restart ssh.
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Well now I'm having a new problem.  Can't even log in as root now.  Access denied.  I must have broken something. 
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Was able to log into the gui console (was using Putty).  Removed "AllowUsers mylogin" from /etc/ssh/sshd_config, restarted sshd and can use Putty again.  

That's about all the fun my nerves can take today.  Weekend.  Will resume on Monday.  I hope you are available to lend me a hand on Monday.  Thank you. 
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
As you noted, AllowUsers restricts who can log in on the basis of entries on the line.
I usually disable root login: AllowRootLogin no.
I use another account that has sudo rights.
I think your requirement that only specific users can access requires the use of AllowUsers, where you list each user so authorized.
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Perhaps we could take a few steps backward and identify what steps should be taken to allow an AD user account to log into my Linux server.  The flavor of this Linux is Oracle Linux.  At this time, I want root user to be able to log in.  

I followed the steps outlined in an Oracle document (Doc ID 2653397.1) and was able to get Linux to see the AD servers.  I can post the steps I took if you want.  As "root", I can "su - {ad user account}" just fine.   But I cannot directly log in as that AD user.  

What can I provide to help you see how I am currently set up and how I can get the desired AD accounts working? I need specific instructions as I am not proficient at Linux.

Thank you for your help. 
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Try again while you have an active session.
Edit sshd_config:
AllowGroups root other adgroupofaccess
AllowUsers root username username@addomain
Save.
ps -ef | grep sshd
Kill the process whose parent id is 1; this is so you maintain your session.
Then try to log in with your AD username.
Then you can have a test user who is a member of adgroupofaccess and see if this account can log in.

See if https://www.geekpills.com/operating-system/linux/limit-users-and-group-through-allowgroups-and-allowusers
is helpful.
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Thanks Arnold.  :)

For the line "AllowGroups root other adgroupofaccess", what does "other" mean?  And am I to assume "adgroupofaccess" means an AD group that contains the users I want to have access?  If so, what if the group name has a space in it?
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
I went ahead and added my account as an AllowUser:

AllowGroup root other admin?group   <-- I put question mark for space
AllowUser root mylogin mylogin@mydomain

killed the process with parent of 1.
Could not get an ssh session.  Started the sshd service.  Got an ssh session but still got Access Denied for my AD account.

/var/log/messages shows:
Sep 29 12:58:28 myserver [sssd[krb5_child[3011]]]: Preauthentication failed


CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
On different systems root is not a group, but the root user is a member of another group.

Sorry, I should have included the step to start ssh.
The kill directive for the sshd process was to allow you to keep the existing session; if you restart the sssd service, it usually kills all sessions before starting back.

The manual termination allows the retention of existing connections while the new process starts with the new settings.


If you have a space in the group name, try enclosing it in single quotes.

The error you are getting is a Kerberos error: failure to establish a secure connection to perform the query to see whether the password provided is valid.
You did not note whether the new changes retain your ssh logins using non-domain credentials, to make sure you retain access post change.
Once functionality is confirmed, the attempt would be to re-enable GSSAPI.
Or the issue with the Kerberos auth is, in a way, because of the termination and start of sshd for this test: a helper, if any, was not terminated by the kill of the sshd parent and thus the tie-in on start did not occur.

The other possibility: before auth, sshd runs into issues validating the AllowGroups/AllowUsers entries.
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
I'm sorry I don't understand what I should do.  

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Try restarting sssd as this is where the issue is in the current denial.
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Sorry it took so long to update.  Had my hands full yesterday.  

I added the two lines AllowGroups and AllowUsers to the /etc/sssd/sssd.conf file and am not able to restart the sssd service.  Here's the contents of the sssd.conf file:

[sssd]
default_domain_suffix = mydomain.com
domains = mydomain.com
config_file_version = 2
services = nss, pam, ssh

[domain/mydomain.com]
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-adcli joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
override_homedir = /home/%u
AllowGroups root other admin?group
AllowUsers root mylogin mylogin@mydomain.com

The error I am getting is:

● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2020-10-01 09:11:42 EDT; 8s ago
  Process: 25139 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=4)
 Main PID: 25139 (code=exited, status=4)

Oct 01 09:11:42 myserver.mydomain.com systemd[1]: Starting System Security Services Daemon...
Oct 01 09:11:42 myserver.mydomain.com  sssd[25139]: SSSD couldn't load the configuration database [5]: Input/output error.
Oct 01 09:11:42 myserver.mydomain.com  systemd[1]: sssd.service: main process exited, code=exited, status=4/NOPERMISSION
Oct 01 09:11:42 myserver.mydomain.com  systemd[1]: Failed to start System Security Services Daemon.
Oct 01 09:11:42 myserver.mydomain.com  systemd[1]: Unit sssd.service entered failed state.
Oct 01 09:11:42 myserver.mydomain.com  systemd[1]: sssd.service failed.



Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Here's all the steps I did to get this to work before opening this question by following an Oracle document for getting AD authentication to work with Oracle Linux v7.  What else am I missing?


1.  yum install adcli sssd authconfig realmd krb5-workstation

2.  adcli info mydomain.com

[domain]
domain-name = mydomain.com
domain-short = MYDOMAIN
domain-forest = mydomain.com
domain-controller = myDC2.mydomain.com
domain-controller-site = Default-First-Site-Name
domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
domain-controller-usable = yes
domain-controllers = myDC7.mydomain.com myDC2.mydomain.com
[computer]
computer-site = Default-First-Site-Name


3. adcli join -V mydomain.com

 * Using domain name: mydomain.com
 * Calculated computer account name from fqdn: MYSERVER
 * Calculated domain realm from name: MYDOMAIN.COM
 * Discovering domain controllers: _ldap._tcp.mydomain.com
 * Sending NetLogon ping to domain controller: mydc7.mydomain.com
 * Received NetLogon info from: MYDC.mydomain.com
 * Discovering site domain controllers: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.com
 * Sending NetLogon ping to domain controller: mydc2.mydomain.com
 * Received NetLogon info from: MYDC2.mydomain.com
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-80g2I4/krb5.d/adcli-krb5-conf-8swgAe
 ! Couldn't authenticate as machine account: MYSERVER: Preauthentication failed
Password for Administrator@MYDOMAIN.COM:
 * Authenticated as user: Administrator@MYDOMAIN.COM
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: MYDOMAIN
 * Looked up domain SID: S-1-5-21-1960408961-839522115-1801674531
 * Using fully qualified name: myserver.mydomain.com
 * Using domain name: mydomain.com
 * Using computer account name: MYSERVER
 * Using domain realm: mydomain.com
 * Calculated computer account name from fqdn: MYSERVER
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for MYSERVER$ at: CN=MYSERVER,OU=2016 Servers,OU=MYOU Servers,OU=Domain Member Servers,DC=mydomain,DC=com
 * Sending NetLogon ping to domain controller: mydc2.mydomain.com
 * Received NetLogon info from: MYDC2.mydomain.com
 * Set computer password
 * Retrieved kvno '1' for computer account in directory: CN=MYSERVER,OU=2016 Servers,OU=MYOU Servers,OU=Domain Member Servers,DC=mydomain,DC=com
 * Encryption type [1] not permitted.
 * Encryption type [3] not permitted.
 * Checking RestrictedKrbHost/MYSERVER
 *    Added RestrictedKrbHost/MYSERVER
 * Checking HOST/MYSERVER
 *    Added HOST/MYSERVER
 * Checking RestrictedKrbHost/MYSERVER.mydomain.com
 *    Added RestrictedKrbHost/MYSERVER.mydomain.com
 * Checking HOST/MYSERVER.mydomain.com
 *    Added HOST/MYSERVER.mydomain.com
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Encryption type [1] not permitted.
 * Encryption type [3] not permitted.
 * Discovered which keytab salt to use
 * Added the entries to the keytab: MYSERVER$@MYDOMAIN.COM: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Encryption type [1] not permitted.
 * Encryption type [3] not permitted.
 * Added the entries to the keytab: host/MYSERVER@MYDOMAIN.COM: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Encryption type [1] not permitted.
 * Encryption type [3] not permitted.
 * Added the entries to the keytab: host/myserver.mydomain.com@MYDOMAIN.COM: FILE:/etc/krb5.keytab
 * Encryption type [1] not permitted.
 * Encryption type [3] not permitted.
 * Added the entries to the keytab: RestrictedKrbHost/MYSERVER@MYDOMAIN.COM: FILE:/etc/krb5.keytab
 * Encryption type [1] not permitted.
 * Encryption type [3] not permitted.
 * Added the entries to the keytab: RestrictedKrbHost/myserver.mydomain.com@MYDOMAIN.COM: FILE:/etc/krb5.keytab

4. Modify krb5.conf.  It now looks like this:

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = MYDOMAIN.COM
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

 MYDOMAIN.COM = {
 kdc = MYDC2.mydomain.com mydc7.mydomain.com
 admin_server = MYDC2.mydomain.com mydc7.mydomain.com

 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 mydomain.com = MYDOMAIN.COM
 .mydomain.com = MYDOMAIN.COM

 
5. klist -k

[root@myserver]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 restrictedkrbhost/myserver.mydomain.com@MYDOMAIN.COM
   1 restrictedkrbhost/MYSERVER@MYDOMAIN.COM
   1 restrictedkrbhost/myserver.mydomain.com@MYDOMAIN.COM
   1 restrictedkrbhost/MYSERVER@MYDOMAIN.COM
   1 restrictedkrbhost/myserver.mydomain.com@MYDOMAIN.COM
   1 restrictedkrbhost/MYSERVER@MYDOMAIN.COM
   1 restrictedkrbhost/myserver.mydomain.com@MYDOMAIN.COM
   1 restrictedkrbhost/MYSERVER@MYDOMAIN.COM
   1 restrictedkrbhost/myserver.mydomain.com@MYDOMAIN.COM
   1 restrictedkrbhost/MYSERVER@MYDOMAIN.COM
   1 RestrictedKrbHost/MYSERVER@MYDOMAIN.COM
   1 RestrictedKrbHost/MYSERVER@MYDOMAIN.COM
   1 host/myserver.mydomain.com@MYDOMAIN.COM
   1 host/MYSERVER@MYDOMAIN.COM
   1 host/myserver.mydomain.com@MYDOMAIN.COM
   1 host/MYSERVER@MYDOMAIN.COM
   1 MYSERVER$@MYDOMAIN.COM
   1 MYSERVER$@MYDOMAIN.COM
   1 MYSERVER$@MYDOMAIN.COM
   1 host/MYSERVER@MYDOMAIN.COM
   1 host/myserver.mydomain.com@MYDOMAIN.COM
   1 RestrictedKrbHost/MYSERVER@MYDOMAIN.COM
   1 RestrictedKrbHost/myserver.mydomain.com@MYDOMAIN.COM
   1 RestrictedKrbHost/myserver.mydomain.com@MYDOMAIN.COM
   1 RestrictedKrbHost/myserver.mydomain.com@MYDOMAIN.COM

6. Ran the following command to do updates to nsswitch.conf (I think). I didn't get any errors.

authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
 

7. configure sssd.conf to look similar to example given in Oracle instructions.  I made mine like this. There was no mention of using AllowGroups or AllowUsers in the instructions.

[sssd]
default_domain_suffix = mydomain
domains = mydomain.com
config_file_version = 2
services = nss, pam, ssh

[domain/mydomain.com]
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-adcli joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
override_homedir = /home/%u


8. Enable SSSD

systemctl enable sssd
systemctl start sssd


9.  Fetch ID for Administrator and my login.  I filtered this but the output showed pretty much every group this user has access to.

# id Administrator
uid=1790800500(administrator@mydomain.com) gid=790800513(domain users@mydomain.com) groups=1790800513(domain admins@mydomain.com)

# id mylogin
uid=1790838736(mylogin@mydomain.com) gid=1790800513(domain users@mydomain.com) groups=1790800513(domain admins@mydomain.com)


10.  Do these commands

#systemctl start oddjobd
#systemctl enable oddjobd
#systemctl enable messagebus
#systemctl start messagebus


11. Now try to su as Administrator and the other user you want to have access.  It worked for both Administrator and my own login.

# su - mylogin
Last login: Thu Oct  1 09:51:34 EDT 2020 on pts/0
[mylogin@mydomain.com@myserver ~]$

The su - mylogin works!
BUT I can't directly log into the server using my login.  I can only do it if I "su - mylogin" from root.  
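The two log lines quoted near the top of the thread ("Cannot find key for restrictedkrbhost/... kvno 2 in keytab") and the klist -k listing in step 5 (every entry at kvno 1) can be checked against each other mechanically. The script below is an added example, not code from the thread, from Oracle's note or from MIT Kerberos: it parses both texts and reports when the KDC is issuing service tickets under a key version number newer than any key in /etc/krb5.keytab. That is what a stale keytab looks like after the computer account's password has been reset (for example by a second join with a different tool), and it is consistent with the fresh realm leave / re-join later in the thread clearing the error. The sample inputs are constructed to mirror the thread's output; principal names are folded to lower case because the keytab above carries both spellings of RestrictedKrbHost (an assumption, since Kerberos itself is case-sensitive).

```python
"""Keytab / kvno consistency check for the errors seen in this thread.

Added example, not code from the thread, from Oracle's note or from MIT
Kerberos.  It parses what `klist -k` prints and the
"Cannot find key for <principal> kvno <n> in keytab" lines that sssd's
krb5_child logs, and says whether the keytab is stale: a KDC issuing tickets
under a key version higher than anything in the keytab means the computer
account's password in AD changed after the keytab was written, and the host
must be re-joined (or the keytab refreshed).  Inputs below are constructed to
mirror the thread; principal names are folded to lower case because the
keytab above lists both spellings of RestrictedKrbHost (assumption).
"""
import re
from collections import defaultdict

KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")          # "   1 host/x@REALM"
KRB5_CHILD = re.compile(r"Cannot find key for (\S+) kvno (\d+) in keytab")


def parse_klist(text):
    """Map principal -> set of kvnos present (one line per enctype is normal)."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            table[m.group(2).lower()].add(int(m.group(1)))
    return dict(table)


def parse_krb5_child(log):
    """(principal, kvno) pairs the KDC used for tickets sssd could not decrypt."""
    return [(p.lower(), int(k)) for p, k in KRB5_CHILD.findall(log)]


def diagnose(klist_text, log_text):
    """One finding per krb5_child complaint, with the kvnos the keytab holds."""
    keytab = parse_klist(klist_text)
    findings = []
    for principal, wanted in parse_krb5_child(log_text):
        have = sorted(keytab.get(principal, ()))
        if not have:
            verdict = "missing: this SPN was never written to the keytab; re-join"
        elif wanted in have:
            verdict = "kvno present: key version is fine, compare enctypes/salt with klist -ke"
        elif wanted > max(have):
            verdict = "stale keytab: AD holds a newer computer password; re-join or refresh the keytab"
        else:
            verdict = "older kvno than the keytab: likely a ticket cached before the last rotation; kdestroy and retry"
        findings.append({"principal": principal, "wanted": wanted, "have": have, "verdict": verdict})
    return findings


# Constructed sample inputs, shaped like the thread's klist -k and /var/log/messages.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 restrictedkrbhost/myserver.mydomain.com@MYDOMAIN.COM
   1 RestrictedKrbHost/MYSERVER@MYDOMAIN.COM
   1 host/myserver.mydomain.com@MYDOMAIN.COM
   1 host/MYSERVER@MYDOMAIN.COM
   1 MYSERVER$@MYDOMAIN.COM
"""

SAMPLE_LOG = """\
Sep 25 13:52:44 myserver [sssd[krb5_child[21721]]]: Cannot find key for restrictedkrbhost/myserver.mydomain.com@MYDOMAIN.COM kvno 2 in keytab
Sep 25 13:52:44 myserver [sssd[krb5_child[21721]]]: Cannot find key for host/MYSERVER@MYDOMAIN.COM kvno 1 in keytab
"""

if __name__ == "__main__":
    for f in diagnose(SAMPLE_KLIST, SAMPLE_LOG):
        print(f"{f['principal']}: KDC kvno {f['wanted']}, keytab has {f['have']} -> {f['verdict']}")
```

To use it on a live host, paste the real `klist -k` output and the krb5_child lines from /var/log/messages in place of the samples. A direct check without any parsing: after `kinit` as an AD user, `kvno host/$(hostname -f)` asks the KDC for a service ticket and prints the key version it used; if that number is above everything `klist -k` shows, the keytab is stale and the host needs a clean leave and re-join, exactly as the thread ends up doing.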



Julie Kurpa, Sr. Systems Programmer

Author

Commented:
I have added at the bottom of the /etc/ssh/sshd_config and restarted it:

AllowGroups root other admin?group
AllowUsers root mylogin mylogin@mydomain.com

I see the following errors when I status sshd:

Oct 01 17:07:19 myserver.mydomain.com sshd[11192]: User mylogin@mydomain.com from myworkstation@mydomain.com not allowed because not listed in AllowUsers
Oct 01 17:07:19 myserver.mydomain.com sshd[11192]: input_userauth_request: invalid user mylogin@mydomain.com [preauth]
Oct 01 17:07:23 myserver.mydomain.com sshd[11192]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myworkstation.mydomain.com user=mylogin@mydomain.com
Oct 01 17:07:23 myserver.mydomain.com sshd[11192]: pam_sss(sshd:auth): received for user mylogin@mydomain.com: 6 (Permission denied)
Oct 01 17:07:24 myserver.mydomain.com sshd[11192]: Failed password for invalid user mylogin@mydomain.com from 10.6.1.18 port 51779 ssh2


CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
This is when you enter mylogin?
myworkstation@mydomain.com suggests that you need to add the workstation into the AllowUsers list.
Seems odd that it tries to validate the connection itself?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Not sure if it is still valid to use wbinfo -u or -g; see how the group is displayed.
Or try group\ name; \ is an escape to treat the space as a literal versus a separation character.
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Still trying but not working. Same error.  I opened a case with Oracle support and they are trying to figure it out.  I'll update if a solution is found. 
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Still working on this.  Will update soon.

Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Somewhere I must have made a typo and kept missing it.  

I "left" the realm to start all over:

#  realm leave -v mydomain.com

Then this command showed me no output.  Good.  
# realm list

Did all steps over again detailed in the oracle document Doc ID 2653397.1  and was able to log in as an AD user.  
I have no idea what I did wrong as everything looks the same as before.

I've been experimenting with trying to restrict which AD users can log in (via ssh or console) but have not been successful yet.  

Julie Kurpa, Sr. Systems Programmer

Author

Commented:
btw... I can log in as any AD user with or without domain:

mylogin   or  mylogin@mydomain.com
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Adding the AllowGroups and AllowUsers to the /etc/ssh/sshd_config file like below denies all AD accounts including the one I have in the AllowUsers.  When I take it out, I can login with any AD account.

AllowGroups root other admin?group
AllowUsers root mylogin mylogin@mydomain.com
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Even if you comment out the AllowGroups?

AllowGroups might rely on a method not present/available in the setup.
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Put only the AllowUsers

AllowUsers root mylogin mylogin@mydomain.com

Also tried:

AllowUsers root mylogin

Still got Access Denied.

I take it out and I can get in just fine. 
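The AllowUsers failures in this thread all have the same shape in the sshd log: "User mylogin@mydomain.com from ... not allowed because not listed in AllowUsers", whether "mylogin" or "mylogin@mydomain.com" was typed or listed. Two facts about sshd explain it. First, sshd compares the account name it got back from the password database (pw_name, which is also the name it prints in that log line), and with use_fully_qualified_names = True in sssd.conf that name is mylogin@mydomain.com, so the entry "mylogin" can never match. Second, an AllowUsers entry containing "@" is a USER@HOST pattern split at the first "@", so "mylogin@mydomain.com" means "user mylogin connecting from a host named mydomain.com" and cannot match either. The model below is an added example, not code from the thread or from OpenSSH; it reproduces that matching logic on a constructed login and shows the spellings that do match: "?" stands for any single character, so "mylogin?mydomain.com" matches the fully qualified name (and, strictly, any other single character in that position), and a host pattern can still be appended after it. Host matching is simplified to a glob on the client's host name; real sshd also tries the client IP address and CIDR forms.

```python
"""Model of how sshd matches AllowUsers entries, for the log lines in this thread.

Added example, not code from the thread or from OpenSSH.  It re-implements the
part of OpenSSH's match_user()/match_pattern() logic that explains the
"not allowed because not listed in AllowUsers" lines above:

  * the name compared is pw_name as returned by getpwnam(), not what was typed;
    with SSSD's use_fully_qualified_names = True that is user@domain;
  * an entry containing '@' is split at the FIRST '@' into a USER pattern and a
    HOST pattern, so "mylogin@mydomain.com" means user "mylogin" from host
    "mydomain.com";
  * patterns understand only '*' and '?', case-sensitively.

Host matching is simplified to a glob on the client host name (assumption);
sshd also matches the client IP address and CIDR ranges.
"""


def match_pattern(s, pattern):
    """OpenSSH-style glob: '*' matches any run of characters, '?' exactly one."""
    si = pi = 0
    star_pi = star_si = -1
    while si < len(s):
        if pi < len(pattern) and pattern[pi] == "*":
            star_pi, star_si = pi, si          # remember the star, first try matching nothing
            pi += 1
        elif pi < len(pattern) and pattern[pi] in ("?", s[si]):
            si += 1
            pi += 1
        elif star_pi >= 0:
            pi = star_pi + 1                   # backtrack: let the star eat one more character
            star_si += 1
            si = star_si
        else:
            return False
    while pi < len(pattern) and pattern[pi] == "*":
        pi += 1
    return pi == len(pattern)


def match_user(pw_name, host, entry):
    """One AllowUsers entry; a USER@HOST entry is split at the first '@'."""
    if "@" not in entry:
        return match_pattern(pw_name, entry)
    user_pat, host_pat = entry.split("@", 1)
    return match_pattern(pw_name, user_pat) and match_pattern(host, host_pat)


def allowed(pw_name, host, allow_users):
    """AllowUsers is an allow-list: when it is non-empty, a login whose pw_name
    matches no entry is refused before any authentication is attempted."""
    return not allow_users or any(match_user(pw_name, host, e) for e in allow_users)


# Constructed login: the fully qualified name SSSD returns for "mylogin".
PW_NAME = "mylogin@mydomain.com"
CLIENT_HOST = "myworkstation.mydomain.com"


def demo():
    """Each AllowUsers spelling tried in the thread, plus the ones that work."""
    entries = [
        "mylogin",                              # never equals the FQ pw_name
        "mylogin@mydomain.com",                 # user "mylogin" from host "mydomain.com"
        "mylogin?mydomain.com",                 # '?' stands in for the '@' in the name
        "mylogin?mydomain.com@*.mydomain.com",  # same, but only from hosts in the domain
        "*",                                    # everyone, shown for contrast
    ]
    return {e: allowed(PW_NAME, CLIENT_HOST, [e]) for e in entries}


if __name__ == "__main__":
    for entry, ok in demo().items():
        print(f"AllowUsers {entry:40} -> {'allowed' if ok else 'denied'}")
```

Confirm the name sshd will compare with `getent passwd mylogin` (the first field is pw_name), validate the file with `sshd -t` before restarting, and keep the existing session open while you do: a non-matching AllowUsers line refuses everyone not listed, root included, which is the lockout that happened earlier in this thread. sshd evaluates the directives in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups.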
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
It seems that the tie-in between SSH and the verification part is askew.
That mylogin in the AllowUsers is not validated when the username is passed through.
Try the following: set up SSH keys and see if AllowUsers mylogin with public keys exhibits a different behavior.
What if you include both mylogin and mylogin@mydomain on the AllowUsers?
Does /var/log/security (or /var/log/audit, if you adjusted it) reflect any events related to SSH trying to validate the AllowUsers parameters?
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
I tried something I found via Googling.  I added to the /etc/security/access.conf file and was able to restrict users based on which group they belonged to.  

The "Domain\testgroup" is my domain plus the AD group my test user belongs to.  

+ : Domain\testgroup : ALL
+ : root : ALL
- : ALL : ALL

Now I'm trying to figure out how to use an AD group with a space in the name.  I've found that I need to set the "listsep" but I can't find any examples on how to set it.
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
I've got it working to allow AD groups with spaces in the name.  So for AD group called "My Group", here's examples:

I added the "listsep=," to the "pam_access.so" line in the following files:

/etc/pam.d/system-auth-ac
/etc/pam.d/password-auth-ac

So that the line for pam_access.so looks like this:

account required pam_access.so listsep=,

Then I removed the spaces from the /etc/security/access.conf file so my entries look like this:

+:my.domain.org\My Group:ALL
+:root:ALL
-:ALL:ALL  

This is working great.  
Now I am trying to get it to work for an individual AD user who is not in the "My Group" AD group. No matter what I try, I can't get it to work.  
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Excellent.

Based on your example:
+:mylogin:ALL
+:my.domain.org\mylogin:ALL

Or look at whether there is an include option to include a separate file.
Though a consideration is whether the file(s) are rescanned anew on each connection, or the service needs restarting.
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Thanks Arnold.  :)
For sure nothing needs to get restarted when modifying the access.conf file.  I tested this by adding another domain group that my test user was a member.  Immediately the test user could log in.  Remove the entry for that domain group...immediately no access. When denied access, the behavior is to disconnect the session.

Here are the formats I've tried for that user entry.  

+:mylogin:ALL
+:my.domain.org\mylogin:ALL
+:mylogin@my.domain.org:ALL

I changed the order so that the entry for mylogin was both before and after the group entry but no go on that either.  I made sure to keep it before the +:root:ALL  which is the 2nd to the last entry.  
Tried adding it to the /etc/ssh/sshd_config like we were trying before but got an "access denied" error in the login screen of the ssh session.  A little different of a denial.
I wondered about using UID but haven't been able to find any information on it.  Will continue to research and post any findings. The SR I have open with Oracle has not been helpful at all. 
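The access.conf approach above works for the group entry and for none of the three user spellings, and pam_access's own matching rules say why. For each item in the users field it first compares the item literally against the account name NSS returns for the login (with use_fully_qualified_names = True that is mylogin@my.domain.org, the same name `id mylogin` prints), then falls back to treating the item as a group name and asking NSS whether the account is a member. "my.domain.org\My Group" succeeds on that second step because SSSD's AD provider resolves the DOMAIN\name form when it looks up a group. "mylogin" and "my.domain.org\mylogin" fail the literal compare and are not groups; "mylogin@my.domain.org" is treated, like sshd's AllowUsers, as a user@host pair split at the "@", so its user half is again just "mylogin". The evaluator below is an added example, not code from the thread or from Linux-PAM; it models exactly those rules with listsep=, on a constructed access.conf and on constructed NSS answers (DEFAULT_DOMAIN and the canonical() name parsing are assumptions standing in for SSSD), and it also covers the case where the account name is short because fully qualified names are off.

```python
"""Model of how pam_access evaluates the access.conf entries from this thread.

Added example, not code from the thread or from Linux-PAM.  It re-implements
the subset of pam_access's rule matching that decides these cases:

  * lines are tried in order and the first match wins; no match means allow;
  * the users field is split on listsep (',' here, as in the thread);
  * an item is ALL, a (group) matched only as a group, a user@host pair split
    at the '@' and matched as user AND origin, or a bare name compared with
    the account name first and then tried as a group the account belongs to;
  * the account name is the pw_name NSS returns for the login and group
    membership is whatever NSS answers; both are constructed here.

Netgroups, LOCAL, network origins and EXCEPT are real pam_access features
that this model leaves out.
"""
from dataclasses import dataclass

DEFAULT_DOMAIN = "my.domain.org"      # assumption: sssd default_domain_suffix


def canonical(name):
    """Constructed stand-in for SSSD's AD name parsing (its default
    re_expression): DOMAIN\\name, name@domain and a bare name all map to the
    lower-cased canonical name@domain that SSSD uses for lookups."""
    if "\\" in name:
        domain, short = name.split("\\", 1)
    elif "@" in name:
        short, domain = name.split("@", 1)
    else:
        short, domain = name, DEFAULT_DOMAIN
    return f"{short}@{domain}".lower()


@dataclass(frozen=True)
class Login:
    pw_name: str          # from getpwnam(): user@domain when use_fully_qualified_names = True
    groups: frozenset     # canonical names of the groups NSS lists for the account
    rhost: str            # PAM_RHOST, the origin sshd sets


def from_match(item, login):
    """Origins field: ALL, a leading-dot domain suffix, or an exact host name."""
    if item == "ALL":
        return True
    if item.startswith("."):
        return login.rhost.lower().endswith(item.lower())
    return item.lower() == login.rhost.lower()


def user_match(item, login):
    """One item of the users field, in the order pam_access tries the forms."""
    if "@" in item:                                   # user@host: both halves must match
        user_part, host_part = item.split("@", 1)
        return user_match(user_part, login) and from_match(host_part, login)
    if item.startswith("(") and item.endswith(")"):   # group-only syntax
        return canonical(item[1:-1]) in login.groups
    if item == "ALL" or item.lower() == login.pw_name.lower():
        return True                                   # literal compare, no domain parsing
    return canonical(item) in login.groups            # fall back to group membership


def parse_rules(text, listsep=" "):
    """permission : users : origins, with '#' comments and blank lines ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm,
                      [u for u in (x.strip() for x in users.split(listsep)) if u],
                      [o for o in (x.strip() for x in origins.split(listsep)) if o]))
    return rules


def decide(rules, login):
    for perm, users, origins in rules:
        if any(user_match(u, login) for u in users) and any(from_match(o, login) for o in origins):
            return "allow" if perm == "+" else "deny"
    return "allow"                                    # pam_access allows when nothing matches


# Constructed /etc/security/access.conf, the thread's entries plus the three
# user spellings that were tried, used with "account required pam_access.so listsep=,".
ACCESS_CONF = r"""
+:my.domain.org\My Group:ALL
+:mylogin:ALL
+:my.domain.org\mylogin:ALL
+:mylogin@my.domain.org:ALL
+:root:ALL
-:ALL:ALL
"""


def demo():
    rules = parse_rules(ACCESS_CONF, listsep=",")
    host = "myworkstation.my.domain.org"
    domain_users = canonical(r"my.domain.org\Domain Users")
    member = Login("mylogin@my.domain.org", frozenset({domain_users, canonical(r"my.domain.org\My Group")}), host)
    listed = Login("mylogin@my.domain.org", frozenset({domain_users}), host)
    short = Login("mylogin", frozenset({domain_users}), host)   # use_fully_qualified_names = False
    root = Login("root", frozenset({"root"}), "localhost")
    return {
        "group member, fq name": decide(rules, member),
        "listed user, fq name": decide(rules, listed),
        "listed user, short name": decide(rules, short),
        "root": decide(rules, root),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26} -> {verdict}")
```

Under this model the per-user line matches as soon as the account's pw_name is the short name (`getent passwd mylogin` shows which one you have), which is what use_fully_qualified_names = False in sssd.conf produces, at the cost of having to keep local and AD account names from colliding. SSSD's own simple access provider (access_provider = simple with simple_allow_users and simple_allow_groups in sssd.conf) is the other standard place for a per-user allow list, but it replaces the access_provider = ad line and with it the GPO-based access control that provider can enforce. Whichever is used, keep the trailing -:ALL:ALL so the file fails closed, as it does above.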
Julie Kurpa, Sr. Systems Programmer

Author

Commented:
Finally closed SR with oracle. No help at all on their Oracle Linux in figuring out how to grant login privs to an individual AD user account.  

Boss says we'll just stick to AD groups.

Thanks so much for your help. 