Active Directory: fatal: Access denied for user by PAM account configuration

There are 8 Linux servers configured with SSSD for AD user login authentication. Please find the sssd, PAM system-auth, password-auth and sshd config files in the attachment. The issue is that I cannot use any AD user to ssh into the servers; here AD user "jsun" is the example. Linux local user login is fine. In the journal log I can see the error below:


yum reinstall pam completed successfully, but an AD user connecting by ssh still gets "Authentication failed". Nothing is different.
The journal log still shows the same error as below:
Dec 18 15:57:12 mertvd1 sshd[16839]: debug1: userauth-request for user shshe service ssh-connection method none [preauth]
Dec 18 15:57:12 mertvd1 sshd[16839]: debug1: attempt 0 failures 0 [preauth]
Dec 18 15:57:12 mertvd1 sshd[16839]: debug2: parse_server_config: config reprocess config len 767
Dec 18 15:57:12 mertvd1 sshd[16839]: debug2: monitor_read: 8 used once, disabling now
Dec 18 15:57:12 mertvd1 sshd[16839]: debug2: input_userauth_request: setting up authctxt for shshe [preauth]
Dec 18 15:57:12 mertvd1 sshd[16839]: debug2: input_userauth_request: try method none [preauth]
Dec 18 15:57:12 mertvd1 sshd[16839]: debug1: PAM: initializing for "shshe"
Dec 18 15:57:12 mertvd1 sshd[16839]: debug1: PAM: setting PAM_RHOST to "mkotst.internal"
Dec 18 15:57:12 mertvd1 sshd[16839]: debug1: PAM: setting PAM_TTY to "ssh"
Dec 18 15:57:12 mertvd1 sshd[16839]: debug2: monitor_read: 100 used once, disabling now
Dec 18 15:57:12 mertvd1 sshd[16839]: debug2: monitor_read: 4 used once, disabling now
Dec 18 15:57:12 mertvd1 sshd[16839]: debug2: monitor_read: 80 used once, disabling now
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: userauth-request for user shshe service ssh-connection method password [preauth]
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: attempt 1 failures 0 [preauth]
Dec 18 15:57:20 mertvd1 sshd[16839]: debug2: input_userauth_request: try method password [preauth]
Dec 18 15:57:20 mertvd1 sshd[16839]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=mkotst.internal user=shshe
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: PAM: password authentication accepted for shshe
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: do_pam_account: called
Dec 18 15:57:20 mertvd1 be[internal][30312]: Group Policy Container with DN [cn={70638449-FAE7-4C2F-9061-0D9BFBF28DB8},cn=policies,cn=system,DC=internal] is unreadable or has unreadable or m
Dec 18 15:57:20 mertvd1 be[internal][30312]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Dec 18 15:57:20 mertvd1 sshd[16839]: Failed password for shshe from 10.175.120.49 port 56450 ssh2
Dec 18 15:57:20 mertvd1 sshd[16839]: fatal: Access denied for user shshe by PAM account configuration [preauth]
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: do_cleanup [preauth]
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: monitor_read_log: child log fd closed
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: do_cleanup
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: PAM: cleanup
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: Killing privsep child 16840
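The log above has the one detail that matters for triage: pam_sss reports "authentication success" for the password, and only afterwards does sshd log "Access denied for user shshe by PAM account configuration". That is an account-phase refusal, not a credential problem, which is why reinstalling pam or resetting the password changes nothing. The following is an added example, not code from the original post or from SSSD/OpenSSH: a small Python triage that groups sshd journal lines per child pid and separates "credential accepted, account stack refused" from a plain wrong password. The sample lines are the page's own pid 16839 entries plus a constructed wrong-password attempt (pid 17001, made up for contrast); the verdict names are this example's own.

```python
"""Added example (not from the original post): triage sshd/PAM journal
lines to tell 'credential accepted, account stack refused' apart from a
plain wrong password.  SAMPLE holds the page's own pid 16839 lines plus a
CONSTRUCTED wrong-password attempt (pid 17001) for contrast."""
import re
from collections import defaultdict

# journald/syslog prefix: "Dec 18 15:57:20 mertvd1 sshd[16839]: ..."
SSHD_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ sshd\[(\d+)\]: (.*)$")
# SSSD backend lines: "Dec 18 15:57:20 mertvd1 be[internal][30312]: ..."
SSSD_BE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ be\[[^\]]+\]\[\d+\]: (.*)$")
ACCT_DENIED_RE = re.compile(r"fatal: Access denied for user (\S+) by PAM account configuration")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from")


def split_by_pid(lines):
    """Group sshd messages per child pid; keep SSSD backend lines aside."""
    per_pid, backend = defaultdict(list), []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            per_pid[m.group(1)].append(m.group(2))
        elif (m := SSSD_BE_RE.match(line)):
            backend.append(m.group(1))
    return per_pid, backend


def classify(messages):
    """Return (verdict, user) for one sshd child's messages."""
    text = "\n".join(messages)
    cred_ok = ("pam_sss(sshd:auth): authentication success" in text
               or "PAM: password authentication accepted" in text)
    if (m := ACCT_DENIED_RE.search(text)) and cred_ok:
        # Password was right; the *account* stack refused (pam_deny order,
        # expiry, GPO).  Changing the password cannot fix this.
        return "account_stack_denied", m.group(1)
    if (m := ACCEPTED_RE.search(text)):
        return "accepted", m.group(1)
    if (m := FAILED_RE.search(text)):
        return "password_rejected", m.group(1)
    return "inconclusive", None


def gpo_permissive_warning(backend_lines):
    """True if SSSD logged the permissive-mode GPO warning (informational)."""
    return any("ad_gpo_access_control option were set to enforcing mode" in l
               for l in backend_lines)


def triage(lines):
    """Verdict per sshd pid plus whether the GPO permissive warning appeared."""
    per_pid, backend = split_by_pid(lines)
    verdicts = {pid: classify(msgs) for pid, msgs in per_pid.items()}
    return verdicts, gpo_permissive_warning(backend)


# First six lines are from the log on this page; pid 17001 is CONSTRUCTED.
SAMPLE = """\
Dec 18 15:57:20 mertvd1 sshd[16839]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=mkotst.internal user=shshe
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: PAM: password authentication accepted for shshe
Dec 18 15:57:20 mertvd1 sshd[16839]: debug1: do_pam_account: called
Dec 18 15:57:20 mertvd1 be[internal][30312]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Dec 18 15:57:20 mertvd1 sshd[16839]: Failed password for shshe from 10.175.120.49 port 56450 ssh2
Dec 18 15:57:20 mertvd1 sshd[16839]: fatal: Access denied for user shshe by PAM account configuration [preauth]
Dec 18 16:02:11 mertvd1 sshd[17001]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mkotst.internal user=shshe
Dec 18 16:02:11 mertvd1 sshd[17001]: pam_sss(sshd:auth): received for user shshe: 7 (Authentication failure)
Dec 18 16:02:11 mertvd1 sshd[17001]: Failed password for shshe from 10.175.120.49 port 56512 ssh2
""".splitlines()

if __name__ == "__main__":
    verdicts, gpo_warn = triage(SAMPLE)
    for pid, (verdict, user) in sorted(verdicts.items()):
        print(f"sshd[{pid}] {user}: {verdict}")
    if gpo_warn:
        print("note: SSSD GPO check ran in permissive mode; it did not cause the denial")
```

Feed it `journalctl -u sshd -o short` output (with `LogLevel DEBUG1` or higher in sshd_config so the PAM lines appear). Note that sshd logs "Failed password" in both cases, so that line alone cannot distinguish the two; the pam_sss success line before the "PAM account configuration" fatal is the discriminator.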


Resolution:

Running authconfig --updateall fixes it.

The actual cause is a wrongly configured line in the account stack: "account     required      pam_deny.so". A local user never reaches it, because "account sufficient pam_localuser.so" (or "pam_succeed_if.so uid < 1000") ends the stack early with success. An AD user, however, is only passed by "account [default=bad success=ok user_unknown=ignore] pam_sss.so", and "success=ok" records the success without ending the stack, so the next line, pam_deny.so, turns the final result into a denial. That is exactly the "Access denied for user ... by PAM account configuration" in the log, after pam_sss had already reported "authentication success" for the password.

Updating the line to "account     required      pam_permit.so" (which is what authconfig generates, as in the system-auth below) also works.

Note that the SSSD GPO warning in the log ("user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode") is only informational here: access control is not in enforcing mode, so it is not what denied the login, but the unreadable Group Policy Container would become a second blocker if that option were ever set to enforcing.

[root@mertvd1 ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_listfile.so item=user sense=deny file=/etc/security/users onerr=succeed
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_deny.so        #---> AD users are denied login

password    requisite     pam_pwquality.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 reject_username
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=13
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

[root@mertvd1 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_listfile.so item=user sense=deny file=/etc/security/users onerr=succeed
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 reject_username
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=13
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
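The following is an added example, not from the original post or from Linux-PAM or SSSD: a small Python model of how Linux-PAM walks the two account stacks shown above (password-auth ending in pam_deny.so, system-auth ending in pam_permit.so). The control-flag handling (required, requisite, sufficient, optional and the bracketed [value=action] form) is simplified from Linux-PAM's dispatch loop; every module's return code is an assumed model (an AD user is known to pam_sss.so but not to pam_localuser.so, pam_deny.so always fails, nothing is locked or expired), and the user names and uids are made up. It shows why an AD user ends in a denial under the first stack and succeeds under the second, while a local user succeeds under both because "sufficient pam_localuser.so" ends the stack before pam_deny.so is reached.

```python
"""Added model of how Linux-PAM walks the `account` stacks on this page.

The control-flag dispatch (ok/done/bad/die/ignore/reset/jump) is simplified
from Linux-PAM's _pam_dispatch_aux(); each module's return code is an
ASSUMED simplification, not a real PAM call.
"""
import re

# Keyword controls expanded to their bracket form, per pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# "<type> <control|[...]> <module> <args>"; a leading '-' on the type is allowed.
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text, group="account"):
    """Return [(actions, module, args)] for one management group."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1).lstrip("-") != group:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4)
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = dict(KEYWORDS[control])
        entries.append((actions, module, args))
    return entries


def model_result(module, args, user):
    """ASSUMED account-phase return code per module (simplified model)."""
    if module in ("pam_tally2.so", "pam_permit.so", "pam_unix.so"):
        return "success"          # not locked, always permit, no shadow expiry
    if module == "pam_localuser.so":
        return "success" if user["local"] else "perm_denied"   # not in /etc/passwd
    if module == "pam_succeed_if.so":
        op, n = re.search(r"uid\s*(<|>=)\s*(\d+)", args).groups()
        hit = user["uid"] < int(n) if op == "<" else user["uid"] >= int(n)
        return "success" if hit else "auth_err"
    if module == "pam_sss.so":
        return "success" if user["ad"] else "user_unknown"    # SSSD knows AD users only
    if module == "pam_deny.so":
        return "acct_expired"     # pam_deny fails every account call
    raise ValueError(f"no model for {module}")


def run_stack(entries, user):
    """Dispatch loop; returns (final_code, trace of per-module decisions)."""
    impression, status, trace, i = None, "perm_denied", [], 0
    while i < len(entries):
        actions, module, args = entries[i]
        ret = model_result(module, args, user)
        action = actions.get(ret, actions.get("default", "bad"))
        trace.append(f"{module:<18} {ret:<13} -> {action}")
        if action in ("ok", "done") or action.isdigit():
            # A positive result only counts while nothing has failed yet.
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break                      # 'sufficient' success ends the stack
            if action.isdigit():
                i += int(action)           # jump: skip the next N modules
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret   # first failure sticks
            if action == "die":
                break                      # 'requisite' failure ends the stack
        elif action == "reset":
            impression, status = None, "perm_denied"
        i += 1
    return (status if impression is not None else "perm_denied"), trace


def evaluate(stack_text, user):
    """Final account-stack result for one modeled user."""
    return run_stack(parse_stack(stack_text), user)[0]


# The account stack from password-auth on this page, and the same stack with
# the last line corrected as in system-auth.
BROKEN = """
account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_deny.so
"""
FIXED = BROKEN.replace("pam_deny.so", "pam_permit.so")

# Made-up users: an AD account (SSSD-mapped uid) and a local /etc/passwd account.
AD_USER = {"name": "shshe", "uid": 1800400512, "local": False, "ad": True}
LOCAL_USER = {"name": "opsadmin", "uid": 1001, "local": True, "ad": False}

if __name__ == "__main__":
    for label, stack in (("pam_deny.so", BROKEN), ("pam_permit.so", FIXED)):
        for user in (AD_USER, LOCAL_USER):
            final, trace = run_stack(parse_stack(stack), user)
            print(f"[ends with {label}] {user['name']}: {final}")
            for step in trace:
                print("    ", step)
```

The trace for the AD user under the broken stack shows pam_sss.so returning success with action "ok" and the very next line, pam_deny.so, flipping the result to a failure; "ok" is not "done", so a bracketed pam_sss.so line never ends the stack on its own. When auditing the other seven servers, the same parser can be pointed at their real /etc/pam.d/password-auth and system-auth files to confirm each account stack ends in pam_permit.so rather than pam_deny.so.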
