Access Denied to AD Users from Kubuntu clients joined to domain

After access over sssd has been working quite well for months today 3 of my 4 client kubuntu-machines stopped giving access, and I have no clue why. Rejoining them to ad doesn’t help this time.
/var/log/auth.log just says:

Jul 4 19:31:08 rechner1 sddm-helper: pam_unix(sddm:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=admin@ad.kb-ohnemus.de
Jul 4 19:31:11 rechner1 sddm-helper: pam_sss(sddm:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=admin@ad.kb-ohnemus.de
Jul 4 19:31:11 rechner1 sddm-helper: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate
Jul 4 19:31:11 rechner1 sddm-helper: pam_sss(sddm:account): Access denied for user admin@ad.kb-ohnemus.de: 4 (System error)

Any hints or ideas please? Thanks.

Do these commands work on the server?

id "admin@ad.kb-ohnemus.de"
getent passwd "admin@ad.kb-ohnemus.de"
kinit -V "admin@ad.kb-ohnemus.de"

On the client, a join test is correct?

sudo net ads testjoin
Some troubleshooting documentation

https://wiki.nethserver.org/doku.php?id=howto:useful_commands#samba4
https://sssd.io/troubleshooting/basics.html

2 Likes

Hello, and thanks for your answer. Meanwhile another person had popped up with the same problem, and it seems to be related to ubuntu updates causing the problem:


I’ve followed that solution and it works so far, but don’t know if this has any drawbacks…

1 Like

That workaround is telling sssd to always allow access.
sssd troubleshooting states this:

I’m receiving Access denied for user $user: 6 (Permission denied)

  • Authentication went fine, but the user was denied access to the client machine. You can temporarily disable access control with setting access_provider=permit temporarily. Don’t forget to reset the access provider to a stricter setting after finding out the root cause!

So we should set that back to “ad” after this gets fixed in ubuntu.

What does always allow access mean? I still need correct credentials to log into ubuntu.

What are you using in kubuntu to access your AD?

PBIS?

I just followed these steps, part two (without the ZFS-part):

First time i ever see this, i am used to PBIS-Open ! :slight_smile:

wget -O - https://repo.pbis.beyondtrust.com/apt/RPM-GPG-KEY-pbis sudo apt-key add -

sudo wget -O /etc/apt/sources.list.d/pbiso.list https://repo.pbis.beyondtrust.com/apt/pbiso.list

sudo apt-get update

sudo apt-get install pbis-open

  • Restart.

Check if your domain is reachable
nslookup yourdomain.local

something like this…

sudo domainjoin-cli join --disable ssh yourdomain domainadmin@yourdomain

  • At first your sudo pass
  • Then your domain admin pass
  • Restart

@ssabbath

Hi Walter

Looks interesting, but hard to find PBIS on their page / site (beyondtrust.com).

It also looks like PBIS-Open is missing the most interesting part: GP (Group Policy) integration, which is only available in the (paid for) enterprise edition.

I’m always careful with such “open source” offers which have “Enterprise” options - simply with Open-Source, it would not be possible to make an enterprise version without resorting to a BLOB or something similiar… And a lot of such offers are often only eye catchers, and are dropped after a year or two.

If I can get AD to work using pure open source / samba, I do prefer that, even if it’s a mite more work.

My 2 cents
Andy

1 Like

Agreed! I will try that other way and see what changes lol! :slight_smile:

I never used GP in a Linux Enviroment… A.D. for me its only for user logon with linux stations. I did not even know that some GP was possible with linux.