Access Denied to AD Users from Kubuntu clients joined to domain

After access over sssd has been working quite well for months, today 3 of my 4 Kubuntu client machines stopped giving access, and I have no clue why. Rejoining them to AD doesn't help this time.
/var/log/auth.log just says:

Jul 4 19:31:08 rechner1 sddm-helper: pam_unix(sddm:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=admin@ad.kb-ohnemus.de
Jul 4 19:31:11 rechner1 sddm-helper: pam_sss(sddm:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=admin@ad.kb-ohnemus.de
Jul 4 19:31:11 rechner1 sddm-helper: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate
Jul 4 19:31:11 rechner1 sddm-helper: pam_sss(sddm:account): Access denied for user admin@ad.kb-ohnemus.de: 4 (System error)

Any hints or ideas please? Thanks.
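The log excerpt above has a telltale shape: pam_sss reports "authentication success" in the auth phase and then "Access denied" in the account phase, so the password was accepted and it is sssd's access check that failed. The number after the colon is the PAM return code that pam_sss logs with its text (4 is PAM_SYSTEM_ERR "System error", 6 is PAM_PERM_DENIED "Permission denied"), which separates "the access rule could not be evaluated" from "the access rule rejected the user". The script below is an added example, not part of the original post; it embeds the four log lines from the post as constructed sample input and picks out exactly that pattern. The code-to-meaning mapping in pam_code_hint is my reading of the PAM return codes, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): triage an auth.log excerpt for the
# "pam_sss auth success, then pam_sss account denied" pattern.
# Assumption: the number after "Access denied for user <user>:" is the PAM
# return code pam_sss logs (4 = PAM_SYSTEM_ERR, 6 = PAM_PERM_DENIED).

# Constructed sample input: the four lines quoted in the post above.
SAMPLE_LOG=$(cat <<'EOF'
Jul 4 19:31:08 rechner1 sddm-helper: pam_unix(sddm:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=admin@ad.kb-ohnemus.de
Jul 4 19:31:11 rechner1 sddm-helper: pam_sss(sddm:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=admin@ad.kb-ohnemus.de
Jul 4 19:31:11 rechner1 sddm-helper: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate
Jul 4 19:31:11 rechner1 sddm-helper: pam_sss(sddm:account): Access denied for user admin@ad.kb-ohnemus.de: 4 (System error)
EOF
)

# Map a PAM return code to a short diagnosis. Only the two codes that appear
# in the thread and in the sssd troubleshooting guide are spelled out.
pam_code_hint() {
  case "$1" in
    4) echo "PAM_SYSTEM_ERR: sssd could not evaluate the access rule (backend error), not a policy decision" ;;
    6) echo "PAM_PERM_DENIED: the access rule was evaluated and rejected the user" ;;
    *) echo "PAM code $1: see pam(3) and the sssd domain log" ;;
  esac
}

# Read auth.log lines on stdin; print "user code status" for every pam_sss
# account-phase denial. status is auth-ok when the same user had a pam_sss
# auth success earlier in the input (i.e. the password was fine).
sss_account_denials() {
  awk '
    /pam_sss\([^)]*:auth\): authentication success/ {
      if (match($0, /user=[^ ]+/)) ok[substr($0, RSTART + 5, RLENGTH - 5)] = 1
    }
    /pam_sss\([^)]*:account\): Access denied for user/ {
      # tail of the line is "<user>: <code> (<text>)"
      split($0, f, "Access denied for user ")
      split(f[2], g, ": ")
      user = g[1]; code = g[2]; sub(/ .*/, "", code)
      status = (user in ok) ? "auth-ok" : "auth-unknown"
      print user, code, status
    }'
}

# Full triage: one line per denial with the code explained.
sss_triage() {
  sss_account_denials | while read -r user code status; do
    printf '%s: %s [%s]\n' "$user" "$(pam_code_hint "$code")" "$status"
  done
}

# Usage on the real file: sudo cat /var/log/auth.log | sss_triage
# On the sample above it reports admin@ad.kb-ohnemus.de with code 4.
```

With a code 4 rather than 6, the next place to look is the sssd domain log under /var/log/sssd/ (raise debug_level in the domain section if it is quiet), because the failure is inside the access evaluation itself, not a deliberate policy denial.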

Do these commands work on the server?

id "admin@ad.kb-ohnemus.de"
getent passwd "admin@ad.kb-ohnemus.de"
kinit -V "admin@ad.kb-ohnemus.de"

On the client, a join test is correct?

sudo net ads testjoin
Some troubleshooting documentation

https://wiki.nethserver.org/doku.php?id=howto:useful_commands#samba4
https://sssd.io/troubleshooting/basics.html

2 Likes

Hello, and thanks for your answer. Meanwhile another person has popped up with the same problem, and it seems to be related to Ubuntu updates causing the problem:

I’ve followed that solution and it works so far, but I don’t know if this has any drawbacks…

1 Like

That workaround is telling sssd to always allow access.
sssd troubleshooting states this:

I’m receiving Access denied for user $user: 6 (Permission denied)

  • Authentication went fine, but the user was denied access to the client machine. You can temporarily disable access control with setting access_provider=permit temporarily. Don’t forget to reset the access provider to a stricter setting after finding out the root cause!

So we should set that back to “ad” after this gets fixed in Ubuntu.
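To make the difference between the two settings concrete, here is an added example (not from the thread or the sssd project): the workaround and the intended setting side by side as sssd.conf fragments, plus a small check that reports the effective access_provider of each domain section so you can confirm the revert actually landed. The section name and option values are constructed to match this thread; access_provider and its "permit" default are documented in sssd.conf(5), and the observation that a missing access_provider line also means permit is why the check treats an unset value as permit.

```shell
#!/bin/sh
# Added example (not from the thread): access_provider = permit versus
# access_provider = ad, and a check for the effective setting.
# Assumptions: section name and file contents are constructed for this
# thread; sssd.conf(5) documents access_provider with default "permit".

# The workaround: sssd skips the account/access phase entirely, so anyone
# with a valid AD password gets a session regardless of account state.
WORKAROUND_CONF='[domain/ad.kb-ohnemus.de]
id_provider = ad
auth_provider = ad
access_provider = permit
'

# The intended setting: the AD provider evaluates the account (disabled or
# expired accounts, logon hours, and GPO logon rights when
# ad_gpo_access_control is enabled) before granting access.
HARDENED_CONF='[domain/ad.kb-ohnemus.de]
id_provider = ad
auth_provider = ad
access_provider = ad
'

# Read an sssd.conf on stdin; print "<section> <access_provider>" for every
# [domain/...] section. A section with no access_provider line is reported
# as permit, because that is sssd's documented default.
sssd_access_providers() {
  awk -F'=' '
    /^\[/ { sect = "" }
    /^\[domain\// { sect = $0; gsub(/[][]/, "", sect); prov[sect] = "permit" }
    /^[ \t]*access_provider[ \t]*=/ && sect != "" {
      v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); prov[sect] = v
    }
    END { for (s in prov) print s, prov[s] }'
}

# Return 1 (and say why on stderr) if any domain has access control off.
sssd_audit() {
  bad=$(sssd_access_providers | awk '$2 == "permit"')
  if [ -n "$bad" ]; then
    echo "access control disabled: $bad" >&2
    return 1
  fi
  return 0
}

# On a real client (run as root; sssd.conf must stay mode 0600):
#   sssd_audit < /etc/sssd/sssd.conf
# and after editing the file back to access_provider = ad:
#   sssctl config-check && systemctl restart sssd
```

The audit is deliberately conservative: an unset access_provider is flagged too, since sssd.conf(5) gives permit as the default, so a domain section that simply dropped the line is just as open as one that says permit explicitly.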

What does always allow access mean? I still need correct credentials to log into Ubuntu.

What are you using in kubuntu to access your AD?

PBIS?

I just followed these steps, part two (without the ZFS-part):

1 Like

This is the first time I have ever seen this; I am used to PBIS-Open! :slight_smile:

wget -O - https://repo.pbis.beyondtrust.com/apt/RPM-GPG-KEY-pbis | sudo apt-key add -

sudo wget -O /etc/apt/sources.list.d/pbiso.list https://repo.pbis.beyondtrust.com/apt/pbiso.list

sudo apt-get update

sudo apt-get install pbis-open

  • Restart.

Check if your domain is reachable
nslookup yourdomain.local

something like this…

sudo domainjoin-cli join --disable ssh yourdomain domainadmin@yourdomain

  • First your sudo password
  • Then your domain admin password
  • Restart

1 Like

@ssabbath

Hi Walter

Looks interesting, but hard to find PBIS on their page / site (beyondtrust.com).

It also looks like PBIS-Open is missing the most interesting part: GP (Group Policy) integration, which is only available in the (paid for) enterprise edition.

I’m always careful with such “open source” offers which have “Enterprise” options - simply with open source, it would not be possible to make an enterprise version without resorting to a BLOB or something similar… And a lot of such offers are often only eye catchers, and are dropped after a year or two.

If I can get AD to work using pure open source / samba, I do prefer that, even if it’s a mite more work.

My 2 cents
Andy

1 Like

Agreed! I will try that other way and see what changes lol! :slight_smile:

I have never used GP in a Linux environment… AD for me is only for user logon with Linux stations. I did not even know that some GP was possible with Linux.

For more control, something like RSAT on Linux is phpLDAPadmin.