AD User cannot log into Linux client

NethServer Version: 7.9.2009 (final)

Hi - not, I guess, a Nethserver problem, but don’t know who else would have an idea.

I have Nethserver set up as an Active Directory Domain Controller, and can log in with one Linux client. But with another Linux client, I am getting an error

 pam_sss(login:account): Access denied for user harry: 4 (System error)

id harry, getent passwd harry, and getent group harry all return what seem to be appropriate values. I cannot see any difference in the /etc/sssd/sssd.conf, nsswitch.conf,

The user seems to get authenticated and then access gets denied.

Any suggestions would be appreciated. Either that or I reinstall the client.

@Don_Robertson

Hi

Might be helpful to know what versions and flavour of Linux you’re running on those 2 clients (working and not working)…

Verify that you’re using the same DNS on both clients - it should be your NethServer…

My 2 cents
Andy

We noticed that every time a user changes his password this happens to him. In fact he can still log into the Linux client using the old password but can’t mount samba shares as nethserver requires the new password.
So we suspect some kind of credential caching on the Linux client but could not track this down so far.
To resolve it (until next password change) just disconnect and reconnect the Linux client to AD.

Don’t know the answer but here are some troubleshooting tips:

The same user can log in from one Linux client but fails to log in from another client?
Noob question: does the client have a cache that can be cleared (sss_cache -u username or sssctl cache-expire -u username)?

Looks good, thanks. Will try next time the problem appears.

have tried
sss_cache -M
and leaving and rejoining the realm.

The only thing that makes sense to me from the debugging page is:

I’m receiving System Error (4) in the authentication logs

  • System Error is an “Unhandled Exception” during authentication. It can either be an SSSD bug or a fatal error during authentication. Either way, please bring up your issue on the sssd-users mailing list

Setting access_provider = permit in the sssd.conf lets me log in - I think the easiest thing to do will be to backup everything and then reinstall when I have a free moment.
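For anyone comparing a working and a failing client as in this thread, the following is an added example (not code from any poster) that diffs two sssd.conf files option by option and flags domains left on access_provider = permit, which lets every authenticated user through the account phase. The realm name and both sample configs are constructed; a missing access_provider is treated as permit, the default documented in sssd.conf(5).

```python
import configparser

# Constructed sample configs (not taken from the thread): a working client
# and one left with the access_provider = permit workaround.
WORKING = """\
[sssd]
domains = ad.example.org

[domain/ad.example.org]
id_provider = ad
access_provider = ad
"""

WORKAROUND = """\
[sssd]
domains = ad.example.org

[domain/ad.example.org]
id_provider = ad
access_provider = permit
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def permissive_domains(text):
    """Domains where any authenticated user passes the account phase.
    A missing access_provider counts as 'permit' (the sssd.conf(5) default)."""
    cp = load(text)
    return sorted(s for s in cp.sections() if s.startswith("domain/")
                  and cp.get(s, "access_provider", fallback="permit").strip().lower() == "permit")

def diff_configs(a_text, b_text):
    """(section, option, value_a, value_b) for every setting that differs."""
    a, b = load(a_text), load(b_text)
    out = []
    for sec in sorted(set(a.sections()) | set(b.sections())):
        opts_a = dict(a[sec]) if a.has_section(sec) else {}
        opts_b = dict(b[sec]) if b.has_section(sec) else {}
        for opt in sorted(set(opts_a) | set(opts_b)):
            if opts_a.get(opt) != opts_b.get(opt):
                out.append((sec, opt, opts_a.get(opt), opts_b.get(opt)))
    return out

if __name__ == "__main__":
    print(permissive_domains(WORKAROUND))
    print(diff_configs(WORKING, WORKAROUND))
```

To use it on real hosts, read each client's /etc/sssd/sssd.conf as root and pass the two texts to diff_configs.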

Hello, what Linux distro do you have? I have several clients accredited on AD nethserver, I only found difficulties with oracle and ubuntu 20. The rest works well, both from ssh and from GDM.