No login in eJabberd, IMAP and SSH

I’ve enabled the SSH login, but I cannot access the server via SSH.
I’ve also tried with an “old user”, and it doesn’t work either.

Please check if there are clues about the failed SSH logins in /var/log/secure and /var/log/messages

You could also look at /var/log/sssd/ contents. There are some log files that can help too…

Oct 28 16:48:20 server sshd[6365]: Failed password for enrico from 82.49.202.236 port 64485 ssh2

Oct 28 16:48:18 server sshd[6365]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host236-202-dynamic.49-82-r.retail.telecomitalia.it user=enrico

All the sssd logs are empty

Here we verified that auth fails for SSH and IMAP too

This sounds like saying: non-pam-based authentication services (like Samba) work…

Let’s see /etc/nsswitch.conf contents

And also /etc/pam.d/system-auth (if I’m not wrong about the file name…)

Those files are configured by realmd during the accounts provider setup.

Ok, this is my nsswitch.conf file

> [root@server ~]# cat /etc/nsswitch.conf
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> #       nisplus                 Use NIS+ (NIS version 3)
> #       nis                     Use NIS (NIS version 2), also called YP
> #       dns                     Use DNS (Domain Name Service)
> #       files                   Use the local files
> #       db                      Use the local database (.db) files
> #       compat                  Use NIS on compat mode
> #       hesiod                  Use Hesiod for user lookups
> #       [NOTFOUND=return]       Stop searching if not found so far
> #
> 
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
> 
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> #initgroups: files sss
> 
> #hosts:     db files nisplus nis dns
> hosts:      files dns myhostname
> 
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files     
> 
> bootparams: nisplus [NOTFOUND=return] files
> 
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> 
> netgroup:   nisplus sss
> 
> publickey:  nisplus
> 
> automount:  files nisplus sss
> aliases:    files nisplus

And this is my /etc/pam.d/system-auth

> [root@server ~]# cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        required      pam_faildelay.so delay=2000000
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     required      pam_permit.so
> 
> password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so

IIRC it should contain pam_sss somewhere… I cannot verify it now, maybe others can do it: please share it! /cc @support_team

What’s the story behind this server? How did you set it up? Did something fail? Did you uninstall some modules? Did you change the accounts provider?

Edit: here’s how it should be

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

Nothing particular about this server.
I installed it in August as firewall + file server + AD controller.
Some days ago my friend asked me for a chat service and I installed the ejabberd module, which didn’t work from the beginning: I uninstalled the module and some configuration files (in /etc/ejabberd/) and reinstalled it several times… After the tests I installed WebTop and Roundcube, nothing else.

How can I ask support?
I’ve seen the correct /etc/pam.d/system-auth: can I copy yours over mine? :confused:

I’m not sure it fixes all your config… At least we found the issue!

Please attach the output of

ls -lF /etc/pam.d

> [root@server ~]# ls -lF /etc/pam.d
> total 140
> -rw-r--r--  1 root root  192 Aug 16 20:46 chfn
> -rw-r--r--  1 root root  192 Aug 16 20:46 chsh
> -rw-r--r--. 1 root root  232 Apr 11  2018 config-util
> -rw-r--r--. 1 root root  293 Apr 11  2018 crond
> -rw-r--r--  1 root root  163 Mar 24  2017 dovecot
> -rw-r--r--  1 root root  469 Oct 24 09:50 dovecot-master
> lrwxrwxrwx. 1 root root   19 Aug 14 12:45 fingerprint-auth -> fingerprint-auth-ac
> -rw-r--r--. 1 root root  702 Aug 14 12:45 fingerprint-auth-ac
> -rw-r--r--. 1 root root   70 Apr 10  2018 ksu
> -rw-r--r--  1 root root  796 Aug 16 20:46 login
> -rw-r--r--. 1 root root  154 Apr 11  2018 other
> -rw-r--r--. 1 root root  188 Jun 10  2014 passwd
> lrwxrwxrwx. 1 root root   16 Aug 14 12:45 password-auth -> password-auth-ac
> -rw-r--r--. 1 root root 1033 Aug 14 12:45 password-auth-ac
> -rw-r--r--. 1 root root  155 Apr 11  2018 polkit-1
> -rw-r--r--  1 root root   71 Aug 23 17:03 postgresql
> lrwxrwxrwx. 1 root root   12 Aug 14 12:45 postlogin -> postlogin-ac
> -rw-r--r--. 1 root root  330 Aug 14 12:45 postlogin-ac
> -rw-r--r--. 1 root root  144 Jun 10  2014 ppp
> -rw-r--r--  1 root root  681 Aug 16 20:46 remote
> -rw-r--r--  1 root root   71 Jan 25  2018 rh-postgresql94-postgresql
> -rw-r--r--  1 root root  571 Oct 28 12:27 rspamd
> -rw-r--r--  1 root root  143 Aug 16 20:46 runuser
> -rw-r--r--  1 root root  138 Aug 16 20:46 runuser-l
> -rw-r--r--  1 root root  177 Aug 16 17:44 samba
> -rw-r--r--. 1 root root   36 Apr 10  2018 screen
> lrwxrwxrwx. 1 root root   17 Aug 14 12:45 smartcard-auth -> smartcard-auth-ac
> -rw-r--r--. 1 root root  752 Aug 14 12:45 smartcard-auth-ac
> lrwxrwxrwx. 1 root root   25 Aug 14 12:38 smtp -> /etc/alternatives/mta-pam
> -rw-r--r--. 1 root root   76 Jun 10  2014 smtp.postfix
> -rw-r--r--  1 root root   71 Sep 14  2017 squid
> -rw-r--r--. 1 root root  904 Apr 11  2018 sshd
> -rw-r--r--  1 root root  214 Sep 26 21:00 sssd-shadowutils
> -rw-r--r--  1 root root  540 Aug 16 20:46 su
> -rw-r--r--. 1 root root  202 Jun 27 20:03 sudo
> -rw-r--r--. 1 root root  187 Jun 27 20:03 sudo-i
> -rw-r--r--  1 root root  137 Aug 16 20:46 su-l
> lrwxrwxrwx. 1 root root   14 Aug 14 12:45 system-auth -> system-auth-ac
> -rw-r--r--. 1 root root 1031 Aug 14 12:45 system-auth-ac
> -rw-r--r--  1 root root  129 Sep 26 21:11 systemd-user
> -rw-r--r--. 1 root root   84 Aug  2  2017 vlock

Is there any risk in replacing the system-auth file? It’s a production server.

Damn it! It’s correct :slight_smile:

Replacing that file shouldn’t harm, but there are also other authconfig-generated files that should be fixed accordingly: those with the -ac suffix.

Before going further I’d check the past log files, to see if something went wrong in August.

If you decide to replace, make a copy and keep open a spare shell to avoid lockout.
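Before replacing anything, it helps to know exactly which of the authconfig-generated files are missing pam_sss, and in which PAM management groups. The shell function below is an added example and not code from this thread or from NethServer: it reports which groups (auth, account, password, session) in a PAM service file reference pam_sss.so, and flags the ones that do not. The two sample files are constructed inline (one with pam_sss only partly wired in, one complete); the /etc/pam.d/*-ac paths in the final comment are an assumption about the host layout.

```shell
# Added example (not from the thread): report which PAM management groups in a
# service file reference pam_sss.so, to check authconfig-generated files
# before and after reconfiguring.

pam_sss_groups() {
    # $1 = path to a PAM service file.
    # Prints, on one line and in stack order, the groups that call pam_sss.so.
    # Comments and blank lines are skipped; a leading '-' (optional module,
    # as in "-session optional pam_systemd.so") is stripped from the group.
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $0 ~ /pam_sss\.so/ {
            g = $1
            sub(/^-/, "", g)
            seen[g] = 1
        }
        END {
            split("auth account password session", order, " ")
            out = ""
            for (i = 1; i <= 4; i++)
                if (order[i] in seen)
                    out = (out == "") ? order[i] : out " " order[i]
            print out
        }
    ' "$1"
}

pam_sss_missing() {
    # $1 = path. Prints a one-line report; returns 1 if any of the four
    # groups lacks pam_sss.so, 0 if all of them reference it.
    have=$(pam_sss_groups "$1")
    missing=""
    for g in auth account password session; do
        case " $have " in
            *" $g "*) ;;
            *) missing="$missing${missing:+ }$g" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$1: pam_sss missing from: $missing"
        return 1
    fi
    echo "$1: pam_sss present in all groups"
    return 0
}

# Constructed sample files: one stack with pam_sss only in auth and session,
# and one in the realmd/authconfig style with pam_sss in every group.
TMPD=$(mktemp -d)
PARTIAL="$TMPD/partial-auth"
COMPLETE="$TMPD/complete-auth"
cat > "$PARTIAL" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_permit.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
-session    optional      pam_systemd.so
session     required      pam_unix.so
session     optional      pam_sss.so
EOF
cat > "$COMPLETE" <<'EOF'
#%PAM-1.0
auth        sufficient    pam_sss.so forward_pass
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_sss.so use_authtok
session     optional      pam_sss.so
EOF

# On a real host (assumed paths; authconfig writes the -ac files):
#   for f in /etc/pam.d/system-auth-ac /etc/pam.d/password-auth-ac; do
#       pam_sss_missing "$f"
#   done
```

Run it from the spare root shell the post above recommends, once before touching the files and once after authconfig has regenerated them, so the -ac files and the symlinks that point at them can be compared rather than trusting a single hand-edited copy.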

Oh, very good!
Which log do you want to check?

Well, let’s start with

/var/log/messages-*

Davide, here are the files:
https://www.icloud.com/iclouddrive/0yQj0oMYVaY2_GgK5neLWEY7A#messages-20181021
https://www.icloud.com/iclouddrive/0bJ0v_gPyfXZiAaQ9OcXMCUsw#messages-20181028
https://www.icloud.com/iclouddrive/0FfMv7ec0NeQGnNV4Br1nxRzg#messages-20181014
https://www.icloud.com/iclouddrive/0HRmk1RSXnIg3Dyi1rotbrp-g#messages-20181007
https://www.icloud.com/iclouddrive/0JUCJICbA7MIRuKuz-WApXTAA#messages

Thanks a lot.

Those are the archives of October… Do you still have the ones of August?

 /var/log/messages-201808*

Sorry Davide,
but (I don’t know why) I don’t have the August/September logs.

What do you advise in this case?

I’d try to reconfigure with authconfig. Please attach the output of

cat /etc/sysconfig/authconfig

And

authconfig --test

This is authconfig:

[root@server ~]# cat /etc/sysconfig/authconfig
CACHECREDENTIALS=yes
FAILLOCKARGS="deny=4 unlock_time=1200"
FORCELEGACY=no
FORCESMARTCARD=no
IPADOMAINJOINED=no
IPAV2NONTP=no
PASSWDALGORITHM=sha512
USEDB=no
USEECRYPTFS=no
USEFAILLOCK=no
USEFPRINTD=no
USEHESIOD=no
USEIPAV2=no
USEKERBEROS=no
USELDAP=no
USELDAPAUTH=no
USELOCAUTHORIZE=yes
USEMKHOMEDIR=no
USENIS=no
USEPAMACCESS=no
USEPASSWDQC=no
USEPWQUALITY=yes
USESHADOW=yes
USESMARTCARD=no
USESSSD=yes
USESSSDAUTH=no
USESYSNETAUTH=no
USEWINBIND=no
USEWINBINDAUTH=no
WINBINDKRB5=no

And this is authconfig --test:

[root@server ~]# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is disabled
LDAP+TLS is disabled
LDAP server = ""
LDAP base DN = ""
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = "DOMAIN"
SMB servers = "nsdc-server.ad.domain.ext"
SMB security = "ADS"
SMB realm = "AD.DOMAIN.EXT"
Winbind template shell = "/bin/false"
SMB idmap range = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
myhostname is enabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is sha512
pam_krb5 is disabled
krb5 realm = "AD.DOMAIN.EXT"
krb5 realm via dns is enabled
krb5 kdc = ""
krb5 kdc via dns is enabled
krb5 admin server = ""
pam_ldap is disabled
LDAP+TLS is disabled
LDAP server = ""
LDAP base DN = ""
LDAP schema = "rfc2307"
pam_pkcs11 is disabled
SSSD smartcard support is disabled
use only smartcard for login is disabled
smartcard module = ""
smartcard removal action = ""
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
SMB workgroup = "DOMAIN"
SMB servers = "nsdc-server.ad.domain.ext"
SMB security = "ADS"
SMB realm = "AD.DOMAIN.EXT"
pam_sss is disabled by default
credential caching in SSSD is enabled
SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
IPAv2 server = ""
IPAv2 realm = ""
IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_faillock is disabled (deny=4 unlock_time=1200)
pam_mkhomedir or pam_oddjob_mkhomedir is disabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled

Mine is different. Here are the differences:

--- authconfig.enrico	2018-10-29 18:23:30.071261853 +0100
+++ /etc/sysconfig/authconfig	2017-05-05 13:07:11.230456112 +0200
@@ -1,5 +1,4 @@
 CACHECREDENTIALS=yes
-FAILLOCKARGS=“deny=4 unlock_time=1200”
 FORCELEGACY=no
 FORCESMARTCARD=no
 IPADOMAINJOINED=no
@@ -7,7 +6,6 @@
 PASSWDALGORITHM=sha512
 USEDB=no
 USEECRYPTFS=no
-USEFAILLOCK=no
 USEFPRINTD=no
 USEHESIOD=no
 USEIPAV2=no
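Review bot: the removed USEFAILLOCK=no here, like FAILLOCKARGS in the previous hunk, only reflects that the reference file (dated 2017 in the +++ header) predates those keys; with USEFAILLOCK=no on the failing side and "pam_faillock is disabled" in the --test output above, neither line changes behaviour, so these two hunks can be set aside when looking for the cause.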
@@ -15,7 +13,7 @@
 USELDAP=no
 USELDAPAUTH=no
 USELOCAUTHORIZE=yes
-USEMKHOMEDIR=no
+USEMKHOMEDIR=yes
 USENIS=no
 USEPAMACCESS=no
 USEPASSWDQC=no
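Review bot: USEMKHOMEDIR=no on the failing side matches the "pam_mkhomedir or pam_oddjob_mkhomedir is disabled" line of its --test output and the absence of the pam_oddjob_mkhomedir.so session line that the reference system-auth above carries. This does not explain the password failure, but once pam_sss is back, domain users without an existing home directory would still hit problems at session setup, so it should be corrected in the same authconfig run (for example with --enablemkhomedir) rather than left for later.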
@@ -23,7 +21,7 @@
 USESHADOW=yes
 USESMARTCARD=no
 USESSSD=yes
-USESSSDAUTH=no
+USESSSDAUTH=yes
 USESYSNETAUTH=no
 USEWINBIND=no
 USEWINBINDAUTH=no
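Review bot: USESSSDAUTH=no is the one difference that explains the symptom. It maps directly to "pam_sss is disabled by default" in the --test output, and it is why the failing system-auth has no pam_sss.so line in any group while nsswitch.conf still lists "sss" (USESSSD=yes keeps name lookups working, which is consistent with Samba still authenticating). The fix should go through authconfig (--enablesssdauth together with --update) so that system-auth-ac, password-auth-ac and the other -ac files are regenerated consistently, instead of hand-editing one of them.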

You can create a backup of current authconfig settings with authconfig --savebackup. See man authconfig for details.

Please check if you have any other backup:

find /var/lib/authconfig

Once you have prepared the backup, we can try to apply a new configuration.

I’m ready. No other backup of authconfig was present.

[root@server ~]# authconfig --savebackup 29ottobre

[root@server ~]# ls /var/lib/authconfig/backup-29ottobre/
authconfig krb5.conf openldap.conf shadow
cacheenabled.conf libuser.conf passwd smartcard-auth-ac
fingerprint-auth-ac login.defs password-auth-ac smb.conf
group network postlogin-ac sssd.conf
gshadow nsswitch.conf pwquality.conf system-auth-ac


Now how should I proceed?