
Oracle Linux: SSSD Fails To Authenticate to Active Directory (Doc ID 2679738.1)

Last updated on MARCH 13, 2023

Applies to:

Linux OS - Version Oracle Linux 6.10 and later
Information in this document applies to any platform.

Symptoms

SSH login using AD users fails with "Access Denied" or "Permission denied"

The krb5_child log reports the following errors:

[[sssd[krb5_child[81107]]]] [sss_child_krb5_trace_cb] (0x4000): [81107] 1591620896.531693: Retrieving user@DOMAIN-> restrictedkrbhost/user@DOMAIN from MEMORY:rd_req2 with result: 0/Success
[[sssd[krb5_child[81107]]]] [sss_child_krb5_trace_cb] (0x4000): [81107] 1591620896.531735: Retrieving restrictedkrbhost/user@DOMAIN from MEMORY:/etc/krb5.keytab (enctype aes256-cts) with result: 0/Success
[[sssd[krb5_child[81107]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
[[sssd[krb5_child[81107]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [user@DOMAIN] might not be correct.
[[sssd[krb5_child[81107]]]] [sss_child_krb5_trace_cb] (0x4000): [81107] 1591620896.531802: Destroying ccache MEMORY:rd_req2
[[sssd[krb5_child[81107]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_1003945_XXXXXX] 
[[sssd[krb5_child[81107]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal user@DOMAIN in cache collection]
[[sssd[krb5_child[81107]]]] [create_ccache] (0x0020): 733: [13][Permission denied] 
[[sssd[krb5_child[81107]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1]
[[sssd[krb5_child[81107]]]] [k5c_send_data] (0x0200): Received error code 1432158209
[[sssd[krb5_child[81107]]]] [pack_response_packet] (0x2000): response packet size: [20]
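
A triage filter for the krb5_child log shown above, as an added example that is not part of the Oracle note: it keeps only entries at SSSD debug level 0x0040 or more severe and extracts the bracketed `[code][text]` pair, so the failing function stands out from the 0x4000 trace lines. The function names `failures` and `first_critical` and the embedded sample (trimmed from the excerpt above) are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: six lines trimmed from the krb5_child excerpt above.
SAMPLE = """\
[[sssd[krb5_child[81107]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
[[sssd[krb5_child[81107]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [user@DOMAIN] might not be correct.
[[sssd[krb5_child[81107]]]] [sss_child_krb5_trace_cb] (0x4000): [81107] 1591620896.531802: Destroying ccache MEMORY:rd_req2
[[sssd[krb5_child[81107]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
[[sssd[krb5_child[81107]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1]
[[sssd[krb5_child[81107]]]] [k5c_send_data] (0x0200): Received error code 1432158209
"""

# Prefix format seen in the excerpt: [[sssd[krb5_child[PID]]]] [function] (0xLEVEL): message
LINE = re.compile(r"^\[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
                  r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$")
CODE = re.compile(r"\[(-?\d+)\]\[([^\]]*)\]")   # e.g. [13][Permission denied]

# sssd.conf(5) debug levels: 0x0010 fatal, 0x0020 critical, 0x0040 serious;
# larger values are progressively more verbose tracing.
CRITICAL, SERIOUS = 0x0020, 0x0040

def failures(text, threshold=SERIOUS):
    """Return {pid: [(function, level, code, detail), ...]} for failure-level lines."""
    out = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # not a krb5_child debug line
        level = int(m["level"], 16)
        if level > threshold:
            continue                      # trace or function-data noise
        c = CODE.search(m["msg"])
        # Lines without a [code][text] pair keep the whole message as detail.
        code, detail = (int(c[1]), c[2]) if c else (None, m["msg"])
        out[int(m["pid"])].append((m["func"], level, code, detail))
    return dict(out)

def first_critical(text):
    """Earliest critical-or-worse entry per child PID, or None if there is none."""
    return {pid: next((e for e in entries if e[1] <= CRITICAL), None)
            for pid, entries in failures(text).items()}

if __name__ == "__main__":
    for pid, entries in failures(SAMPLE).items():
        for func, level, code, detail in entries:
            print(f"pid={pid} {func} level={level:#06x} code={code} {detail}")
```
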

The messages log reports the following:

 ssd[pam]: Starting up
[sssd[krb5_child[78915]]]: Permission denied
[sssd[krb5_child[78915]]]: Unknown code UUz 1
[sssd[krb5_child[78999]]]: Permission denied
[sssd[krb5_child[78999]]]: Unknown code UUz 1
[sssd[krb5_child[79069]]]: Unknown code UUz 1
[sssd[krb5_child[79084]]]: Preauthentication failed
[sssd[krb5_child[79116]]]: Permission denied
[sssd[krb5_child[79116]]]: Unknown code UUz 1
sssd[pam]: Shutting down

The secure log reports the following:

sshd[79052]: pam_sss(sshd:auth): received for user user1: 4 (System error)
sshd[79052]: Failed password for user1 from X.X.X.X port 52515 ssh2
sshd[79052]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=domain user=user1
sshd[79052]: pam_sss(sshd:auth): received for user user1: 17 (Failure setting user credentials)
 

Changes

The server was recently migrated from winbind to sssd.

Cause
