• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

The Geek Diary

CONCEPTS | BASICS | HOWTO

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • Linux Services
    • VCS
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
    • Data Guard
  • DevOps
    • Docker
    • Shell Scripting
  • Interview Questions
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

Active Directory Users Unable to Login via SSH using SSSD and Getting “Permission Denied, Please Try Again” [CentOS/RHEL]

By admin

Active Directory Users Unable to Login via SSH using SSSD and Getting “Permission Denied, Please Try Again” [CentOS/RHEL]

The Problem

1. Integration of a Linux node with Active Directory for authentication fails with error ‘Permission denied, please try again’ while connecting using ssh:

# ssh [hostname] -l [username]@[DOMAINNAME].com
The authenticity of host '[hostname] ([IP ADDRESS])' can't be established.
RSA key fingerprint is 4f:3b:ba:b2:b7:6e:d0:b7:dd:a6:4b:32:ac:e3:58:63.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[hostname],[IP ADDRESS]' (RSA) to the list of known hosts.
[username]@.com@[hostname]'s password:
Permission denied, please try again.
[username]@.com@[hostname]'s password:

2. Verified the username and password are correct:

$ su - [username]
# su - [username]@[DOMAINNAME].com

3. The authentication failures can be observed in the /var/log/secure history:

Apr 3 23:20:24 [hostname] sshd[323944]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ittwhxh1n62.na.admworld.com user=[username]
Apr 3 23:20:24 [hostname] sshd[323944]: pam_tally2(sshd:auth): user [username] (1494516080) tally 11, deny 5 <<<<<<<<<<<<<
Apr 3 23:20:26 [hostname] sshd[323944]: Failed password for [username] from [IP ADDRESS] port 51803 ssh2
Apr 3 23:20:34 [hostname] sshd[323944]: pam_tally2(sshd:auth): user [username] (1494516080) tally 12, deny 5 <<<<<<<<<<<<<
Apr 3 23:20:37 [hostname] sshd[323944]: Failed password for [username] from [IP ADDRESS] port 51803 ssh2
Apr 3 23:20:40 [hostname] sshd[323944]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ittwhxh1n62.na.admworld.com user=[username]
Apr 3 23:24:37 [hostname] sshd[338364]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ittwhxh1n62.na.admworld.com user=[username]
Apr 3 23:24:37 [hostname] sshd[338364]: pam_tally2(sshd:auth): user [username] (1494516080) tally 13, deny 5 <<<<<<<<<<<<<
Apr 3 23:24:39 [hostname] sshd[338364]: Failed password for [username] from [IP ADDRESS] port 51893 ssh2

Root Cause

Issue with one or more configuration files: system-auth-ac and password-auth-ac, sssd module were commented in configuration file below:

$ grep sss /etc/pam.d/system-auth-ac 
# auth sufficient pam_sss.so use_first_pass
# account [default=bad success=ok user_unknown=ignore] pam_sss.so
# password sufficient pam_sss.so use_authtok
# session optional pam_sss.so
$  grep sss /etc/pam.d/password-auth-ac 
# auth sufficient pam_sss.so use_first_pass
# account [default=bad success=ok user_unknown=ignore] pam_sss.so
# password sufficient pam_sss.so use_authtok
# session optional pam_sss.so

The pam_tally2 module conflicts with sssd modules:

$ cat etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
##auth required pam_tally2.so deny=5 onerr=fail serialize >>>>
#auth required pam_tally2.so deny=5 onerr=fail lock_time=600 serialize
# EXADATA ACCESS CONTROL via /etc/exadata/security/exadata-access.conf
account required pam_nologin.so
account include password-auth
account required pam_tally2.so
password include password-auth
pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session required pam_limits.so
# cat /etc/pam.d/login
auth required pam_tally2.so deny=5 onerr=fail serialize
# cat/etc/pam.d/login
account required pam_tally2.so

The Solution

Note: Take care to remove any backup files under /pam.d/ directory.

1. Comment pam_tally2 lines in all the authenticate files under the /etc/pam.d/* directory.

2. Comment out the line mentioned in cause sections, [Enable sssd modules] as below.

$ grep sss /etc/pam.d/system-auth-ac 
auth sufficient pam_sss.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
session optional pam_sss.so 
$ grep sss /etc/pam.d/password-auth-ac
auth sufficient pam_sss.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
session optional pam_sss.so

Filed Under: CentOS/RHEL 5, CentOS/RHEL 6, CentOS/RHEL 7, Linux

Some more articles you might also be interested in …

  1. How to Set a Custom Interface Name with NetworkManager in CentOS/RHEL 7
  2. Audit Log And Messages File Not Rotating on CentOS/RHEL
  3. Beginners Guide to DHCP – Install and configure DHCP server and client
  4. Kernel Logs Warning Messages “kernel: Possible SYN flooding on port X. Sending cookies” is logged”
  5. How to extend ASM disk from OS level in CentOS/RHEL
  6. CentOS / RHEL 7 : How to set udev rules for ASM on multipath disks
  7. How to use strace and ltrace commands in Linux
  8. How to Recover from a Corrupted or empty /etc/mtab file in CentOS/RHEL 7
  9. How to Enable/Disable CPUs (Limiting CPU count) in CentOS / RHEL
  10. How to enable/disable SELinux Modes in RHEL/CentOS

You May Also Like

Primary Sidebar

Recent Posts

  • What are different Oracle Database Vault Roles
  • Unable to export realm protected table using data pump
  • Beginners Guide to Oracle Database Vault
  • How to Disable IPv6 on Ubuntu 18.04 Bionic Beaver Linux
  • Archives
  • Contact Us
  • Copyright

© 2021 · The Geek Diary