The Problem
The CentOS/RHEL 7.3 system was successfully configured to join an Active Directory domain. A user on the OL system cannot log in, and the following entries are found in the /var/log/messages system log:
2017-06-28T11:28:41.404719-04:00 adclient sshd[10352]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X user=test1
2017-06-28T11:28:41.573420-04:00 adclient sshd[10352]: pam_krb5[10352]: account checks fail for 'test1@EXAMPLE.COM': user disallowed by .k5login file for 'test1'
The solution
The first line in the /var/log/messages output above shows that the Linux client authenticated the test1 user's credentials against the AD server. The second line reports that account usage was then blocked locally by the account check of the pam_krb5 PAM (Pluggable Authentication Modules) module. That check is controlled by the per-user ${HOME}/.k5login file.
Remedy
The preferred solution is to add the required Kerberos principals to the per-user ${HOME}/.k5login file. Consult the k5login(5) man page for additional information about the format of this file and how to add entries to it.
Workaround
If you would prefer not to use the access control list (ACL) feature, these steps will disable the feature system-wide:
1. Be sure to make a backup of /etc/krb5.conf before making any changes.
2. Add the following lines to the file /etc/krb5.conf:
# vi /etc/krb5.conf

[appdefaults]
 pam = {
   debug = false
   TEST.ORACLE.COM = {
     ignore_k5login = true
   }
 }
3. Save the file.
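Before disabling the check system-wide, it helps to reproduce the decision pam_krb5 is making for a given user and principal. The following script is an added example (not part of the original article or of pam_krb5): it mirrors the .k5login checks of MIT krb5_kuserok(), assumes GNU coreutils (stat -c), and builds its own constructed .k5login for the test1 scenario.

```shell
#!/bin/sh
# Added example, not from the original article: reproduce the checks that
# MIT krb5_kuserok() (called by pam_krb5) applies to ~user/.k5login, so an
# administrator can see why test1@EXAMPLE.COM is "disallowed by .k5login
# file" before resorting to ignore_k5login. Assumes GNU coreutils (stat -c);
# the .k5login content in demo() is constructed.

# k5login_allows FILE PRINCIPAL -> 0 listed, 1 not listed, 2 FILE missing
# (with no .k5login, only user@DEFAULT_REALM is accepted).
k5login_allows() {
    [ -f "$1" ] || return 2
    grep -Fxq -- "$2" "$1"     # -F literal, -x whole line: one principal per line
}

# k5login_perms_ok FILE OWNER -> 0 if owned by OWNER or root and not
# group/world writable; otherwise 1 (kuserok rejects such a file outright).
k5login_perms_ok() {
    info=$(stat -c '%U %A' "$1" 2>/dev/null) || return 1
    owner=${info%% *}; mode=${info#* }
    [ "$owner" = "$2" ] || [ "$owner" = root ] || return 1
    case $mode in
        ?????w*|????????w*) return 1 ;;   # group (6th) or other (9th) write bit
    esac
}

# explain FILE OWNER PRINCIPAL -> prints the verdict and the reason
explain() {
    rc=0; k5login_allows "$1" "$3" || rc=$?
    case $rc in
        2) echo "deny: $1 missing; only $2@DEFAULT_REALM may log in" ;;
        1) echo "deny: $3 is not listed in $1" ;;
        0) if k5login_perms_ok "$1" "$2"; then
               echo "allow: $3 is listed in $1"
           else
               echo "deny: $3 is listed, but $1 has an unsafe owner or mode"
           fi ;;
    esac
}

# demo: constructed .k5login for the test1 scenario in the log above
demo() {
    f=$(mktemp) || exit 1
    printf 'test1@EXAMPLE.COM\n' > "$f"
    explain "$f" "$(id -un)" test1@EXAMPLE.COM
    explain "$f" "$(id -un)" admin@EXAMPLE.COM
    chmod 666 "$f"; explain "$f" "$(id -un)" test1@EXAMPLE.COM
    rm -f "$f"
}
demo
```

Run it against a real user's file as `explain /home/test1/.k5login test1 test1@EXAMPLE.COM` to see which of the three conditions (missing file, principal absent, unsafe ownership or mode) is producing the rejection.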