I periodically re-install Fedora on my laptops. Now that I have a fairly stable FreeIPA setup, I’ve been joining my laptops to FreeIPA during installation:
This works great for the first user, i.e. the one that is specified in the installer. However, other users are not able to log in after installation.
To make reading easier, I’ve put firstuser and seconduser as my two users. I’ve also clipped out hostnames and timestamps from the journal output.
If attempting to log in as one of these other users via SSH, the following messages are logged in the journal:
sshd: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.0.50 user=seconduser
sshd: pam_sss(sshd:account): Access denied for user seconduser: 6 (Permission denied)
sshd: Failed password for seconduser from 172.31.0.50 port 42840 ssh2
sshd: fatal: Access denied for user seconduser by PAM account configuration [preauth]
The line "Failed password for seconduser" makes this seem like a password issue, but it’s not. An actual bad password looks like this:
krb5_child: Preauthentication failed
krb5_child: Preauthentication failed
sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.0.50 user=seconduser
sshd: pam_sss(sshd:auth): received for user seconduser: 7 (Authentication failure)
sshd: Failed password for seconduser from 172.31.0.50 port 39754 ssh2
The real error is actually coming from PAM, and the difference between my scenario and a genuinely wrong password is visible there. In the first example, the real error is:
pam_sss(sshd:account): Access denied for user seconduser: 6 (Permission denied)
Compare this to the wrong-password scenario, where the error is:
pam_sss(sshd:auth): received for user seconduser: 7 (Authentication failure)
From this, we can see that a true wrong password fails in the auth modules of PAM (as is expected), but my error happens in the account modules. So, one of the PAM account modules is denying my user.
Looking at /etc/pam.d/password-auth, which is a symlink to /etc/authselect/password-auth, we see:
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
I don’t really see anything here that would allow one user but deny another.
pam_sss.so is the module that interfaces with FreeIPA via SSSD. It sources its configuration from /etc/sssd/sssd.conf, and there we find our culprit:
[domain/mydomain.example.com]
simple_allow_users = $, firstuser
The simple access provider, sssd-simple(5), provides very simple user and group allow/deny lists. In this case, if a user is not listed in simple_allow_users, then they are not allowed to log in.
What this means is that only firstuser is allowed to log in. Adding seconduser to the list will allow them to log in, and so forth.
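As an added example (not code from the original post), the following Python script tells the two failure modes apart from journal lines like those above and emulates the simple_allow_users check. The log and sssd.conf samples are constructed copies of what the post shows, and the script assumes the simple access provider is what is enforcing the list.

```python
import configparser
import re

# Constructed sample journal lines, modelled on the post (hostnames/timestamps stripped).
DENIED_LOG = """\
sshd: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.0.50 user=seconduser
sshd: pam_sss(sshd:account): Access denied for user seconduser: 6 (Permission denied)
sshd: Failed password for seconduser from 172.31.0.50 port 42840 ssh2
"""
BAD_PASSWORD_LOG = """\
krb5_child: Preauthentication failed
sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.0.50 user=seconduser
sshd: pam_sss(sshd:auth): received for user seconduser: 7 (Authentication failure)
sshd: Failed password for seconduser from 172.31.0.50 port 39754 ssh2
"""
# Constructed sssd.conf fragment mirroring the one the installer wrote.
SSSD_CONF = """\
[domain/mydomain.example.com]
simple_allow_users = $, firstuser
"""

PAM_SSS = re.compile(r"pam_sss\(sshd:(?P<stack>auth|account)\): (?P<msg>.*)")
USER = re.compile(r"\buser[= ]([\w.-]+)")  # 'user=name' or 'for user name'


def classify(journal):
    """Per user: 'access-denied' if the PAM account stack rejected them (an
    access-control decision), 'bad-password' if the auth stack failed."""
    verdicts = {}
    for line in journal.splitlines():
        m = PAM_SSS.search(line)
        u = USER.search(m.group("msg")) if m else None
        if not u:
            continue  # 'Failed password' and krb5_child lines are not decisive
        stack, msg, user = m.group("stack"), m.group("msg"), u.group(1)
        if stack == "account" and "Access denied" in msg:
            verdicts[user] = "access-denied"
        elif stack == "auth" and "authentication failure" in msg.lower():
            verdicts[user] = "bad-password"
    return verdicts


def simple_allowed(conf_text, domain, user):
    """Emulate the sssd-simple(5) allow list: when simple_allow_users is set,
    only listed names pass; the installer's '$' entry matches no real account."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    raw = cp.get(f"domain/{domain}", "simple_allow_users", fallback="")
    allowed = {n.strip() for n in raw.split(",") if n.strip()}
    return user in allowed if allowed else True  # no list: no restriction
```

Running classify over a real journal (journalctl -u sshd) flags "access-denied" users, for whom the fix is the allow list rather than their password.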
This seems like a bug. At the least, it’s very unexpected behavior!