I periodically re-install Fedora on my laptops. Now that I have a fairly stable FreeIPA setup, I’ve been joining my laptops to FreeIPA during installation:

This works great for the first user, i.e. the one that is specified in the installer. However, other users are not able to log in after installation.

To make reading easier, I’ve put firstuser and seconduser as my two users. I’ve also clipped out hostnames and timestamps from journalctl output.

If attempting to log in as one of these other users via ssh, the following messages are logged in the journal:

sshd[928089]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.0.50 user=seconduser
sshd[928089]: pam_sss(sshd:account): Access denied for user seconduser: 6 (Permission denied)
sshd[928089]: Failed password for seconduser from 172.31.0.50 port 42840 ssh2
sshd[928089]: fatal: Access denied for user seconduser by PAM account configuration [preauth]

Failed password for seconduser makes this seem like a password issue, but it’s not. An actual bad password looks like this:

krb5_child[979500]: Preauthentication failed
krb5_child[979500]: Preauthentication failed
sshd[979494]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.0.50 user=seconduser
sshd[979494]: pam_sss(sshd:auth): received for user seconduser: 7 (Authentication failure)
sshd[979494]: Failed password for seconduser from 172.31.0.50 port 39754 ssh2

The real error is actually coming from PAM, and we can see the difference between my scenario and a true wrong password. If we look at the first example, the real error is:

pam_sss(sshd:account): Access denied for user seconduser: 6 (Permission denied)

Compare this to the wrong-password scenario, where the error is:

pam_sss(sshd:auth): received for user seconduser: 7 (Authentication failure)

From this, we can see that a true wrong password fails in the auth modules of PAM (as is expected), but my error happens in the account modules.

So, one of the PAM account modules is denying my user.
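To make the auth-stage vs. account-stage distinction mechanical, here is a small Python script (an added example, not part of the original post) that parses pam_sss journal lines and reports, per sshd PID, whether the failure came from the auth modules (bad credentials) or from the account modules (valid credentials, access denied). The sample journal text is constructed to mirror the two scenarios above; the regexes and the verdict wording are my own assumptions, not anything from sssd or PAM.

```python
import re

# Constructed sample journal lines modelled on the two scenarios in the post
# (hostnames and timestamps clipped, as in the post). Not real captured output.
SAMPLE_JOURNAL = """\
sshd[928089]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.0.50 user=seconduser
sshd[928089]: pam_sss(sshd:account): Access denied for user seconduser: 6 (Permission denied)
sshd[928089]: Failed password for seconduser from 172.31.0.50 port 42840 ssh2
sshd[979494]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.0.50 user=seconduser
sshd[979494]: pam_sss(sshd:auth): received for user seconduser: 7 (Authentication failure)
sshd[979494]: Failed password for seconduser from 172.31.0.50 port 39754 ssh2
"""

# pam_sss logs as "pam_sss(<service>:<stage>): <message>"; the stage is the
# PAM management group (auth, account, session, password) that produced it.
PAM_SSS_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<stage>auth|account|session|password)\): (?P<msg>.*)"
)
# Matches both "user=seconduser" and "for user seconduser:" (assumed formats).
USER_RE = re.compile(r"\buser[= ](?P<user>[A-Za-z0-9._-]+)")
PID_RE = re.compile(r"\[(?P<pid>\d+)\]")


def parse_pam_sss(journal_text):
    """Extract one event per pam_sss line: pid, service, PAM stage, user, message."""
    events = []
    for line in journal_text.splitlines():
        m = PAM_SSS_RE.search(line)
        if not m:
            continue  # "Failed password ..." lines carry no stage information
        pid = PID_RE.search(line)
        user = USER_RE.search(m.group("msg"))
        events.append({
            "pid": pid.group("pid") if pid else None,
            "service": m.group("service"),
            "stage": m.group("stage"),
            "user": user.group("user") if user else None,
            "msg": m.group("msg"),
        })
    return events


def diagnose(journal_text):
    """Map each sshd PID to a verdict based on which PAM stage reported the failure."""
    verdicts = {}
    for ev in parse_pam_sss(journal_text):
        if ev["stage"] == "account" and ev["msg"].startswith("Access denied"):
            # Credentials were accepted by the auth stage; a policy check refused access.
            verdicts[ev["pid"]] = "account denied: credentials valid, check sssd access control"
        elif ev["stage"] == "auth" and ev["msg"].startswith("authentication failure"):
            verdicts[ev["pid"]] = "auth failure: wrong password or Kerberos preauth failed"
    return verdicts


if __name__ == "__main__":
    for pid, verdict in diagnose(SAMPLE_JOURNAL).items():
        print(f"sshd[{pid}]: {verdict}")
```

Feed it `journalctl -u sshd --no-pager` output and the "Failed password" noise drops away, leaving only the stage that actually rejected the login.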

Looking at /etc/pam.d/password-auth, which is a symlink to /etc/authselect/password-auth, we see:

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

I don’t really see anything here that would allow one user but deny another.

pam_sss.so is the module that interfaces with FreeIPA via sssd. It reads its configuration from /etc/sssd/sssd.conf, and there we find our culprit:

From sssd.conf:

[domain/mydomain.example.com]
simple_allow_users = $, firstuser

sssd-simple(5) provides very simple user and group allow/deny lists. In this case, if a user is not listed in simple_allow_users, then they are not allowed to log in.

What this means is that only firstuser is allowed to log in. Adding seconduser to the list will allow them to log in, and so forth.
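To check which users a given sssd.conf would let in before touching the live file, here is a Python helper (an added example, not code from sssd or from the original post) that reads the domain section with configparser and applies a simplified model of the sssd-simple user-list rules: a user on simple_deny_users is refused, an empty allow list admits everyone, and otherwise the user must appear in simple_allow_users. The sample config is constructed to match the fragment above; group lists (simple_allow_groups / simple_deny_groups) are deliberately left out of the model, which is an assumption of this example rather than a statement about sssd.

```python
import configparser

# Constructed sssd.conf fragment modelled on the post, not a real file.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = mydomain.example.com
services = nss, pam

[domain/mydomain.example.com]
access_provider = simple
simple_allow_users = $, firstuser
"""


def _csv(value):
    """Split a comma-separated sssd list value, dropping empty entries."""
    return [v.strip() for v in value.split(",") if v.strip()]


def load_access_lists(conf_text, domain):
    """Return the simple_allow_users / simple_deny_users lists for one domain section."""
    # interpolation=None so literal characters such as "$" are left untouched.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = cp[f"domain/{domain}"]
    return {
        "access_provider": section.get("access_provider", ""),
        "allow_users": _csv(section.get("simple_allow_users", "")),
        "deny_users": _csv(section.get("simple_deny_users", "")),
    }


def simple_access_allows(user, lists):
    """Simplified sssd-simple user-list decision (assumption: group lists ignored).

    Deny list wins; an empty allow list admits everyone; otherwise the user
    must be named in the allow list.
    """
    if user in lists["deny_users"]:
        return False
    if not lists["allow_users"]:
        return True
    return user in lists["allow_users"]


def report(conf_text, domain, users):
    """Map each candidate user to whether this config would let them log in."""
    lists = load_access_lists(conf_text, domain)
    return {u: simple_access_allows(u, lists) for u in users}


if __name__ == "__main__":
    for user, ok in report(SAMPLE_SSSD_CONF, "mydomain.example.com",
                           ["firstuser", "seconduser"]).items():
        print(f"{user}: {'allowed' if ok else 'DENIED'}")
```

Run it against /etc/sssd/sssd.conf (as root, since the file is mode 0600) with the list of accounts that should have access, and any user reported as DENIED is one that will fail in the PAM account stage exactly as seconduser did above.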

This seems like a bug. At the least it’s very unexpected behavior!