
We have an issue on some of our AWS machines, running Amazon's hacked Fedora/RHEL Linux, where newer-in-AD users can log in with a password but cannot authenticate for sudo. Users that were created in AD a while ago have no issues, and this does not seem to follow a pattern on servers (e.g. we created 3 servers at once from the same AMI: 2 work, one fails). The errors in the logs are of this format, starting with a successful login via password:

Jan 18 18:35:37 HOSTNAME sshd[24496]: pam_krb5[24496]: authentication succeeds for 'USERNAME' (USERNAME@AD.DOMAIN)
Jan 18 18:35:37 HOSTNAME sshd[24496]: Accepted password for USERNAME from local_ip port 45236 ssh2
Jan 18 18:35:37 HOSTNAME sshd[24496]: pam_unix(sshd:session): session opened for user USERNAME by (uid=0)
Jan 18 18:35:43 HOSTNAME sudo: pam_unix(sudo:auth): authentication failure; logname=USERNAME uid=10764 euid=0 tty=/dev/pts/2 ruser=USERNAME rhost= user=USERNAME
Jan 18 18:35:43 HOSTNAME sudo: pam_krb5[24526]: account checks fail for 'USERNAME@AD.DOMAIN': user disallowed by .k5login file for 'USERNAME
Jan 18 18:35:43 HOSTNAME sudo: pam_krb5[24526]: authentication fails for 'USERNAME' (USERNAME@AD.DOMAIN): Permission denied (Success)

I've double-checked that the user didn't have a .k5login file (there was none), and adding one containing only 'USERNAME@AD.DOMAIN' didn't change the behavior or the log messages. I've also verified, as best as I can, that these new users aren't somehow different in AD, but I'm far from an expert there, so there may be something else to check if I knew where to look.

thanks

amacks

1 Answer


In /etc/krb5.conf add these lines:

[appdefaults]
    pam = {
        [....]
        EXAMPLE.COM = {
            ignore_k5login = true
        }
    }

where EXAMPLE.COM is your AD realm.

Jakuje
smopi
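As an added example (not code from the answer, from pam_krb5 or from libkrb5), here is a small Python audit that parses the nested [appdefaults] blocks of krb5.conf, resolves ignore_k5login for a realm the way libkrb5 looks up application defaults (app/realm, app, realm, then bare option), and reports which hosts in a fleet still leave .k5login checks active, which is the kind of config drift that makes two servers from one AMI work and a third fail. The host names and krb5.conf fragments are constructed.

```python
"""Audit pam_krb5's ignore_k5login setting across krb5.conf files (constructed example)."""

def parse_krb5_conf(text):
    """Parse krb5.conf into nested dicts: section -> key -> value or sub-dict."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()                # drop comments and whitespace
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):    # new top-level section
            stack = [root.setdefault(line[1:-1], {})]
        elif line == '}':                                  # close a nested block
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':                               # open a nested block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root

def effective_ignore_k5login(conf, realm, app='pam'):
    """Resolve the option in libkrb5's appdefault lookup order: app/realm, app,
    realm, then the bare [appdefaults] option. None means unset, so pam_krb5
    still consults ~/.k5login (the 'account checks fail' seen in the question)."""
    defaults = conf.get('appdefaults', {})
    block = defaults.get(app, {})
    for scope in (block.get(realm, {}), block, defaults.get(realm, {}), defaults):
        value = scope.get('ignore_k5login')
        if isinstance(value, str):
            return value.lower() in ('true', 'yes', 'on', '1')
    return None

def hosts_still_checking_k5login(configs, realm):
    """Hosts whose krb5.conf leaves .k5login checks active: the drift to fix."""
    return sorted(h for h, t in configs.items()
                  if effective_ignore_k5login(parse_krb5_conf(t), realm) is not True)

# Constructed krb5.conf fragments for three hosts built from the same AMI.
GOOD = """[appdefaults]
    pam = {
        AD.DOMAIN = {
            ignore_k5login = true
        }
    }
"""
DRIFTED = """[appdefaults]
    pam = {
        # ignore_k5login never set here, so .k5login checks stay active
        debug = false
    }
"""
FLEET = {'web-1': GOOD, 'web-2': GOOD, 'web-3': DRIFTED}
```

Running `hosts_still_checking_k5login(FLEET, 'AD.DOMAIN')` on the constructed fleet returns `['web-3']`, the host to bring in line with the answer's configuration.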