Linux-SSSD: always getting incorrect password when su'ing to domain users, but why?

Question

I've built a new Linux environment at my work place. I've configured sssd and bound it to one of the Active Directory domains of the company.

I can tell that the sssd is partially working, let me show you:

I've cleaned the sssd cache on the local machine, restarted sssd and queried for a domain user:

[root@pnd01 ~]# sss_cache -E
[root@pnd01 ~]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
[root@pnd01 ~]# id itai.ganot
uid=10238(itai.ganot) gid=10012(XXXX_ops) groups=10012(XXXX_ops)
[root@pnd01 ~]#

Here's the sssd.conf file:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = AD


[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
override_shell = /bin/bash


[pam]
reconnection_retries = 3

[domain/AD]
enumerate = true
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://10.X.X.12 ,ldap://10.X.X.11 
ldap_schema = rfc2307
ldap_default_bind_dn = CN=testuser,CN=Users,DC=eyedcny,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = Aa123456
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_force_upper_case_realm = true
ldap_tls_reqcert = never
ldap_account_expire_policy = ad
ldap_search_base = CN=RND Users,DC=eyedcny,DC=local
krb5_server = 10.X.X.12 ,10.X.X.11
krb5_realm = EYEDCNY.LOCAL
krb5_kpassword = default
ldap_referrals = false
case_sensitive = false
[root@pnd01 ~]# 

The problem is that whenever I try to su from one normal user account to another, I get an incorrect password, even though the password is the correct one for sure.

As you can see here, the user is not taken from /etc/passwd but from the sync with AD:

[root@pnd01 ~]# grep itai.ganot /etc/passwd
[root@pnd01 ~]# su - itai.ganot
[itai.ganot@pnd01 ~]$ su - itai.ganot
Password: 
su: incorrect password
[itai.ganot@pnd01 ~]$

Edit #1: Here are the relevant lines from /var/log/secure with the error i'm getting:

Apr 13 14:49:27 pnd02 su: pam_unix(su-l:auth): authentication failure; logname=root uid=10238 euid=0 tty=pts/0 ruser=itai.ganot rhost=  user=itai.ganot
Apr 13 14:49:27 pnd02 su: pam_sss(su-l:auth): authentication failure; logname=root uid=10238 euid=0 tty=pts/0 ruser=itai.ganot rhost= user=itai.ganot
Apr 13 14:49:27 pnd02 su: pam_sss(su-l:auth): received for user itai.ganot: 4 (System error)

Edit #2: Another thing which is worth mentioning:

[root@pnd01 ~]# authconfig --enablesssd --enablesssdauth --enablelocauthorize --update
authconfig: Invalid LDAP URI.
[root@pnd01 ~]#

I'm not sure why I get this error or where does it look for the LDAP URI, because if it's looking on the one configured in /etc/sssd/sssd.conf then the right URI is configured there.

Can you please try to find the reason for this behavior?

Answer 1

I've managed to solve the issue.

There are two things which made it work eventually:

1. Adding to file /etc/sssd/sssd.conf the following directive:

   ldap_user_name = msSFU30Name

2. Setting up a NTP server and making sure that the offset between the sssd clients and the authentication servers doesn't get above 3 seconds.

Answer 2

We really can't tell without logs. Follow https://fedorahosted.org/sssd/wiki/Troubleshooting to gather them.

btw it's much easier to use realmd to configure the hosts. See https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server for the recommended way.