We have several EC2 instances in an IPA domain with a trust relationship to our Active Directory domain. On older instances, SSH from a Windows machine doesn't require the domain suffix. On newer instances the username is invalid and only works with the domain added manually, or if the username was cached by logging into one of the older instances via SSH. The problem is that the sssd.conf and sshd_config files are identical on both instances, and so is the sssd version; both also use the same IPA master. There is no information in the sssd logs about the domain suffix either, even at log level 9. The secure log just includes the following:
sshd[20356]: Invalid user jgrosse from ip port 1593
sshd[20356]: input_userauth_request: invalid user jgrosse [preauth]
sshd[20356]: Postponed keyboard-interactive for invalid user jgrosse from ip port 1593 ssh2 [preauth]
sshd[20366]: pam_unix(sshd:auth): check pass; user unknown
sshd[20366]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host-ip
sshd[20356]: error: PAM: User not known to the underlying authentication module for illegal user jgrosse from host-ip
sshd[20356]: Failed keyboard-interactive/pam for invalid user jgrosse from ip port 1593 ssh2
sshd[20356]: Postponed keyboard-interactive for invalid user jgrosse from ip port 1593 ssh2 [preauth]
sshd[20356]: Connection closed by ip port 1593 [preauth]
And the sssd config file:
[domain/ipa-domain]
krb5_auth_timeout = 60
debug_level = 3
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa-domain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = host.ipa-domain
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipamaster1.ipa-domain
dyndns_iface = eth0
ldap_tls_cacert = /etc/ipa/ca.crt
realmd_tags = manages-system
default_shell = /bin/bash
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
[sssd]
default_domain_suffix = ad-domain
debug_level = 9
services = nss, sudo, pam, ssh
domains = ipa-domain
[nss]
filter_users = ec2-user,adm,postdrop,postfix,avahi,bin,daemon,dbus,haldaemon,halt,ldap,mail,named,news,nfsnobody,nobody,nscd,nslcd,ntp,operator,radiusd,root,rpc,rpcuser,saslauth,shutdown,smmsp,sshd,sync,tcpdump,vcsa
filter_groups = ec2-user,slocate,adm,audio,bin,cdrom,cgred,daemon,dbus,dialout,dip,disk,floppy,fuse,kmem,ldap,lock,lp,mail,man,mem,nfsnobody,nobody,nscd,ntp,root,rpc,rpcuser,saslauth,smmsp,sshd,sys,tape,tcpdump,tty,users,utempter,utmp,vcsa,video
homedir_substring = /home
[pam]
pam_id_timeout=60
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
I've run out of places to look for a difference in configuration.
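Added example (editor's code, not part of the original post or of sssd): the "Invalid user" lines above are written by sshd when its getpwnam() lookup for the bare login name returns nothing, so the failure is in name resolution, before any password is checked. This script does two things that are useful at that point: it parses two sssd.conf files into a normalised form and reports every key that differs (so "identical" is checked semantically rather than by eye), and it predicts which qualified name sssd will try to resolve for a login such as `jgrosse`, following the sssd.conf(5) descriptions of `default_domain_suffix` and `use_fully_qualified_names`. The first config is a trimmed copy of the one posted; the second is a constructed variant with `default_domain_suffix` removed, used only to exercise the diff. Trusted subdomains discovered at runtime (the AD domain here) are not modelled.

```python
"""
Added example: normalise and diff two sssd.conf files, and predict which
qualified name(s) sssd looks up for a given login name.

Semantics follow sssd.conf(5): default_domain_suffix is appended to any name
without a domain component; a domain with use_fully_qualified_names = True
rejects unqualified names. VARIANT_CONF is constructed for this example.
"""
import configparser

# Trimmed copy of the configuration from the post.
POSTED_CONF = """
[domain/ipa-domain]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa-domain
cache_credentials = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d

[sssd]
default_domain_suffix = ad-domain
services = nss, sudo, pam, ssh
domains = ipa-domain
"""

# Constructed variant: identical except that default_domain_suffix is absent.
VARIANT_CONF = POSTED_CONF.replace("default_domain_suffix = ad-domain\n", "")


def parse_sssd_conf(text):
    """Return {section: {key: value}} with lower-cased keys and stripped values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str.lower
    cp.read_string(text)
    return {s: {k: (v or "").strip() for k, v in cp.items(s)}
            for s in cp.sections()}


def _truthy(value):
    return value.strip().lower() in ("true", "1", "yes")


def diff_confs(a, b):
    """List (section, key, value_in_a, value_in_b) for every key that differs.

    Order, spacing and comments have already been discarded by the parser, so
    two files that only differ cosmetically produce an empty list.
    """
    out = []
    for section in sorted(set(a) | set(b)):
        keys = set(a.get(section, {})) | set(b.get(section, {}))
        for key in sorted(keys):
            va = a.get(section, {}).get(key)
            vb = b.get(section, {}).get(key)
            if va != vb:
                out.append((section, key, va, vb))
    return out


def candidate_lookups(login, conf):
    """Qualified names sssd would resolve for `login` under `conf`.

    - a name that already contains '@' is used as given;
    - otherwise default_domain_suffix, if set, is appended;
    - otherwise the bare name is tried in each domain listed in [sssd] domains,
      skipping domains with use_fully_qualified_names = True.
    An empty list means NSS returns no entry, which is exactly the condition
    under which sshd logs "Invalid user <name>".
    """
    if "@" in login:
        return [login]
    sssd = conf.get("sssd", {})
    suffix = sssd.get("default_domain_suffix")
    if suffix:
        return [f"{login}@{suffix}"]
    domains = [d.strip() for d in sssd.get("domains", "").split(",") if d.strip()]
    return [f"{login}@{d}" for d in domains
            if not _truthy(conf.get(f"domain/{d}", {})
                           .get("use_fully_qualified_names", "false"))]


if __name__ == "__main__":
    posted = parse_sssd_conf(POSTED_CONF)
    variant = parse_sssd_conf(VARIANT_CONF)
    print("differences:", diff_confs(posted, variant))
    for login in ("jgrosse", "jgrosse@ipa-domain"):
        print(login, "->", candidate_lookups(login, posted))
```

On a live host the runtime equivalents are `getent passwd jgrosse` and `getent passwd jgrosse@ipa-domain` run on both the old and the new instance, with `sss_cache -E` first so a previously cached entry does not mask a resolution difference.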