Pam_sss (nx:account): Access denied for user


    Hi, I’m having trouble logging in to an Ubuntu machine using a NoMachine client. I use the nx protocol. Otherwise, login via ssh to the Ubuntu machine works. I’m able to su to other users as well.

    NX Server runs with user and group nx: uid=124(nx) gid=1001(nx) groups=1001(nx)

    In the auth log I find the entries that correspond to my problem:

    /var/log/auth.log:Feb 14 19:09:03 LS99971Y nxexec: pam_sss(nx:auth): authentication success; logname=USER uid=201162 euid=0 tty= ruser= rhost= user=user

    /var/log/auth.log:Feb 14 19:09:03 LS99971Y nxexec: pam_sss(nx:account): Access denied for user USER: 6 (Permission denied)

    /etc/pam.d/nx has the following entries:

    auth       include       su

    account    include       su

    password   include       su

    session    include       su

    /etc/pam.d/su looks like:

    cat su|grep -vE "#|^$"

    auth       sufficient

    session       required readenv=1

    session       required readenv=1 envfile=/etc/default/locale

    session    optional nopen

    session    required

    @include common-auth

    @include common-account

    @include common-session

    content of common-auth:

    cat common-auth|grep -vE "#|^$"

    auth    [success=2 default=ignore] nullok_secure

    auth    [success=1 default=ignore] use_first_pass

    auth    requisite             

    auth    required              

    cat common-account|grep -vE "#|^$"

    account [success=1 new_authtok_reqd=done default=ignore]

    account requisite             

    account required              

    account sufficient            

    account [default=bad success=ok user_unknown=ignore]

    content of common-session:

    cat common-session|grep -vE "#|^$"

    session [default=1]           

    session requisite             

    session required              

    session optional              

    session required

    session required skel=/etc/skel/ umask=0027

    session optional              

    session optional

    The system is using sssd to authenticate against an Active Directory.

    Any idea what goes wrong? Authentication seems to work, but the actual login is failing.



    Hello basmati,

    As you noted, authentication succeeds; login fails at account validation. If you are authenticating against Active Directory, it’s worth checking the security settings on the Domain Controller. Perhaps the user, or one of the groups to which the user belongs, is denied logon to the host.

    You can also try to replace the content of /etc/pam.d/nx with the content of /etc/pam.d/sshd. It appears to me that the sshd PAM configuration might not include pam_sss in the account stack. If this is the case, be aware that some account management functionality, like password reset, won’t be present any more.
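
The pattern discussed in this thread (pam_sss reports success in the auth stage, then denies in the account stage) can be picked out of auth.log mechanically, which separates credential problems from authorization problems per PAM service. This is an added example, not part of the original thread or NoMachine's code; the sample log is constructed from the two entries quoted in the question, and the function name and verdict strings are assumptions.

```python
import re

# Constructed sample: the first two lines mirror the entries quoted in the
# question; the sshd line and the failing nx line are invented for contrast.
SAMPLE_LOG = """\
Feb 14 19:09:03 LS99971Y nxexec: pam_sss(nx:auth): authentication success; logname=USER uid=201162 euid=0 tty= ruser= rhost= user=user
Feb 14 19:09:03 LS99971Y nxexec: pam_sss(nx:account): Access denied for user USER: 6 (Permission denied)
Feb 14 19:10:41 LS99971Y sshd[2211]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=user
Feb 14 19:12:07 LS99971Y nxexec: pam_sss(nx:auth): authentication failure; logname=OTHER uid=201163 euid=0 tty= ruser= rhost= user=other
"""

# pam_sss(<service>:<stage>): <message>
PAM_LINE = re.compile(r"pam_sss\((?P<service>[^:)]+):(?P<stage>auth|account)\): (?P<msg>.*)$")
# \b keeps "ruser=" from matching; only the trailing user= field is taken.
AUTH_USER = re.compile(r"\buser=(\S+)")
DENIED = re.compile(r"Access denied for user (?P<user>\S+): (?P<code>\d+) \(")


def classify(log_text):
    """Return {(service, user): verdict} for pam_sss auth/account entries.

    Verdicts (hypothetical labels): 'auth_failed', 'auth_ok',
    'account_denied:<pam code>' (auth succeeded first) or
    'account_denied_no_auth:<pam code>'.
    """
    state = {}
    for line in log_text.splitlines():
        m = PAM_LINE.search(line)
        if not m:
            continue
        service, stage, msg = m["service"], m["stage"], m["msg"]
        if stage == "auth":
            u = AUTH_USER.search(msg)
            if u:
                ok = msg.startswith("authentication success")
                # User names are lower-cased: the two stages may log them
                # in different case, as in the entries quoted above.
                state[(service, u[1].lower())] = "auth_ok" if ok else "auth_failed"
        else:
            d = DENIED.match(msg)
            if d:
                key = (service, d["user"].lower())
                prefix = "account_denied" if state.get(key) == "auth_ok" else "account_denied_no_auth"
                state[key] = f"{prefix}:{d['code']}"
    return state


if __name__ == "__main__":
    for (service, user), verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{service:6} {user:8} {verdict}")
```

A verdict of `account_denied` for one service alongside `auth_ok` for another, for the same user, points at the account stack or access policy for that service rather than at the password.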


This topic was marked as solved, you can't post.