Pam_sss (nx:account): Access denied for user

[basmati]

Hi, I’m having trouble to login to an Ubuntu machine using a NoMachine client. I use the nx protocol. Otherwise login via ssh to the Ubuntu machine works. I’m able to su to other users as well.

NX Server runs with user and group nx: uid=124(nx) gid=1001(nx) groups=1001(nx)

In the auth log I find the entries that correspond to my problem:

/var/log/auth.log:Feb 14 19:09:03 LS99971Y nxexec: pam_sss(nx:auth): authentication success; logname=USER uid=201162 euid=0 tty= ruser= rhost= user=user

/var/log/auth.log:Feb 14 19:09:03 LS99971Y nxexec: pam_sss(nx:account): Access denied for user USER: 6 (Permission denied)

/etc/pam.d/nx has the following entries:

auth       include       su

account    include       su

password   include       su

session    include       su

/etc/pam.d/su looks like:

cat su|grep -vE “#|^$”

auth       sufficient pam_rootok.so

session       required   pam_env.so readenv=1

session       required   pam_env.so readenv=1 envfile=/etc/default/locale

session    optional   pam_mail.so nopen

session    required   pam_limits.so

@include common-auth

@include common-account

@include common-session

content of common-auth:

cat common-auth|grep -vE “#|^$”

auth    [success=2 default=ignore]      pam_unix.so nullok_secure

auth    [success=1 default=ignore]      pam_sss.so use_first_pass

auth    requisite                       pam_deny.so

auth    required                        pam_permit.so

cat common-account|grep -vE “#|^$”

account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so

account requisite                       pam_deny.so

account required                        pam_permit.so

account sufficient                      pam_localuser.so

account [default=bad success=ok user_unknown=ignore]    pam_sss.so

content of common-session:

cat common-session|grep -vE “#|^$”

session [default=1]                     pam_permit.so

session requisite                       pam_deny.so

session required                        pam_permit.so

session optional                        pam_umask.so

session required        pam_unix.so

session required        pam_mkhomedir.so skel=/etc/skel/ umask=0027

session optional                        pam_sss.so

session optional        pam_systemd.so

The system is using sssd to authenticate against an Active Directory.

Any idea what goes wrong ? Authentication seems to work, but the actual login is failing.

 

[Cato]

Hello basmati,

As you noted, authentication succeeds, login fails at account validation. If you are authenticating against Active Directory it’s worth checking security settings on Domain Controller. Perhaps user or one of groups to which user belongs is denied logon to host.

You can also try to replace content of /etc/pam.d/nx with content of /etc/pam.d/sshd. It appears to me that sshd PAM configuration might not include pam_sss in account stack. If this is the case, be aware that some account management functionalities, like password reset, won’t be present any more.

[Author]

Posts