Forum / NoMachine for Windows / Pam_sss (nx:account): Access denied for user
February 15, 2017 at 09:53 #13783 basmati Participant
Hi, I’m having trouble logging in to an Ubuntu machine using a NoMachine client. I use the nx protocol. Otherwise, login via ssh to the Ubuntu machine works. I’m able to su to other users as well.
NX Server runs with user and group nx: uid=124(nx) gid=1001(nx) groups=1001(nx)
In the auth log I find the entries that correspond to my problem:
/var/log/auth.log:Feb 14 19:09:03 LS99971Y nxexec: pam_sss(nx:auth): authentication success; logname=USER uid=201162 euid=0 tty= ruser= rhost= user=user
/var/log/auth.log:Feb 14 19:09:03 LS99971Y nxexec: pam_sss(nx:account): Access denied for user USER: 6 (Permission denied)
/etc/pam.d/nx has the following entries:
auth include su
account include su
password include su
session include su
/etc/pam.d/su looks like:
cat su|grep -vE "#|^$"
auth sufficient pam_rootok.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
session optional pam_mail.so nopen
session required pam_limits.so
@include common-auth
@include common-account
@include common-session
content of common-auth:
cat common-auth|grep -vE "#|^$"
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
cat common-account|grep -vE "#|^$"
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
content of common-session:
cat common-session|grep -vE "#|^$"
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0027
session optional pam_sss.so
session optional pam_systemd.so
The system is using sssd to authenticate against an Active Directory.
Any idea what goes wrong? Authentication seems to work, but the actual login is failing.
February 20, 2017 at 08:25 #13809 Cato Participant
Hello basmati,
As you noted, authentication succeeds, and login fails at account validation. If you are authenticating against Active Directory, it’s worth checking the security settings on the Domain Controller. Perhaps the user or one of the groups to which the user belongs is denied logon to the host.
You can also try to replace the content of /etc/pam.d/nx with the content of /etc/pam.d/sshd. It appears to me that the sshd PAM configuration might not include pam_sss in the account stack. If this is the case, be aware that some account management functionalities, like password reset, won’t be present any more.
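The account-phase failure discussed in this thread, as an added example that is not part of the original posts and is not NoMachine or Linux-PAM code: a simplified Python model of how PAM walks the posted common-account stack. The module results in RESULTS are assumptions, except pam_sss.so, whose result (6, Permission denied) comes from the auth.log lines in the question.

```python
import re

# Shorthand controls expanded to their bracket form, as documented in pam.conf(5).
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The account stack exactly as posted from /etc/pam.d/common-account.
COMMON_ACCOUNT = """\
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
"""

# Assumed module results for the AD user. Only pam_sss.so (6, Permission denied) is in
# the posted log; pam_unix.so=success is inferred from pam_sss.so having been reached,
# which requires that pam_deny.so was jumped over. The rest are constructed values.
RESULTS = {"pam_unix.so": "success", "pam_deny.so": "acct_expired", "pam_permit.so": "success",
           "pam_localuser.so": "perm_denied", "pam_sss.so": "perm_denied"}

def parse(text):
    stack = []
    for line in text.splitlines():
        ctl, module = re.match(r"\w+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        acts = dict(kv.split("=") for kv in ctl[1:-1].split()) if ctl[0] == "[" else SHORTHAND[ctl]
        stack.append((module, acts))
    return stack

def evaluate(stack, results):
    """Return (granted, deciding_module) under a simplified ok/bad/die/done/ignore/jump model."""
    status, decided_by, i = None, None, 0
    while i < len(stack):
        module, acts = stack[i]
        action = acts.get(results[module], acts["default"])
        i += 1
        if action.isdigit():                      # jump: skip the next N modules, count as ok
            i, action = i + int(action), "ok"
        if action in ("ok", "done") and status is None:
            status = "success"
        elif action in ("bad", "die") and status in (None, "success"):
            status, decided_by = results[module], module   # first failure decides the stack
        if action == "die" or (action == "done" and status == "success"):
            break
    return status == "success", decided_by
```

With the posted stack the model denies the login at pam_sss.so, because its perm_denied result falls through to default=bad. With that last line dropped the stack grants access, which also means SSSD's account decision is no longer consulted for that service.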
This topic was marked as solved, you can't post.