Pam_sss (nx:account): Access denied for user

  • #13783
    basmati
    Participant

    Hi, I’m having trouble logging in to an Ubuntu machine using a NoMachine client. I use the NX protocol. Otherwise, login via ssh to the Ubuntu machine works. I’m able to su to other users as well.

    NX Server runs with user and group nx: uid=124(nx) gid=1001(nx) groups=1001(nx)

    In the auth log I find the entries that correspond to my problem:

    /var/log/auth.log:Feb 14 19:09:03 LS99971Y nxexec: pam_sss(nx:auth): authentication success; logname=USER uid=201162 euid=0 tty= ruser= rhost= user=user

    /var/log/auth.log:Feb 14 19:09:03 LS99971Y nxexec: pam_sss(nx:account): Access denied for user USER: 6 (Permission denied)

    /etc/pam.d/nx has the following entries:

    auth       include       su

    account    include       su

    password   include       su

    session    include       su

    /etc/pam.d/su looks like:

    cat su|grep -vE "#|^$"

    auth       sufficient pam_rootok.so

    session       required   pam_env.so readenv=1

    session       required   pam_env.so readenv=1 envfile=/etc/default/locale

    session    optional   pam_mail.so nopen

    session    required   pam_limits.so

    @include common-auth

    @include common-account

    @include common-session

    content of common-auth:

    cat common-auth|grep -vE "#|^$"

    auth    [success=2 default=ignore]      pam_unix.so nullok_secure

    auth    [success=1 default=ignore]      pam_sss.so use_first_pass

    auth    requisite                       pam_deny.so

    auth    required                        pam_permit.so

    cat common-account|grep -vE "#|^$"

    account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so

    account requisite                       pam_deny.so

    account required                        pam_permit.so

    account sufficient                      pam_localuser.so

    account [default=bad success=ok user_unknown=ignore]    pam_sss.so

    content of common-session:

    cat common-session|grep -vE "#|^$"

    session [default=1]                     pam_permit.so

    session requisite                       pam_deny.so

    session required                        pam_permit.so

    session optional                        pam_umask.so

    session required        pam_unix.so

    session required        pam_mkhomedir.so skel=/etc/skel/ umask=0027

    session optional                        pam_sss.so

    session optional        pam_systemd.so

    The system is using sssd to authenticate against an Active Directory.

    Any idea what goes wrong? Authentication seems to work, but the actual login is failing.

     

    #13809
    Cato
    Participant

    Hello basmati,

    As you noted, authentication succeeds, but login fails at account validation. If you are authenticating against Active Directory, it’s worth checking the security settings on the Domain Controller. Perhaps the user, or one of the groups to which the user belongs, is denied logon to the host.

    You can also try to replace the content of /etc/pam.d/nx with the content of /etc/pam.d/sshd. It appears to me that the sshd PAM configuration might not include pam_sss in the account stack. If this is the case, be aware that some account management functionalities, like password reset, won’t be present any more.
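
The account-phase result discussed in this thread, as an added example that is not part of either post or of NoMachine's code: a simplified Python model of Linux-PAM control evaluation, run over the common-account stack from the question. The module return values other than pam_sss's perm_denied are assumptions, and a numeric jump is modelled as a plain skip (the verdict here does not depend on that choice, because pam_permit follows the jump).

```python
import re
# Keyword controls in their bracket form, per pam.conf(5).
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}
# common-account as posted in the question.
COMMON_ACCOUNT = """\
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so
account sufficient                      pam_localuser.so
account [default=bad success=ok user_unknown=ignore]    pam_sss.so
"""
# Constructed results; only pam_sss's perm_denied (code 6) comes from auth.log.
AD_USER = {"pam_unix.so": "success", "pam_permit.so": "success",
           "pam_localuser.so": "perm_denied", "pam_sss.so": "perm_denied"}
LOCAL_USER = {**AD_USER, "pam_localuser.so": "success"}

def parse(stack):
    entries = []  # [(module, {return_code: action})] in stack order
    for line in stack.strip().splitlines():
        control, module = re.match(r"\w+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        spec = control[1:-1] if control.startswith("[") else KEYWORDS[control]
        entries.append((module, dict(kv.split("=") for kv in spec.split())))
    return entries

def evaluate(stack, results):
    status, failed, skip, trace = None, False, 0, []
    for module, actions in parse(stack):
        if skip:                          # jumped over: module is never called
            skip -= 1
            continue
        rc = results[module]
        action = actions.get(rc, actions["default"])
        trace.append((module, rc, action))
        if action.isdigit():              # numeric action: skip the next N modules
            skip = int(action)
        elif action in ("ok", "done") and not failed:
            status = rc if status in (None, "success") else status
            if action == "done":          # stop here with the current verdict
                break
        elif action in ("bad", "die"):
            status, failed = (status if failed else rc), True  # first failure wins
            if action == "die":
                break
    return status or "perm_denied", trace  # (verdict, [(module, rc, action)])
```

`evaluate(COMMON_ACCOUNT, AD_USER)` ends at pam_sss.so with `bad`, matching the "Access denied" line in auth.log, while a local user stops at pam_localuser.so with `done` and never reaches pam_sss. With the pam_sss.so line removed from the stack, the same domain user evaluates to success, because the sssd access decision is no longer consulted.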


This topic was marked as solved, you can't post.