After patching a CentOS 7 server with the latest rpms, ssh would not authenticate with Active Directory.
To debug,
1. Become root on the Unix server.
sudo su -
2. Stop the sshd service (Note: this will not kill your current session)
systemctl stop sshd
3. Start sshd in debug mode. The debug output will print on the terminal
/sbin/sshd -d
4. From another terminal, ssh into the server
ssh username@server
5. The sshd debug messages showed that the username could not be authenticated with AD. The first place to look is sssd (System Security Services Daemon).
6. Restart sssd. Got an error message stating sssd failed to start
systemctl restart sssd
7. First view the sssd error log status. The logs did not provide much debug info
systemctl -l status sssd
8. Start sssd in debug mode. The debug output will print on the terminal
sssd -i -d 4
9. The error message in this case was "PAM unable to dlopen /usr/lib/samba/libreplace-samba4.so: version 'SAMBA_4.4.4 not found"
10. Checked the version of the samba-client. This showed that yum update installed both samba-client 4.4.4 and 4.6.2
yum --showduplicates list samba-client
11. Reinstalled samba-client to only have one version
yum remove samba-client
yum install samba-client
12. sssd now starts successfully and users can authenticate with AD over ssh
systemctl start sssd
systemctl start sshd
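The duplicate-version check from step 10 can be run across every installed package after a patch cycle. The script below is an added example, not part of the original post: the function names are hypothetical and the release strings in the sample data are constructed. It treats the same package name on different architectures (multilib) and multiple kernels as normal.

```shell
#!/bin/sh
# Added example: flag packages that are installed in more than one version.
# Input: lines of "NAME ARCH VERSION-RELEASE", as printed by
#   rpm -qa --qf '%{NAME} %{ARCH} %{VERSION}-%{RELEASE}\n'
find_dupes() {
    awk '
        # Several kernels and several GPG keys are expected; skip them.
        $1 ~ /^(kernel|kernel-devel|gpg-pubkey)$/ { next }
        {
            # Key on name + arch so i686/x86_64 multilib pairs are not flagged.
            key = $1 "." $2
            if (count[key]++)
                versions[key] = versions[key] " " $3
            else
                versions[key] = $3
        }
        END {
            for (k in count)
                if (count[k] > 1)
                    print k ": " versions[k]
        }
    ' | sort
}

# Constructed sample input (release strings are made up for illustration).
sample_rpm_list() {
    cat <<'EOF'
glibc x86_64 2.17-1.el7
glibc i686 2.17-1.el7
kernel x86_64 3.10.0-1.el7
kernel x86_64 3.10.0-2.el7
samba-client x86_64 4.4.4-1.el7
samba-client x86_64 4.6.2-1.el7
sssd x86_64 1.15.2-1.el7
EOF
}

# Demo on the sample data. On a real host use:
#   rpm -qa --qf '%{NAME} %{ARCH} %{VERSION}-%{RELEASE}\n' | find_dupes
sample_rpm_list | find_dupes
```

Any line it prints names a package to reinstall as in step 11 before restarting sssd.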