
Hi, I am trying to set up SSSD to authenticate to AD on RHEL.

I am able to log in with my AD user and password and see my groups when I run id. But when I try to use sudo, it just keeps prompting for my password (Sorry, please try again). Any ideas why? I know it is not the sudoers file because when I run sudo -U myUser -l I see (root) ALL. But I can su to root no problem, and I don't get prompted for a password.

My assumption is it has something to do with PAM.

pam.d/system-auth-ac

auth        required      pam_env.so
auth        sufficient    pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_krb5.so

pam.d/password-auth-ac

auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

sssd.conf

[sssd]
config_file_version = 2
domains = myDomain
services = nss, pam, pac

[domain/myDomain]
id_provider = ad
access_provider = ad
ad_server = adSer2.ca,adSer1.ca
ad_access_filter = memberOf=CN=IT - Shared Services,OU=Infrastructure,OU=CompanyGrps,DC=company,DC=ca
default_shell = /bin/bash
fallback_homedir = /home/%u
ignore_group_members = true
debug_level = 1

[nss]

[pam]
debug_level = 1
pam_verbosity = 3

[pac]

nsswitch.conf

passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
#initgroups: files
#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss ldap
publickey:  nisplus
automount:  files sss ldap
aliases:    files nisplus

sudoers

root    ALL=(ALL)       ALL
%it\ -\ shared\ services ALL = (root) ALL

Update

I got it to work by removing kerberos from the PAM configuration, but I am not sure by doing this if I have introduced a security risk.

  • any chance you could show /etc/sudoers as well? Commented Jul 14, 2016 at 16:34
  • Added the couple of lines present. Commented Jul 14, 2016 at 16:37
  • is this a RHEL7 box authenticating with a Windows 2008R2 domain? Commented Jul 19, 2016 at 1:58
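The question turns on how Linux-PAM walks the auth stack in system-auth-ac (which sudo and su use) versus password-auth-ac, so the following added example, which is not part of the question or answer, parses the auth lines posted above and applies the control-flag semantics from pam.conf(5) to a set of assumed per-module return values. It shows two things a reader can verify against the posted files: under "auth sufficient pam_localuser.so" a local account such as root ends the stack successfully before any password module runs, and a non-local user's fate on system-auth-ac depends entirely on what pam_unix.so returns under "[success=done ignore=ignore default=die]", whereas password-auth-ac jumps over pam_unix.so for non-local users. The return values in the scenarios (pam_localuser.so failing for a domain user, pam_unix.so returning "ignore" in one run and "auth_err" in the other, pam_sss.so accepting the password) are constructed assumptions, not observed behaviour of those modules; include/substack expansion and option side effects such as forward_pass are not modelled.

```python
"""Linux-PAM auth-stack walker (added example, not from the question).

Parses pam.d(5)-style rules and applies the pam.conf(5) control-flag
semantics to *assumed* per-module return values, so the rule that decides
the outcome of a stack becomes visible. Simplifications: include/substack
are not expanded and module options (forward_pass, ...) are not modelled.
"""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "type control module args")

# pam.conf(5) expansions of the four keyword controls.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
RULE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_control(field):
    """'sufficient' or '[success=done default=die]' -> {return value: action}."""
    if field.startswith("["):
        return dict(tok.split("=", 1) for tok in field.strip("[]").split())
    return dict(KEYWORDS[field])


def parse_pam(text):
    """Parse a pam.d file body; a leading '-' (as in '-session') is dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable PAM rule: " + line)
        mtype, ctl, module, args = m.groups()
        rules.append(Rule(mtype, parse_control(ctl), module, args.split()))
    return rules


def evaluate(rules, mtype, returns):
    """Walk one management group ('auth', ...) using the assumed `returns`
    (module name -> return value). Returns (final status, trace of steps)."""
    impression, status, skip, trace = None, "perm_denied", 0, []
    for rule in (r for r in rules if r.type == mtype):
        if skip:                        # inside a numeric jump: rule is not run
            skip -= 1
            trace.append(f"{rule.module}: skipped")
            continue
        retval = returns[rule.module]   # KeyError = an assumption left unstated
        action = rule.control.get(retval, rule.control.get("default", "bad"))
        trace.append(f"{rule.module}: {retval} -> {action}")
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression and status == "success"):
                if retval != "ignore" or impression is None:
                    impression, status = True, retval
            if impression and action == "done":
                break                   # 'done': stop with a positive result
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval   # first failure wins
            if action == "die":
                break                   # 'die': stop immediately with failure
        elif action == "reset":
            impression, status = None, "perm_denied"
        else:                           # integer jump: counts as ok, skip N rules
            if impression is None or (impression and status == "success"):
                impression, status = True, "success"
            skip = int(action)
    return (status if impression is not None else "perm_denied"), trace


# Auth lines copied from the two stacks posted in the question.
SYSTEM_AUTH = """
auth required pam_env.so
auth sufficient pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
"""
PASSWORD_AUTH = """
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

# Constructed assumptions about what each module returns (inputs to the walk,
# not observed facts). pam_env/pam_deny really do always return these values.
BASE = {"pam_env.so": "success", "pam_deny.so": "auth_err"}
DOMAIN_USER = dict(BASE, **{"pam_localuser.so": "perm_denied", "pam_succeed_if.so": "success",
                            "pam_sss.so": "success", "pam_krb5.so": "user_unknown"})


def scenarios():
    sys_rules, pw_rules = parse_pam(SYSTEM_AUTH), parse_pam(PASSWORD_AUTH)
    return {
        # su to root: a local account satisfies 'sufficient pam_localuser' first
        "system-auth, local root": evaluate(sys_rules, "auth", dict(BASE, **{"pam_localuser.so": "success"})),
        # domain user, assuming pam_unix yields 'ignore': the stack reaches pam_sss
        "system-auth, domain user, pam_unix=ignore": evaluate(sys_rules, "auth", dict(DOMAIN_USER, **{"pam_unix.so": "ignore"})),
        # domain user, assuming pam_unix yields 'auth_err': 'default=die' ends the stack early
        "system-auth, domain user, pam_unix=auth_err": evaluate(sys_rules, "auth", dict(DOMAIN_USER, **{"pam_unix.so": "auth_err"})),
        # password-auth: the '[default=1]' jump skips pam_unix for non-local users
        "password-auth, domain user": evaluate(pw_rules, "auth", dict(DOMAIN_USER, **{"pam_unix.so": "auth_err"})),
    }


if __name__ == "__main__":
    for name, (status, trace) in scenarios().items():
        print(f"{name}: {status}")
        for step in trace:
            print("   ", step)
```

Run it as a script to print, for each scenario, the final status and the module at which the walk stopped; in the local-root scenario the trace ends at pam_localuser.so, which is why su to root prompts for nothing on this system-auth-ac, and in the pam_unix=auth_err scenario pam_sss.so is never reached at all. To examine a real stack, replace the constants with the contents of the file sudo actually includes (on RHEL /etc/pam.d/sudo includes system-auth) and supply return values taken from the pam_sss and pam_unix messages in the journal rather than guesses.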

1 Answer

In my experience, I've had to qualify the domain of the group in /etc/sudoers.

So my sudoers declaration would look more like this:

%[email protected] ALL = (root) ALL

Since you've got spaces in the group name, something like:

%it\ -\ shared\ [email protected] ALL = (root) ALL

  • Tried that, couldn't get it to work. As mentioned, when I run sudo -U myUser -l I can see that I have sudo privileges. So, I do not believe it's an issue with sudo. It is an issue with how sudo authenticates. Commented Jul 14, 2016 at 17:19
