Los usuarios de Active Directory no puede acceder, al tratar de iniciar sesión podemos comprobar los siguientes errores en los logs:
sshd[4964]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=rokitoh
sshd[4964]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=rokitoh
sshd[4964]: Failed password for rokitoh from ::1 port 57618 ssh2
sshd[4964]: fatal: Access denied for user rokitoh by PAM account configuration [preauth]Para solventar este error nos vamos a la configuración de sssd y en la sección de domian ( [domain/red-orbita.com]) agregamos la siguiente linea:
ad_gpo_access_control = permissiveLa configuración completa quedaría de la siguiente forma:
cat /etc/sssd/sssd.conf
[sssd]
domains = red-orbita.com
config_file_version = 2
services = nss, pam
[domain/red-orbita.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = RED-ORBITA.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = red-orbita.com
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = simple
simple_allow_groups = sysadminlinux@red-orbita.com
ad_gpo_access_control = permissive:wq!