Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Restricted login list - couldn't resolve srvDomainUsers [40071]
- Dec 30 08:56:47 srv3 login[1713]: PAM (login) illegal module type: sessions
- Dec 30 08:56:47 srv3 login[1713]: PAM (other) illegal module type: sessions
- Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]User user12 is denied access because they are not in the 'require membership of' list
- Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:user12][error code:40158]
- Dec 30 08:56:50 srv3 login[1713]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=user12
- Dec 30 08:56:50 srv3 login[1713]: pam_sss(login:auth): Request to sssd failed. Connection refused
- Dec 30 08:56:53 srv3 login[1713]: FAILED LOGIN (1) on '/dev/tty1' FOR 'user12', Authentication failure
- root@srv3:~# /opt/pbis/bin/config --dump
- AllowDeleteTo ""
- AllowReadTo ""
- AllowWriteTo ""
- MaxDiskUsage 104857600
- MaxEventLifespan 90
- MaxNumEvents 100000
- DomainSeparator "\"
- SpaceReplacement "^"
- EnableEventlog false
- SaslMaxBufSize 16777215
- Providers "ActiveDirectory"
- DisplayMotd false
- PAMLogLevel "verbose"
- UserNotAllowedError "Access denied"
- AssumeDefaultDomain true
- CreateHomeDir true
- CreateK5Login true
- SyncSystemTime true
- TrimUserMembership true
- LdapSignAndSeal false
- LogADNetworkConnectionEvents true
- NssEnumerationEnabled true
- NssGroupMembersQueryCacheOnly true
- NssUserMembershipQueryCacheOnly false
- RefreshUserCredentials true
- CacheEntryExpiry 14400
- DomainManagerCheckDomainOnlineInterval 300
- DomainManagerUnknownDomainCacheTimeout 3600
- MachinePasswordLifespan 2592000
- MemoryCacheSizeCap 0
- HomeDirPrefix "/home"
- HomeDirTemplate "%H/%U"
- RemoteHomeDirTemplate ""
- HomeDirUmask "022"
- LoginShellTemplate "/bin/bash"
- SkeletonDirs "/etc/skel"
- UserDomainPrefix "srv"
- DomainManagerIgnoreAllTrusts false
- DomainManagerIncludeTrustsList
- DomainManagerExcludeTrustsList
- RequireMembershipOf "srv\DomainUsers"
- Local_AcceptNTLMv1 true
- Local_HomeDirTemplate "%H/local/%D/%U"
- Local_HomeDirUmask "022"
- Local_LoginShellTemplate "/bin/sh"
- Local_SkeletonDirs "/etc/skel"
- UserMonitorCheckInterval 1800
- LsassAutostart true
- EventlogAutostart true
- BlacklistDC
- LSA Server Status:
- Compiled daemon version: 8.5.2.265
- Packaged product version: 8.5.265.1
- Uptime: 0 days 0 hours 14 minutes 5 seconds
- [Authentication provider: lsa-activedirectory-provider]
- Status: Online
- Mode: Un-provisioned
- Domain: SRV.LOCAL
- Domain SID: S-1-5-21-2727847642-148432537-1030246457
- Forest: srv.local
- Site: Default-First-Site-Name
- Online check interval: 300 seconds
- [Trusted Domains: 1]
- [Domain: SRV]
- DNS Domain: srv.local
- Netbios name: SRV
- Forest name: srv.local
- Trustee DNS name:
- Client site name: Default-First-Site-Name
- Domain SID: S-1-5-21-2727847642-148432537-1030246457
- Domain GUID: 8ac2ba85-7313-6746-abfe-d44f9856708e
- Trust Flags: [0x001d]
- [0x0001 - In forest]
- [0x0004 - Tree root]
- [0x0008 - Primary]
- [0x0010 - Native]
- Trust type: Up Level
- Trust Attributes: [0x0000]
- Trust Direction: Primary Domain
- Trust Mode: In my forest Trust (MFT)
- Domain flags: [0x0001]
- [0x0001 - Primary]
- [Domain Controller (DC) Information]
- DC Name: dc1.srv.local
- DC Address: 192.168.253.200
- DC Site: Default-First-Site-Name
- DC Flags: [0x0000f1fd]
- DC Is PDC: yes
- DC is time server: yes
- DC has writeable DS: yes
- DC is Global Catalog: yes
- DC is running KDC: yes
- [Global Catalog (GC) Information]
- GC Name: dc1.srv.local
- GC Address: 192.168.253.200
- GC Site: Default-First-Site-Name
- GC Flags: [0x0000f1fd]
- GC Is PDC: yes
- GC is time server: yes
- GC has writeable DS: yes
- GC is running KDC: yes
- Name: PowerBroker Identity Services (PBIS)
- Default: yes
- Priority: 260
- Conflicts: winbind
- Auth-Type: Primary
- Auth:
- [success=end default=ignore] pam_lsass.so try_first_pass
- Auth-Initial:
- [success=end default=ignore] pam_lsass.so
- Account-Type: Primary
- Account:
- [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
- [success=end new_authtok_reqd=done default=ignore] pam_lsass.so
- Session-Type: Additional
- Session:
- optional pam_lsass.so
- Password-Type: Primary
- Password:
- [success=end default=ignore] pam_lsass.so use_authtok try_first_pass
- Password-Initial:
- [success=end default=ignore] pam_lsass.so
- #
- # /etc/pam.d/common-account - authorization settings common to all services
- #
- # This file is included from other service-specific PAM config files,
- # and should contain a list of the authorization modules that define
- # the central access policy for use on the system. The default is to
- # only deny service to users whose accounts are expired in /etc/shadow.
- #
- # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
- # To take advantage of this, it is recommended that you configure any
- # local modules either before or after the default block, and use
- # pam-auth-update to manage selection of other modules. See
- # pam-auth-update(8) for details.
- #
- # here are the per-package modules (the "Primary" block)
- account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
- account [success=2 new_authtok_reqd=done default=ignore] pam_lsass.so
- account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
- # here's the fallback if no module succeeds
- account requisite pam_deny.so
- # prime the stack with a positive return value if there isn't one already;
- # this avoids us returning an error just because nothing sets a success code
- # since the modules above will each just jump around
- account required pam_permit.so
- # and here are more per-package modules (the "Additional" block)
- account sufficient pam_localuser.so
- account [default=bad success=ok user_unknown=ignore] pam_sss.so
- # end of pam-auth-update config
- #
- # /etc/pam.d/common-session - session-related modules common to all services
- #
- # This file is included from other service-specific PAM config files,
- # and should contain a list of modules that define tasks to be performed
- # at the start and end of sessions of *any* kind (both interactive and
- # non-interactive).
- #
- # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
- # To take advantage of this, it is recommended that you configure any
- # local modules either before or after the default block, and use
- # pam-auth-update to manage selection of other modules. See
- # pam-auth-update(8) for details.
- # here are the per-package modules (the "Primary" block)
- session [default=1] pam_permit.so
- # here's the fallback if no module succeeds
- session requisite pam_deny.so
- # prime the stack with a positive return value if there isn't one already;
- # this avoids us returning an error just because nothing sets a success code
- # since the modules above will each just jump around
- session required pam_permit.so
- # The pam_umask module will set the umask according to the system default in
- # /etc/login.defs and user settings, solving the problem of different
- # umask settings with different shells, display managers, remote sessions etc.
- # See "man pam_umask".
- session optional pam_umask.so
- # and here are more per-package modules (the "Additional" block)
- #session optional pam_lsass.so
- sessions [success=ok default=ignore] pam_lsass.so
- session required pam_unix.so
- session optional pam_sss.so
- session optional pam_systemd.so
- # end of pam-auth-update config
- session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
- #
- # /etc/pam.d/common-auth - authentication settings common to all services
- #
- # This file is included from other service-specific PAM config files,
- # and should contain a list of the authentication modules that define
- # the central authentication scheme for use on the system
- # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
- # traditional Unix authentication mechanisms.
- #
- # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
- # To take advantage of this, it is recommended that you configure any
- # local modules either before or after the default block, and use
- # pam-auth-update to manage selection of other modules. See
- # pam-auth-update(8) for details.
- # here are the per-package modules (the "Primary" block)
- auth [success=3 default=ignore] pam_lsass.so
- auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
- auth [success=1 default=ignore] pam_sss.so use_first_pass
- # here's the fallback if no module succeeds
- auth requisite pam_deny.so
- # prime the stack with a positive return value if there isn't one already;
- # this avoids us returning an error just because nothing sets a success code
- # since the modules above will each just jump around
- auth required pam_permit.so
- # and here are more per-package modules (the "Additional" block)
- # end of pam-auth-update config
- ~
- ~
- [libdefaults]
- default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
- default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
- preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
- dns_lookup_kdc = true
- pkinit_kdc_hostname = <DNS>
- pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
- pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
- pkinit_eku_checking = kpServerAuth
- pkinit_win2k_require_binding = false
- pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
