We have an issue on some of our AWS machines, running Amazon's hacked Fedora/RHEL Linux, where newer-in-AD users can log in with a password but cannot authenticate for sudo. Users that were created in AD a while ago have no issues, and this does not seem to follow a pattern on servers (e.g. we created 3 servers at once from the same AMI; 2 work, one fails). The errors in the logs are of this format, starting with a successful login via password:
Jan 18 18:35:37 HOSTNAME sshd[24496]: pam_krb5[24496]: authentication succeeds for 'USERNAME' (USERNAME@AD.DOMAIN)
Jan 18 18:35:37 HOSTNAME sshd[24496]: Accepted password for USERNAME from local_ip port 45236 ssh2
Jan 18 18:35:37 HOSTNAME sshd[24496]: pam_unix(sshd:session): session opened for user USERNAME by (uid=0)
Jan 18 18:35:43 HOSTNAME sudo: pam_unix(sudo:auth): authentication failure; logname=USERNAME uid=10764 euid=0 tty=/dev/pts/2 ruser=USERNAME rhost= user=USERNAME
Jan 18 18:35:43 HOSTNAME sudo: pam_krb5[24526]: account checks fail for 'USERNAME@AD.DOMAIN': user disallowed by .k5login file for 'USERNAME
Jan 18 18:35:43 HOSTNAME sudo: pam_krb5[24526]: authentication fails for 'USERNAME' (USERNAME@AD.DOMAIN): Permission denied (Success)
I've double-checked that the user didn't have a .k5login file (there was none), and adding one with only 'USERNAME@AD.DOMAIN' didn't change the behavior or the log messages. I've also verified, as best as I can, that these new users aren't somehow different in AD, but I'm far from an expert there, so there may be something else to check if I knew where to look.
Thanks
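As an added triage example (not part of the original question or answer), the following script correlates the two log events shown above: a successful sshd login followed by a pam_krb5 ".k5login" account-check failure for the same user on the same host during sudo. It runs over constructed sample lines with hypothetical host and user names, so it can be pointed at /var/log/secure to list which servers and users are affected.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the same format as the question (hosts,
# users and addresses are invented). web01 shows the failing pattern,
# web02 shows a host where sudo works for an AD user.
SAMPLE_LOG = """\
Jan 18 18:35:37 web01 sshd[24496]: pam_krb5[24496]: authentication succeeds for 'alice' (alice@AD.EXAMPLE)
Jan 18 18:35:37 web01 sshd[24496]: Accepted password for alice from 10.0.0.5 port 45236 ssh2
Jan 18 18:35:43 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=10764 euid=0 tty=/dev/pts/2 ruser=alice rhost= user=alice
Jan 18 18:35:43 web01 sudo: pam_krb5[24526]: account checks fail for 'alice@AD.EXAMPLE': user disallowed by .k5login file for 'alice
Jan 18 18:35:43 web01 sudo: pam_krb5[24526]: authentication fails for 'alice' (alice@AD.EXAMPLE): Permission denied (Success)
Jan 18 18:40:01 web02 sshd[3011]: Accepted password for bob from 10.0.0.6 port 50010 ssh2
Jan 18 18:40:09 web02 sudo: pam_krb5[3020]: authentication succeeds for 'bob' (bob@AD.EXAMPLE)
"""

# Syslog prefix: "Mon DD HH:MM:SS host"
_TS = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "
SSH_OK = re.compile(_TS + r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from")
SUDO_K5 = re.compile(
    _TS + r"sudo: pam_krb5\[\d+\]: account checks fail for '(?P<princ>[^']+)': "
    r"user disallowed by \.k5login"
)


def find_k5login_sudo_failures(log_text):
    """Return (host, user, principal) tuples for users who logged in over ssh
    on a host and were then refused by pam_krb5's .k5login check for sudo."""
    logged_in = defaultdict(set)  # host -> users with an earlier successful ssh login
    findings = []
    for line in log_text.splitlines():
        m = SSH_OK.match(line)
        if m:
            logged_in[m["host"]].add(m["user"])
            continue
        m = SUDO_K5.match(line)
        if m:
            user = m["princ"].split("@", 1)[0]  # strip the realm to get the local name
            if user in logged_in[m["host"]]:
                findings.append((m["host"], user, m["princ"]))
    return findings


def affected_hosts(log_text):
    """Sorted list of hosts showing the failure, to compare against hosts built from the same AMI."""
    return sorted({host for host, _, _ in find_k5login_sudo_failures(log_text)})


if __name__ == "__main__":
    for host, user, princ in find_k5login_sudo_failures(SAMPLE_LOG):
        print(f"{host}: sudo refused for {user} ({princ}) by .k5login check")
```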
Best Answer
In /etc/krb5.conf add these lines:

where EXAMPLE.COM is your AD realm.