PowerBroker (PBIS) Restricted login list - couldn't resolve srvDomainUsers [40071]
I want to join a domain with an Ubuntu 16.04 machine. The server is Windows Server 2012 R2. I have installed PowerBroker Identity Services (PBIS) 8.5.2.265.
I get this error in /var/log/syslog:
Restricted login list - couldn't resolve srvDomainUsers [40071]
A couple of errors here: /var/log/auth:
Dec 30 08:56:47 srv3 login[1713]: PAM (login) illegal module type: sessions
Dec 30 08:56:47 srv3 login[1713]: PAM (other) illegal module type: sessions
Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]User user12 is denied access because they are not in the 'require membership of' list
Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:user12][error code:40158]
Dec 30 08:56:50 srv3 login[1713]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=user12
Dec 30 08:56:50 srv3 login[1713]: pam_sss(login:auth): Request to sssd failed. Connection refused
Dec 30 08:56:53 srv3 login[1713]: FAILED LOGIN (1) on '/dev/tty1' FOR 'user12', Authentication failure
/opt/pbis/bin/config --dump:
root@srv3:~# /opt/pbis/bin/config --dump
AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\"
SpaceReplacement "^"
EnableEventlog false
SaslMaxBufSize 16777215
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "verbose"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/home"
HomeDirTemplate "%H/%U"
RemoteHomeDirTemplate ""
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "srv"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf "srv\DomainUsers"
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/local/%D/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
BlacklistDC
root@srv3:~# /opt/pbis/bin/get-status
LSA Server Status:
Compiled daemon version: 8.5.2.265
Packaged product version: 8.5.265.1
Uptime: 0 days 0 hours 14 minutes 5 seconds
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Un-provisioned
Domain: SRV.LOCAL
Domain SID: S-1-5-21-2727847642-148432537-1030246457
Forest: srv.local
Site: Default-First-Site-Name
Online check interval: 300 seconds
[Trusted Domains: 1]
[Domain: SRV]
DNS Domain: srv.local
Netbios name: SRV
Forest name: srv.local
Trustee DNS name:
Client site name: Default-First-Site-Name
Domain SID: S-1-5-21-2727847642-148432537-1030246457
Domain GUID: 8ac2ba85-7313-6746-abfe-d44f9856708e
Trust Flags: [0x001d]
[0x0001 - In forest]
[0x0004 - Tree root]
[0x0008 - Primary]
[0x0010 - Native]
Trust type: Up Level
Trust Attributes: [0x0000]
Trust Direction: Primary Domain
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0001]
[0x0001 - Primary]
[Domain Controller (DC) Information]
DC Name: dc1.srv.local
DC Address: 192.168.253.200
DC Site: Default-First-Site-Name
DC Flags: [0x0000f1fd]
DC Is PDC: yes
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes
[Global Catalog (GC) Information]
GC Name: dc1.srv.local
GC Address: 192.168.253.200
GC Site: Default-First-Site-Name
GC Flags: [0x0000f1fd]
GC Is PDC: yes
GC is time server: yes
GC has writeable DS: yes
GC is running KDC: yes
/opt/pbis/share/pbis.pam-auth-update
Name: PowerBroker Identity Services (PBIS)
Default: yes
Priority: 260
Conflicts: winbind
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_lsass.so try_first_pass
Auth-Initial:
[success=end default=ignore] pam_lsass.so
Account-Type: Primary
Account:
[success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
[success=end new_authtok_reqd=done default=ignore] pam_lsass.so
Session-Type: Additional
Session:
optional pam_lsass.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_lsass.so use_authtok try_first_pass
Password-Initial:
[success=end default=ignore] pam_lsass.so
/etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
account [success=2 new_authtok_reqd=done default=ignore] pam_lsass.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
/etc/pam.d/common-session:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
#session optional pam_lsass.so
sessions [success=ok default=ignore] pam_lsass.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
# end of pam-auth-update config
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
/etc/pam.d/common-auth:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_lsass.so
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
~
~
/etc/pbis/pbis-krb5-ad.conf:
[libdefaults]
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
dns_lookup_kdc = true
pkinit_kdc_hostname = <DNS>
pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
pkinit_eku_checking = kpServerAuth
pkinit_win2k_require_binding = false
pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so
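An added example, not part of the original question: a small linter for /etc/pam.d rule lines that reports the kind of problem behind the `illegal module type: sessions` messages in the auth log above, run here on the rules from the question's common-session listing. The function names are hypothetical, and backslash line continuations are not handled.

```python
import re

# Management groups Linux-PAM accepts in the first field (pam.conf(5)).
VALID_TYPES = {"auth", "account", "password", "session"}
# Keyword controls; the bracketed [value=action ...] form is checked separately.
KEYWORD_CONTROLS = {"required", "requisite", "sufficient", "optional",
                    "include", "substack"}
# Actions allowed after "value=", besides a positive jump count.
ACTIONS = {"ignore", "bad", "die", "ok", "done", "reset"}

# type, control (keyword or one bracketed group), then module path and arguments
RULE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s*(.*)$")
JUMP_RE = re.compile(r"[1-9][0-9]*")


def check_control(control):
    """Return a problem description for a control field, or None if it is valid."""
    if not control.startswith("["):
        if control in KEYWORD_CONTROLS:
            return None
        return f"unknown control keyword: {control}"
    if not control.endswith("]"):
        return f"unterminated control bracket: {control}"
    pairs = control[1:-1].split()
    if not pairs:
        return "empty control bracket"
    for pair in pairs:
        value, sep, action = pair.partition("=")
        if not sep or not value:
            return f"control entry is not value=action: {pair}"
        if action not in ACTIONS and not JUMP_RE.fullmatch(action):
            return f"unknown action in control entry: {pair}"
    return None


def lint_pam(text):
    """Return (line_number, message) findings for one /etc/pam.d service file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue  # comment, blank line, or Debian-style @include directive
        match = RULE_RE.match(line)
        if match is None:
            findings.append((lineno, "incomplete rule: expected type, control, module"))
            continue
        mtype, control, rest = match.groups()
        # A leading "-" on the type is legal; it only quiets "module missing" logs.
        bare_type = mtype[1:] if mtype.startswith("-") else mtype
        if bare_type.lower() not in VALID_TYPES:
            findings.append((lineno, f"illegal module type: {mtype}"))
        problem = check_control(control)
        if problem:
            findings.append((lineno, problem))
        if not rest.split():
            findings.append((lineno, "missing module path"))
    return findings


# Rules copied from the question's /etc/pam.d/common-session listing.
COMMON_SESSION = """\
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
#session optional pam_lsass.so
sessions [success=ok default=ignore] pam_lsass.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
"""

if __name__ == "__main__":
    for lineno, message in lint_pam(COMMON_SESSION):
        print(f"common-session:{lineno}: {message}")
```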
linux active-directory powerbroker
add a comment |
I want to join a domain with Ubuntu 16.04 machine. The server is Windows Server 2012 R2. I have installed PowerBroker Identity Services (PBIS) 8.5.2.265
I get this error in /var/log/syslog:
Restricted login list - couldn't resolve srvDomainUsers [40071]
A couple of erros here: /var/log/auth:
Dec 30 08:56:47 srv3 login[1713]: PAM (login) illegal module type: sessions
Dec 30 08:56:47 srv3 login[1713]: PAM (other) illegal module type: sessions
Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]User user12 is denied access because they are not in the 'require membership of' list
Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:user12][error code:40158]
Dec 30 08:56:50 srv3 login[1713]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=user12
Dec 30 08:56:50 srv3 login[1713]: pam_sss(login:auth): Request to sssd failed. Connection refused
Dec 30 08:56:53 srv3 login[1713]: FAILED LOGIN (1) on '/dev/tty1' FOR 'user12', Authentication failure
/opt/pbis/bin/config --dump:
root@srv3:~# /opt/pbis/bin/config --dump
AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\"
SpaceReplacement "^"
EnableEventlog false
SaslMaxBufSize 16777215
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "verbose"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/home"
HomeDirTemplate "%H/%U"
RemoteHomeDirTemplate ""
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "srv"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf "srv\DomainUsers"
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/local/%D/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
BlacklistDC
root@srv3:~# /opt/pbis/bin/get-status
LSA Server Status:
Compiled daemon version: 8.5.2.265
Packaged product version: 8.5.265.1
Uptime: 0 days 0 hours 14 minutes 5 seconds
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Un-provisioned
Domain: SRV.LOCAL
Domain SID: S-1-5-21-2727847642-148432537-1030246457
Forest: srv.local
Site: Default-First-Site-Name
Online check interval: 300 seconds
[Trusted Domains: 1]
[Domain: SRV]
DNS Domain: srv.local
Netbios name: SRV
Forest name: srv.local
Trustee DNS name:
Client site name: Default-First-Site-Name
Domain SID: S-1-5-21-2727847642-148432537-1030246457
Domain GUID: 8ac2ba85-7313-6746-abfe-d44f9856708e
Trust Flags: [0x001d]
[0x0001 - In forest]
[0x0004 - Tree root]
[0x0008 - Primary]
[0x0010 - Native]
Trust type: Up Level
Trust Attributes: [0x0000]
Trust Direction: Primary Domain
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0001]
[0x0001 - Primary]
[Domain Controller (DC) Information]
DC Name: dc1.srv.local
DC Address: 192.168.253.200
DC Site: Default-First-Site-Name
DC Flags: [0x0000f1fd]
DC Is PDC: yes
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes
[Global Catalog (GC) Information]
GC Name: dc1.srv.local
GC Address: 192.168.253.200
GC Site: Default-First-Site-Name
GC Flags: [0x0000f1fd]
GC Is PDC: yes
GC is time server: yes
GC has writeable DS: yes
GC is running KDC: yes
/opt/pbis/share/pbis.pam-auth-update
Name: PowerBroker Identity Services (PBIS)
Default: yes
Priority: 260
Conflicts: winbind
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_lsass.so try_first_pass
Auth-Initial:
[success=end default=ignore] pam_lsass.so
Account-Type: Primary
Account:
[success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
[success=end new_authtok_reqd=done default=ignore] pam_lsass.so
Session-Type: Additional
Session:
optional pam_lsass.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_lsass.so use_authtok try_first_pass
Password-Initial:
[success=end default=ignore] pam_lsass.so
/etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
account [success=2 new_authtok_reqd=done default=ignore] pam_lsass.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
/etc/pam.d/common-session:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
#session optional pam_lsass.so
sessions [success=ok default=ignore] pam_lsass.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
# end of pam-auth-update config
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
/etc/pam.d/common-auth:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_lsass.so
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
~
~
/etc/pbis/pbis-krb5-ad.conf:
[libdefaults]
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
dns_lookup_kdc = true
pkinit_kdc_hostname = <DNS>
pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
pkinit_eku_checking = kpServerAuth
pkinit_win2k_require_binding = false
pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so
linux active-directory powerbroker
add a comment |
I want to join a domain with Ubuntu 16.04 machine. The server is Windows Server 2012 R2. I have installed PowerBroker Identity Services (PBIS) 8.5.2.265
I get this error in /var/log/syslog:
Restricted login list - couldn't resolve srvDomainUsers [40071]
A couple of erros here: /var/log/auth:
Dec 30 08:56:47 srv3 login[1713]: PAM (login) illegal module type: sessions
Dec 30 08:56:47 srv3 login[1713]: PAM (other) illegal module type: sessions
Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]User user12 is denied access because they are not in the 'require membership of' list
Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:user12][error code:40158]
Dec 30 08:56:50 srv3 login[1713]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=user12
Dec 30 08:56:50 srv3 login[1713]: pam_sss(login:auth): Request to sssd failed. Connection refused
Dec 30 08:56:53 srv3 login[1713]: FAILED LOGIN (1) on '/dev/tty1' FOR 'user12', Authentication failure
/opt/pbis/bin/config --dump:
root@srv3:~# /opt/pbis/bin/config --dump
AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\"
SpaceReplacement "^"
EnableEventlog false
SaslMaxBufSize 16777215
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "verbose"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/home"
HomeDirTemplate "%H/%U"
RemoteHomeDirTemplate ""
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "srv"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf "srv\DomainUsers"
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/local/%D/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
BlacklistDC
root@srv3:~# /opt/pbis/bin/get-status
LSA Server Status:
Compiled daemon version: 8.5.2.265
Packaged product version: 8.5.265.1
Uptime: 0 days 0 hours 14 minutes 5 seconds
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Un-provisioned
Domain: SRV.LOCAL
Domain SID: S-1-5-21-2727847642-148432537-1030246457
Forest: srv.local
Site: Default-First-Site-Name
Online check interval: 300 seconds
[Trusted Domains: 1]
[Domain: SRV]
DNS Domain: srv.local
Netbios name: SRV
Forest name: srv.local
Trustee DNS name:
Client site name: Default-First-Site-Name
Domain SID: S-1-5-21-2727847642-148432537-1030246457
Domain GUID: 8ac2ba85-7313-6746-abfe-d44f9856708e
Trust Flags: [0x001d]
[0x0001 - In forest]
[0x0004 - Tree root]
[0x0008 - Primary]
[0x0010 - Native]
Trust type: Up Level
Trust Attributes: [0x0000]
Trust Direction: Primary Domain
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0001]
[0x0001 - Primary]
[Domain Controller (DC) Information]
DC Name: dc1.srv.local
DC Address: 192.168.253.200
DC Site: Default-First-Site-Name
DC Flags: [0x0000f1fd]
DC Is PDC: yes
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes
[Global Catalog (GC) Information]
GC Name: dc1.srv.local
GC Address: 192.168.253.200
GC Site: Default-First-Site-Name
GC Flags: [0x0000f1fd]
GC Is PDC: yes
GC is time server: yes
GC has writeable DS: yes
GC is running KDC: yes
/opt/pbis/share/pbis.pam-auth-update
Name: PowerBroker Identity Services (PBIS)
Default: yes
Priority: 260
Conflicts: winbind
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_lsass.so try_first_pass
Auth-Initial:
[success=end default=ignore] pam_lsass.so
Account-Type: Primary
Account:
[success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
[success=end new_authtok_reqd=done default=ignore] pam_lsass.so
Session-Type: Additional
Session:
optional pam_lsass.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_lsass.so use_authtok try_first_pass
Password-Initial:
[success=end default=ignore] pam_lsass.so
/etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
account [success=2 new_authtok_reqd=done default=ignore] pam_lsass.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
/etc/pam.d/common-session:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
#session optional pam_lsass.so
sessions [success=ok default=ignore] pam_lsass.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
# end of pam-auth-update config
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
/etc/pam.d/common-auth:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_lsass.so
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
~
~
/etc/pbis/pbis-krb5-ad.conf:
[libdefaults]
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
dns_lookup_kdc = true
pkinit_kdc_hostname = <DNS>
pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
pkinit_eku_checking = kpServerAuth
pkinit_win2k_require_binding = false
pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so
linux active-directory powerbroker
I want to join a domain with Ubuntu 16.04 machine. The server is Windows Server 2012 R2. I have installed PowerBroker Identity Services (PBIS) 8.5.2.265
I get this error in /var/log/syslog:
Restricted login list - couldn't resolve srvDomainUsers [40071]
A couple of errors here, from /var/log/auth:
Dec 30 08:56:47 srv3 login[1713]: PAM (login) illegal module type: sessions
Dec 30 08:56:47 srv3 login[1713]: PAM (other) illegal module type: sessions
Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]User user12 is denied access because they are not in the 'require membership of' list
Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:user12][error code:40158]
Dec 30 08:56:50 srv3 login[1713]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=user12
Dec 30 08:56:50 srv3 login[1713]: pam_sss(login:auth): Request to sssd failed. Connection refused
Dec 30 08:56:53 srv3 login[1713]: FAILED LOGIN (1) on '/dev/tty1' FOR 'user12', Authentication failure
/opt/pbis/bin/config --dump:
root@srv3:~# /opt/pbis/bin/config --dump
AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\"
SpaceReplacement "^"
EnableEventlog false
SaslMaxBufSize 16777215
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "verbose"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/home"
HomeDirTemplate "%H/%U"
RemoteHomeDirTemplate ""
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "srv"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf "srv\DomainUsers"
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/local/%D/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
BlacklistDC
root@srv3:~# /opt/pbis/bin/get-status
LSA Server Status:
Compiled daemon version: 8.5.2.265
Packaged product version: 8.5.265.1
Uptime: 0 days 0 hours 14 minutes 5 seconds
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Un-provisioned
Domain: SRV.LOCAL
Domain SID: S-1-5-21-2727847642-148432537-1030246457
Forest: srv.local
Site: Default-First-Site-Name
Online check interval: 300 seconds
[Trusted Domains: 1]
[Domain: SRV]
DNS Domain: srv.local
Netbios name: SRV
Forest name: srv.local
Trustee DNS name:
Client site name: Default-First-Site-Name
Domain SID: S-1-5-21-2727847642-148432537-1030246457
Domain GUID: 8ac2ba85-7313-6746-abfe-d44f9856708e
Trust Flags: [0x001d]
[0x0001 - In forest]
[0x0004 - Tree root]
[0x0008 - Primary]
[0x0010 - Native]
Trust type: Up Level
Trust Attributes: [0x0000]
Trust Direction: Primary Domain
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0001]
[0x0001 - Primary]
[Domain Controller (DC) Information]
DC Name: dc1.srv.local
DC Address: 192.168.253.200
DC Site: Default-First-Site-Name
DC Flags: [0x0000f1fd]
DC Is PDC: yes
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes
[Global Catalog (GC) Information]
GC Name: dc1.srv.local
GC Address: 192.168.253.200
GC Site: Default-First-Site-Name
GC Flags: [0x0000f1fd]
GC Is PDC: yes
GC is time server: yes
GC has writeable DS: yes
GC is running KDC: yes
/opt/pbis/share/pbis.pam-auth-update
Name: PowerBroker Identity Services (PBIS)
Default: yes
Priority: 260
Conflicts: winbind
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_lsass.so try_first_pass
Auth-Initial:
[success=end default=ignore] pam_lsass.so
Account-Type: Primary
Account:
[success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
[success=end new_authtok_reqd=done default=ignore] pam_lsass.so
Session-Type: Additional
Session:
optional pam_lsass.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_lsass.so use_authtok try_first_pass
Password-Initial:
[success=end default=ignore] pam_lsass.so
/etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
account [success=2 new_authtok_reqd=done default=ignore] pam_lsass.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
/etc/pam.d/common-session:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
#session optional pam_lsass.so
sessions [success=ok default=ignore] pam_lsass.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
# end of pam-auth-update config
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
edited Dec 30 '16 at 13:16 by Slipeer
asked Dec 30 '16 at 8:25 by Xenioz
1 Answer
Restricted login list - couldn't resolve srvDomainUsers [40071]
You should check that the name of the Domain Users group in the PBIS settings corresponds to how PBIS sees it.
To do this, run the following command:
/opt/pbis/bin/enum-groups | grep -i Domain
Find your Domain Users group name as it is displayed and put the name of the group into the configuration in the same form.
answered Dec 30 '16 at 8:33 by Slipeer
I have changed the config option. But I still cannot log in to the console.
– Xenioz
Dec 30 '16 at 8:58
@xenioz New or same error?
– Slipeer
Dec 30 '16 at 8:59
The error that I had before is gone but I get this:
Dec 30 09:56:14 srv3 login[1736]: pam_sss(login:account): Request to sssd failed. Connection refused
Dec 30 09:56:14 srv3 login[1736]: Authentication service cannot retrieve authentication info
Dec 30 09:56:15 srv3 login[1742]: PAM (login) illegal module type: sessions
Dec 30 09:56:15 srv3 login[1742]: PAM (other) illegal module type: sessions
– Xenioz
Dec 30 '16 at 8:59
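A small linter for the PAM side of this thread: it flags the `sessions` module type that the log lines reject and checks that each `[success=N ...]` jump in a stack has N modules left to skip. This is an added example, not code from the posts or from PBIS; the function names are hypothetical and the sample rules are copied from the question's files.

```python
import re

VALID_TYPES = {"auth", "account", "password", "session"}
# type, control (keyword or [value=action ...]), module path
RULE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Rule lines copied from the question's files, comment lines dropped.
COMMON_SESSION = """\
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
sessions [success=ok default=ignore] pam_lsass.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
"""
COMMON_AUTH = """\
auth [success=3 default=ignore] pam_lsass.so
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

def parse(text):
    """Return (lineno, type, control, module) for every rule line."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.strip())
        if m and not raw.lstrip().startswith(("#", "@")):
            rules.append((n, m.group(1), m.group(2), m.group(3)))
    return rules

def jumps(control):
    """Numeric actions of a bracketed control, e.g. {'success': 3}."""
    if not control.startswith("["):
        return {}
    pairs = (item.split("=", 1) for item in control[1:-1].split() if "=" in item)
    return {k: int(v) for k, v in pairs if v.isdigit()}

def lint(text):
    """Flag illegal module types and jumps that skip more modules than remain."""
    rules, findings = parse(text), []
    for n, mtype, _, _ in rules:
        if mtype not in VALID_TYPES:
            findings.append((n, f"illegal module type: {mtype}"))
    for mtype in VALID_TYPES:
        stack = [r for r in rules if r[1] == mtype]
        for i, (n, _, control, module) in enumerate(stack):
            for ret, skip in jumps(control).items():
                if i + skip >= len(stack):
                    findings.append((n, f"{module}: {ret}={skip} skips past the end of the {mtype} stack"))
    return sorted(findings)

def landing(text, mtype, module, ret="success"):
    """Module that runs next when `module` returns `ret` and the action is a jump."""
    stack = [r for r in parse(text) if r[1] == mtype]
    for i, (_, _, control, mod) in enumerate(stack):
        skip = jumps(control).get(ret)
        if mod == module and skip is not None and i + skip + 1 < len(stack):
            return stack[i + skip + 1][3]
    return None
```

On the question's files, `lint(COMMON_SESSION)` reports line 5 of the sample, and `landing(COMMON_AUTH, "auth", "pam_lsass.so")` shows that a successful `pam_lsass.so` skips `pam_deny.so` and lands on `pam_permit.so`.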