PowerBroker (PBIS) Restricted login list - couldn't resolve srvDomainUsers [40071]


I want to join a domain with an Ubuntu 16.04 machine. The server is Windows Server 2012 R2. I have installed PowerBroker Identity Services (PBIS) 8.5.2.265.



I get this error in /var/log/syslog:



Restricted login list - couldn't resolve srvDomainUsers [40071]


A couple of errors here: /var/log/auth:



Dec 30 08:56:47 srv3 login[1713]: PAM (login) illegal module type: sessions
Dec 30 08:56:47 srv3 login[1713]: PAM (other) illegal module type: sessions
Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]User user12 is denied access because they are not in the 'require membership of' list
Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:user12][error code:40158]
Dec 30 08:56:50 srv3 login[1713]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=user12
Dec 30 08:56:50 srv3 login[1713]: pam_sss(login:auth): Request to sssd failed. Connection refused
Dec 30 08:56:53 srv3 login[1713]: FAILED LOGIN (1) on '/dev/tty1' FOR 'user12', Authentication failure


/opt/pbis/bin/config --dump:



 root@srv3:~# /opt/pbis/bin/config --dump
AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\"
SpaceReplacement "^"
EnableEventlog false
SaslMaxBufSize 16777215
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "verbose"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/home"
HomeDirTemplate "%H/%U"
RemoteHomeDirTemplate ""
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "srv"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf "srv\DomainUsers"
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/local/%D/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
BlacklistDC


root@srv3:~# /opt/pbis/bin/get-status



LSA Server Status:

Compiled daemon version: 8.5.2.265
Packaged product version: 8.5.265.1
Uptime: 0 days 0 hours 14 minutes 5 seconds

[Authentication provider: lsa-activedirectory-provider]

Status: Online
Mode: Un-provisioned
Domain: SRV.LOCAL
Domain SID: S-1-5-21-2727847642-148432537-1030246457
Forest: srv.local
Site: Default-First-Site-Name
Online check interval: 300 seconds
[Trusted Domains: 1]


[Domain: SRV]

DNS Domain: srv.local
Netbios name: SRV
Forest name: srv.local
Trustee DNS name:
Client site name: Default-First-Site-Name
Domain SID: S-1-5-21-2727847642-148432537-1030246457
Domain GUID: 8ac2ba85-7313-6746-abfe-d44f9856708e
Trust Flags: [0x001d]
[0x0001 - In forest]
[0x0004 - Tree root]
[0x0008 - Primary]
[0x0010 - Native]
Trust type: Up Level
Trust Attributes: [0x0000]
Trust Direction: Primary Domain
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0001]
[0x0001 - Primary]

[Domain Controller (DC) Information]

DC Name: dc1.srv.local
DC Address: 192.168.253.200
DC Site: Default-First-Site-Name
DC Flags: [0x0000f1fd]
DC Is PDC: yes
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes

[Global Catalog (GC) Information]

GC Name: dc1.srv.local
GC Address: 192.168.253.200
GC Site: Default-First-Site-Name
GC Flags: [0x0000f1fd]
GC Is PDC: yes
GC is time server: yes
GC has writeable DS: yes
GC is running KDC: yes


/opt/pbis/share/pbis.pam-auth-update



Name: PowerBroker Identity Services (PBIS)
Default: yes
Priority: 260
Conflicts: winbind
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_lsass.so try_first_pass
Auth-Initial:
[success=end default=ignore] pam_lsass.so
Account-Type: Primary
Account:
[success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
[success=end new_authtok_reqd=done default=ignore] pam_lsass.so
Session-Type: Additional
Session:
optional pam_lsass.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_lsass.so use_authtok try_first_pass
Password-Initial:
[success=end default=ignore] pam_lsass.so


/etc/pam.d/common-account



#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
account [success=2 new_authtok_reqd=done default=ignore] pam_lsass.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config


/etc/pam.d/common-session:



#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
#session optional pam_lsass.so
sessions [success=ok default=ignore] pam_lsass.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
# end of pam-auth-update config
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022


/etc/pam.d/common-auth:



#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_lsass.so
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
~
~


/etc/pbis/pbis-krb5-ad.conf:



[libdefaults]
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
dns_lookup_kdc = true
pkinit_kdc_hostname = <DNS>
pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
pkinit_eku_checking = kpServerAuth
pkinit_win2k_require_binding = false
pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so
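
An added example, not part of the original question and not PBIS or Linux-PAM code: a small linter that locates the config line behind the `illegal module type: sessions` log entries and, going beyond that one case, checks that numeric `success=N` jumps stay inside the file. The sample strings are the active lines quoted in the question with the header comments omitted, so line numbers refer to the samples; all function names are hypothetical.

```python
import re

VALID_TYPES = {"auth", "account", "password", "session"}
KEYWORD_CONTROLS = {"required", "requisite", "sufficient", "optional",
                    "include", "substack"}
# Named actions allowed on the right-hand side of value=action inside [...]
NAMED_ACTIONS = {"ignore", "bad", "die", "ok", "done", "reset"}

RULE_RE = re.compile(r"^(-?)(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
LOG_RE = re.compile(r"PAM \((\S+)\) illegal module type: (\S+)")

# Log lines copied from the question's /var/log/auth excerpt.
AUTH_LOG = """\
Dec 30 08:56:47 srv3 login[1713]: PAM (login) illegal module type: sessions
Dec 30 08:56:47 srv3 login[1713]: PAM (other) illegal module type: sessions
"""
# Active lines of the quoted common-session and common-auth (comments omitted).
COMMON_SESSION = """\
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
#session optional pam_lsass.so
sessions [success=ok default=ignore] pam_lsass.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
"""
COMMON_AUTH = """\
auth [success=3 default=ignore] pam_lsass.so
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
# Constructed sample (not from the page): a jump larger than the rules left.
BROKEN_JUMP = """\
auth [success=3 default=ignore] pam_unix.so
auth requisite pam_deny.so
auth required pam_permit.so
"""
FILES = {"common-session": COMMON_SESSION, "common-auth": COMMON_AUTH}


def parse_rules(text):
    """Return (lineno, type, control, module) for every active rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((lineno, m.group(2), m.group(3), m.group(4)))
        else:  # too few fields to be a rule; keep the first token for the report
            rules.append((lineno, line.split()[0], "", ""))
    return rules


def lint(text):
    """Return a list of (lineno, message) findings for one PAM config file."""
    findings = []
    rules = parse_rules(text)
    for idx, (lineno, mtype, control, _module) in enumerate(rules):
        if mtype not in VALID_TYPES:
            findings.append((lineno, f"illegal module type: {mtype}"))
            continue
        if not control:
            findings.append((lineno, "incomplete rule"))
            continue
        if not control.startswith("["):
            if control not in KEYWORD_CONTROLS:
                findings.append((lineno, f"unknown control: {control}"))
            continue
        # Number of rules of the same type that follow this one in the file.
        following = sum(1 for r in rules[idx + 1:] if r[1] == mtype)
        for pair in control[1:-1].split():
            _value, _, action = pair.partition("=")
            if action in NAMED_ACTIONS:
                continue
            if not action.isdigit():
                findings.append((lineno, f"bad action: {pair}"))
            elif int(action) > following:
                findings.append((lineno, f"{pair} jumps past end of file"))
    return findings


def correlate(log_text, files):
    """Map each 'illegal module type' log entry to the config lines behind it."""
    hits = {}
    for _service, bad_type in LOG_RE.findall(log_text):
        for name, text in files.items():
            for lineno, mtype, _control, module in parse_rules(text):
                if mtype == bad_type:
                    hits.setdefault(bad_type, set()).add((name, lineno, module))
    return hits


if __name__ == "__main__":
    for name, text in FILES.items():
        print(name, lint(text))
    print(correlate(AUTH_LOG, FILES))
```

On a real host the same functions can be pointed at the contents of the files under /etc/pam.d instead of the embedded samples.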









      # end of pam-auth-update config
      ~
      ~


      /etc/pbis/pbis-krb5-ad.conf:



      [libdefaults]
      default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
      default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
      preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
      dns_lookup_kdc = true
      pkinit_kdc_hostname = <DNS>
      pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
      pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
      pkinit_eku_checking = kpServerAuth
      pkinit_win2k_require_binding = false
      pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so









      share|improve this question
















      I want to join a domain with an Ubuntu 16.04 machine. The server is Windows Server 2012 R2. I have installed PowerBroker Identity Services (PBIS) 8.5.2.265.



      I get this error in /var/log/syslog:



      Restricted login list - couldn't resolve srvDomainUsers [40071]


      A couple of errors here, in /var/log/auth:



      Dec 30 08:56:47 srv3 login[1713]: PAM (login) illegal module type: sessions
      Dec 30 08:56:47 srv3 login[1713]: PAM (other) illegal module type: sessions
      Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]User user12 is denied access because they are not in the 'require membership of' list
      Dec 30 08:56:50 srv3 login[1713]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:user12][error code:40158]
      Dec 30 08:56:50 srv3 login[1713]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=user12
      Dec 30 08:56:50 srv3 login[1713]: pam_sss(login:auth): Request to sssd failed. Connection refused
      Dec 30 08:56:53 srv3 login[1713]: FAILED LOGIN (1) on '/dev/tty1' FOR 'user12', Authentication failure


      /opt/pbis/bin/config --dump:



       root@srv3:~# /opt/pbis/bin/config --dump
      AllowDeleteTo ""
      AllowReadTo ""
      AllowWriteTo ""
      MaxDiskUsage 104857600
      MaxEventLifespan 90
      MaxNumEvents 100000
      DomainSeparator "\"
      SpaceReplacement "^"
      EnableEventlog false
      SaslMaxBufSize 16777215
      Providers "ActiveDirectory"
      DisplayMotd false
      PAMLogLevel "verbose"
      UserNotAllowedError "Access denied"
      AssumeDefaultDomain true
      CreateHomeDir true
      CreateK5Login true
      SyncSystemTime true
      TrimUserMembership true
      LdapSignAndSeal false
      LogADNetworkConnectionEvents true
      NssEnumerationEnabled true
      NssGroupMembersQueryCacheOnly true
      NssUserMembershipQueryCacheOnly false
      RefreshUserCredentials true
      CacheEntryExpiry 14400
      DomainManagerCheckDomainOnlineInterval 300
      DomainManagerUnknownDomainCacheTimeout 3600
      MachinePasswordLifespan 2592000
      MemoryCacheSizeCap 0
      HomeDirPrefix "/home"
      HomeDirTemplate "%H/%U"
      RemoteHomeDirTemplate ""
      HomeDirUmask "022"
      LoginShellTemplate "/bin/bash"
      SkeletonDirs "/etc/skel"
      UserDomainPrefix "srv"
      DomainManagerIgnoreAllTrusts false
      DomainManagerIncludeTrustsList
      DomainManagerExcludeTrustsList
      RequireMembershipOf "srv\DomainUsers"
      Local_AcceptNTLMv1 true
      Local_HomeDirTemplate "%H/local/%D/%U"
      Local_HomeDirUmask "022"
      Local_LoginShellTemplate "/bin/sh"
      Local_SkeletonDirs "/etc/skel"
      UserMonitorCheckInterval 1800
      LsassAutostart true
      EventlogAutostart true
      BlacklistDC


      root@srv3:~# /opt/pbis/bin/get-status



      LSA Server Status:

      Compiled daemon version: 8.5.2.265
      Packaged product version: 8.5.265.1
      Uptime: 0 days 0 hours 14 minutes 5 seconds

      [Authentication provider: lsa-activedirectory-provider]

      Status: Online
      Mode: Un-provisioned
      Domain: SRV.LOCAL
      Domain SID: S-1-5-21-2727847642-148432537-1030246457
      Forest: srv.local
      Site: Default-First-Site-Name
      Online check interval: 300 seconds
      [Trusted Domains: 1]


      [Domain: SRV]

      DNS Domain: srv.local
      Netbios name: SRV
      Forest name: srv.local
      Trustee DNS name:
      Client site name: Default-First-Site-Name
      Domain SID: S-1-5-21-2727847642-148432537-1030246457
      Domain GUID: 8ac2ba85-7313-6746-abfe-d44f9856708e
      Trust Flags: [0x001d]
      [0x0001 - In forest]
      [0x0004 - Tree root]
      [0x0008 - Primary]
      [0x0010 - Native]
      Trust type: Up Level
      Trust Attributes: [0x0000]
      Trust Direction: Primary Domain
      Trust Mode: In my forest Trust (MFT)
      Domain flags: [0x0001]
      [0x0001 - Primary]

      [Domain Controller (DC) Information]

      DC Name: dc1.srv.local
      DC Address: 192.168.253.200
      DC Site: Default-First-Site-Name
      DC Flags: [0x0000f1fd]
      DC Is PDC: yes
      DC is time server: yes
      DC has writeable DS: yes
      DC is Global Catalog: yes
      DC is running KDC: yes

      [Global Catalog (GC) Information]

      GC Name: dc1.srv.local
      GC Address: 192.168.253.200
      GC Site: Default-First-Site-Name
      GC Flags: [0x0000f1fd]
      GC Is PDC: yes
      GC is time server: yes
      GC has writeable DS: yes
      GC is running KDC: yes


      /opt/pbis/share/pbis.pam-auth-update



      Name: PowerBroker Identity Services (PBIS)
      Default: yes
      Priority: 260
      Conflicts: winbind
      Auth-Type: Primary
      Auth:
      [success=end default=ignore] pam_lsass.so try_first_pass
      Auth-Initial:
      [success=end default=ignore] pam_lsass.so
      Account-Type: Primary
      Account:
      [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
      [success=end new_authtok_reqd=done default=ignore] pam_lsass.so
      Session-Type: Additional
      Session:
      optional pam_lsass.so
      Password-Type: Primary
      Password:
      [success=end default=ignore] pam_lsass.so use_authtok try_first_pass
      Password-Initial:
      [success=end default=ignore] pam_lsass.so


      /etc/pam.d/common-account



      #
      # /etc/pam.d/common-account - authorization settings common to all services
      #
      # This file is included from other service-specific PAM config files,
      # and should contain a list of the authorization modules that define
      # the central access policy for use on the system. The default is to
      # only deny service to users whose accounts are expired in /etc/shadow.
      #
      # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
      # To take advantage of this, it is recommended that you configure any
      # local modules either before or after the default block, and use
      # pam-auth-update to manage selection of other modules. See
      # pam-auth-update(8) for details.
      #

      # here are the per-package modules (the "Primary" block)
      account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
      account [success=2 new_authtok_reqd=done default=ignore] pam_lsass.so
      account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
      # here's the fallback if no module succeeds
      account requisite pam_deny.so
      # prime the stack with a positive return value if there isn't one already;
      # this avoids us returning an error just because nothing sets a success code
      # since the modules above will each just jump around
      account required pam_permit.so
      # and here are more per-package modules (the "Additional" block)
      account sufficient pam_localuser.so
      account [default=bad success=ok user_unknown=ignore] pam_sss.so
      # end of pam-auth-update config


      /etc/pam.d/common-session:



      #
      # /etc/pam.d/common-session - session-related modules common to all services
      #
      # This file is included from other service-specific PAM config files,
      # and should contain a list of modules that define tasks to be performed
      # at the start and end of sessions of *any* kind (both interactive and
      # non-interactive).
      #
      # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
      # To take advantage of this, it is recommended that you configure any
      # local modules either before or after the default block, and use
      # pam-auth-update to manage selection of other modules. See
      # pam-auth-update(8) for details.

      # here are the per-package modules (the "Primary" block)
      session [default=1] pam_permit.so
      # here's the fallback if no module succeeds
      session requisite pam_deny.so
      # prime the stack with a positive return value if there isn't one already;
      # this avoids us returning an error just because nothing sets a success code
      # since the modules above will each just jump around
      session required pam_permit.so
      # The pam_umask module will set the umask according to the system default in
      # /etc/login.defs and user settings, solving the problem of different
      # umask settings with different shells, display managers, remote sessions etc.
      # See "man pam_umask".
      session optional pam_umask.so
      # and here are more per-package modules (the "Additional" block)
      #session optional pam_lsass.so
      sessions [success=ok default=ignore] pam_lsass.so
      session required pam_unix.so
      session optional pam_sss.so
      session optional pam_systemd.so
      # end of pam-auth-update config
      session required pam_mkhomedir.so skel=/etc/skel/ umask=0022


      /etc/pam.d/common-auth:



      #
      # /etc/pam.d/common-auth - authentication settings common to all services
      #
      # This file is included from other service-specific PAM config files,
      # and should contain a list of the authentication modules that define
      # the central authentication scheme for use on the system
      # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
      # traditional Unix authentication mechanisms.
      #
      # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
      # To take advantage of this, it is recommended that you configure any
      # local modules either before or after the default block, and use
      # pam-auth-update to manage selection of other modules. See
      # pam-auth-update(8) for details.

      # here are the per-package modules (the "Primary" block)
      auth [success=3 default=ignore] pam_lsass.so
      auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
      auth [success=1 default=ignore] pam_sss.so use_first_pass
      # here's the fallback if no module succeeds
      auth requisite pam_deny.so
      # prime the stack with a positive return value if there isn't one already;
      # this avoids us returning an error just because nothing sets a success code
      # since the modules above will each just jump around
      auth required pam_permit.so
      # and here are more per-package modules (the "Additional" block)
      # end of pam-auth-update config
      ~
      ~


      /etc/pbis/pbis-krb5-ad.conf:



      [libdefaults]
      default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
      default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
      preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
      dns_lookup_kdc = true
      pkinit_kdc_hostname = <DNS>
      pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
      pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
      pkinit_eku_checking = kpServerAuth
      pkinit_win2k_require_binding = false
      pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so






      linux active-directory powerbroker














      edited Dec 30 '16 at 13:16 by Slipeer

      asked Dec 30 '16 at 8:25 by Xenioz




















          1 Answer















          Restricted login list - couldn't resolve srvDomainUsers [40071]




          You should check that the name of the Domain Users group in the PBIS settings corresponds to how PBIS sees it.
          To do this, run the following command:

          /opt/pbis/bin/enum-groups | grep -i Domain

          Find your Domain Users group name as it is displayed and put the name of the group into the configuration in the same form.






          answered Dec 30 '16 at 8:33 by Slipeer












          • I have changed the config option. But I still cannot log in to the console.

            – Xenioz
            Dec 30 '16 at 8:58











          • @xenioz New or same error?

            – Slipeer
            Dec 30 '16 at 8:59











          • The error that I had before is gone, but I get this:
            Dec 30 09:56:14 srv3 login[1736]: pam_sss(login:account): Request to sssd failed. Connection refused
            Dec 30 09:56:14 srv3 login[1736]: Authentication service cannot retrieve authentication info
            Dec 30 09:56:15 srv3 login[1742]: PAM (login) illegal module type: sessions
            Dec 30 09:56:15 srv3 login[1742]: PAM (other) illegal module type: sessions

            – Xenioz
            Dec 30 '16 at 8:59
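
The `illegal module type: sessions` lines in the logs quoted in this thread come from libpam parsing the pam.d files, not from PBIS. As an added example (not part of the original posts, and not PBIS or Linux-PAM code), here is a small checker for a pam.d file that flags unknown module types, unknown controls, and jump counts that skip past the end of a stack. The sample input is the rule lines of the common-session file posted in the question; the function names are this example's own.

```python
import re

VALID_TYPES = {"auth", "account", "password", "session"}
KEYWORD_CONTROLS = {"required", "requisite", "sufficient", "optional",
                    "include", "substack"}
NAMED_ACTIONS = {"ignore", "bad", "die", "ok", "done", "reset"}

# Sample input: rule lines of /etc/pam.d/common-session as posted in the question
# (the long explanatory comments of the file are left out).
SAMPLE_COMMON_SESSION = """\
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
#session optional pam_lsass.so
sessions [success=ok default=ignore] pam_lsass.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
"""

# type  control  module-path  [arguments]; control is a keyword or "[value=action ...]"
RULE_RE = re.compile(r"^(-?)(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_rules(text):
    """Return (rules, findings); each rule records lineno, type, control, module."""
    rules, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and Debian-style "@include" directives.
        if not line or line.startswith("#") or line.startswith("@include"):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((lineno, "unparseable rule: " + line))
            continue
        _, mtype, control, module, _ = m.groups()
        rules.append({"lineno": lineno, "type": mtype,
                      "control": control, "module": module})
    return rules, findings


def check_stack(text):
    """Lint one pam.d file; return a sorted list of (lineno, message)."""
    rules, findings = parse_rules(text)
    stacks = {}
    for r in rules:
        mtype = r["type"].lower()
        if mtype not in VALID_TYPES:
            # Same wording libpam uses in the syslog lines quoted above.
            findings.append((r["lineno"], "illegal module type: " + r["type"]))
        else:
            stacks.setdefault(mtype, []).append(r)
    for mtype, stack in stacks.items():
        for idx, r in enumerate(stack):
            ctl = r["control"]
            if not ctl.startswith("["):
                if ctl not in KEYWORD_CONTROLS:
                    findings.append((r["lineno"], "unknown control: " + ctl))
                continue
            for pair in ctl[1:-1].split():
                _, _, action = pair.partition("=")
                if action.isdigit():
                    jump = int(action)
                    # A jump of N skips the next N rules of the same type.
                    if jump == 0 or idx + jump >= len(stack):
                        findings.append((r["lineno"],
                            f"jump of {jump} skips past the end of the {mtype} stack"))
                elif action not in NAMED_ACTIONS:
                    findings.append((r["lineno"], "unknown action: " + pair))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, message in check_stack(SAMPLE_COMMON_SESSION):
        print(f"line {lineno}: {message}")
```

Jumps are counted only among the rules present in the file being checked, so a file that relies on `include` or `@include` to extend its stack needs the included rules pasted in first.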
















