Authentication Failures on Linux with Active Directory
You may see authentication problems with Jetstream server on Linux systems that integrate with Active Directory using SSSD. The error reported on the system running Jetstream server will be:
jetstream[23999]: pam_unix(jetstream:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=jsmith
jetstream[23999]: pam_sss(jetstream:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=jsmith
jetstream[23999]: pam_sss(jetstream:account): Access denied for user jsmith: 6 (Permission denied)
jetstream[23999]: pam_acct_mgmt: Permission denied
This happens because SSSD does not know how to map the Jetstream service to the Active Directory Group Policy Object. To fix this:
- Append the following line to /etc/sssd/sssd.conf: ad_gpo_map_network = +jetstream
  This tells SSSD to treat jetstream as a network service, so access is evaluated against the GPO using the NetworkLogonRight and DenyNetworkLogonRight policy settings.
- Clear the SSSD cache: sss_cache -E
- Restart the SSSD service: systemctl restart sssd
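
To confirm that a denial matches this pattern before and after the change, the following added example (not part of Jetstream or SSSD) picks out users whose pam_sss auth phase succeeded but whose account phase was denied, and checks whether sssd.conf maps the service. The function names, the user akhan and the domain example.com are constructed for illustration, and the check assumes the option is read from the [domain/...] section.

```shell
#!/bin/sh

# Print each user whose pam_sss auth phase succeeded but whose account phase
# was denied for SERVICE ($1), the log pattern shown above. Log on stdin.
gpo_denied_users() {
    awk -v svc="$1" '
        index($0, "pam_sss(" svc ":auth): authentication success") &&
        match($0, / user=[^ ]+/) { ok[substr($0, RSTART + 6, RLENGTH - 6)] = 1 }
        index($0, "pam_sss(" svc ":account): Access denied for user ") {
            u = $0; sub(/.*Access denied for user /, "", u); sub(/:.*/, "", u)
            if ((u in ok) && !seen[u]++) print u
        }'
}

# Succeed if a [domain/...] section of the sssd.conf on stdin lists +SERVICE
# in ad_gpo_map_network. Assumption: SSSD reads the option from that section.
gpo_map_has_service() {
    awk -v svc="$1" '
        /^[ \t]*\[/ { in_domain = ($0 ~ /^[ \t]*\[domain\//); next }
        in_domain && /^[ \t]*ad_gpo_map_network[ \t]*=/ {
            v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v)
            n = split(v, item, ",")
            for (i = 1; i <= n; i++) if (item[i] == "+" svc) found = 1
        }
        END { exit !found }'
}

# Log lines from the page plus one constructed user (akhan) whose password
# check itself failed, which is not the GPO-mapping pattern.
sample_log() {
    cat <<'EOF'
jetstream[23999]: pam_unix(jetstream:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=jsmith
jetstream[23999]: pam_sss(jetstream:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=jsmith
jetstream[23999]: pam_sss(jetstream:account): Access denied for user jsmith: 6 (Permission denied)
jetstream[23999]: pam_acct_mgmt: Permission denied
jetstream[24012]: pam_sss(jetstream:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=akhan
EOF
}

# Constructed sssd.conf; pass "fixed" to include the mapping line from the page.
sample_conf() {
    printf '[sssd]\nservices = nss, pam\n\n[domain/example.com]\nid_provider = ad\naccess_provider = ad\n'
    if [ "$1" = fixed ]; then echo 'ad_gpo_map_network = +jetstream'; fi
}

for u in $(sample_log | gpo_denied_users jetstream); do
    sample_conf | gpo_map_has_service jetstream ||
        echo "$u: auth succeeded, account denied; +jetstream missing from ad_gpo_map_network"
done
```

On a real host, feed the functions the system log and /etc/sssd/sssd.conf on stdin instead of the sample data.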