Authentication Failures on Linux with Active Directory

You may see authentication problems with JetStream server on Linux systems that integrate with Active Directory using SSSD. The error reported on the system running JetStream server will be:

jetstream[23999]: pam_unix(jetstream:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=jsmith
jetstream[23999]: pam_sss(jetstream:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=jsmith
jetstream[23999]: pam_sss(jetstream:account): Access denied for user jsmith: 6 (Permission denied)
jetstream[23999]: pam_acct_mgmt: Permission denied

This happens because SSSD does not know how to map the JetStream service to the Active Directory Group Policy Object. To fix this:

  1. Append the following line to /etc/sssd/sssd.conf:
ad_gpo_map_network = +jetstream

This tells SSSD to treat jetstream as a network service, so access for it is evaluated against the GPO using the NetworkLogonRight and DenyNetworkLogonRight policy settings.

  2. Clear the SSSD cache: sss_cache -E
  3. Restart the SSSD service: systemctl restart sssd
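
A check for this fix, as an added example rather than JetStream or SSSD code: it pulls the denied PAM service name out of log lines like those above and lists the [domain/...] sections of sssd.conf that do not map it. SSSD reads ad_gpo_map_network from the domain section (see sssd-ad(5)), so an appended line only takes effect when that section is the last one in the file; the log lines, the example.test domain and the configuration text are constructed samples.

```python
import configparser
import re

# Account-phase denial written by pam_sss; the PAM service name precedes ":account".
DENIED = re.compile(
    r"pam_sss\((?P<service>[^:)]+):account\): Access denied for user (?P<user>\S+): 6 \("
)

def denied_services(log_lines):
    """Return the PAM service names that pam_sss denied in the account phase."""
    return {m.group("service") for line in log_lines if (m := DENIED.search(line))}

def domains_missing_mapping(conf_text, service, option="ad_gpo_map_network"):
    """Return the [domain/...] sections whose `option` does not add `service`."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(conf_text)
    missing = []
    for section in conf.sections():
        if not section.startswith("domain/"):
            continue  # the option is only read from domain sections
        entries = [e.strip() for e in conf.get(section, option, fallback="").split(",")]
        if f"+{service}" not in entries and service not in entries:
            missing.append(section)
    return missing

# Constructed sample: log lines in the format shown on this page.
SAMPLE_LOG = [
    "jetstream[23999]: pam_sss(jetstream:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=jsmith",
    "jetstream[23999]: pam_sss(jetstream:account): Access denied for user jsmith: 6 (Permission denied)",
]
# Constructed sample: the line was appended after [pam], not inside the domain section.
SAMPLE_CONF = """\
[sssd]
domains = example.test

[domain/example.test]
id_provider = ad
access_provider = ad

[pam]
ad_gpo_map_network = +jetstream
"""

if __name__ == "__main__":
    for svc in sorted(denied_services(SAMPLE_LOG)):
        for section in domains_missing_mapping(SAMPLE_CONF, svc):
            print(f"[{section}]: add 'ad_gpo_map_network = +{svc}' to this section")
```

To check a live system, pass the contents of /etc/sssd/sssd.conf and the relevant journal lines instead of the samples.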