4

Platforms: Oracle Linux 5, Oracle Linux 6 PowerbrokerOpen V7.01

What we want to happen: Users are able to log in to the Linux command line using their Active Directory username and password.

What's happening now: Users are logging in with their AD login, and are no longer being prompted for a password.

What changed: The Linux machines were migrated from the domain "MYCOMPANY.NET" to "MYCOMPANY.LOCAL" as the "MYCOMPANY.NET" domain will be removed.

This is output in /var/log/secure from a machine that has not migrated yet:

Feb 11 14:51:07 prdsrv101 sshd[32690]: Accepted keyboard-interactive/pam for davthac  from 10.53.25.44 port 53561 ssh2
Feb 11 14:51:07 prdsrv01 sshd[32690]: pam_unix(sshd:session): session opened for user davthac by (uid=0)

This is output in /var/log/secure from a machine that has been migrated:

Feb 11 14:57:00 tstivxapp01 sshd[10161]: Authorized to davthac, krb5 principal [email protected] (krb5_kuserok)
Feb 11 14:57:00 tstivxapp01 sshd[10161]: Accepted gssapi-with-mic for davthac from 10.53.25.44 port 53777 ssh2
Feb 11 14:57:00 tstivxapp01 sshd[10161]: pam_unix(sshd:session): session opened for user davthac by (uid=0)

It looks like the authentication method was changed, but we made no configuration changes to Powerbroker other than leaving MYCOMPANY.NET and joining MYCOMPANY.LOCAL.

What do I need to do to get the password prompt back?

Thanks in advance

Dave

2
  • 1
    Not sure enough to write an Answer, but it looks like your Linux systems are now using SSO. In /etc/sshd_config try setting UsePAM yes, PasswordAuthentication yes, GSSAPIAuthentication no, and KerberosAuthentication yes (although possibly no) and restarting sshd. DO NOT LOG OUT OF YOUR ROOT SHELL until you know you can log back in again! Commented Feb 11, 2015 at 23:54
  • I guess the Linux servers were somehow blocked from accessing the Kerberos services of the old AD domain, making the GSSAPI authentication impossible. The new domain had no such restriction, and so GSSAPI auth started working without any explicit configuration. Commented Dec 27, 2024 at 11:02

1 Answer

0

Had to disable GSSAPIAuthentication in /etc/sshd/sshd_config file. This worked for me too as shown below.

grep GSSA /etc/ssh/sshd_config
# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
# GSSAPI options
GSSAPIAuthentication no
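
A way to verify the change, as an added example that is not part of the original answer: a plain grep also matches commented lines, and sshd keeps the first value it reads for a keyword, so the first function below reports the value in effect for the global section, and the second summarises which method each login in /var/log/secure was accepted with. The function names, the sample config and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: the sample files below are constructed, not from a real host.

# Print the value sshd would use for KEYWORD from the global section of FILE.
# sshd keeps the first value it reads for a keyword; empty output = unset.
sshd_effective() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                  # strip leading whitespace
        /^#/ || /^$/ { next }                   # skip comments and blank lines
        { split($0, f, /[ \t=]+/) }             # "Keyword value" or "Keyword=value"
        tolower(f[1]) == "match" { exit }       # Match blocks apply conditionally
        tolower(f[1]) == tolower(key) { print tolower(f[2]); exit }
    ' "$1"
}

# Summarise "Accepted <method> for <user>" lines as "user method count".
accepted_methods() {
    awk '$5 ~ /^sshd\[/ && $6 == "Accepted" && $8 == "for" { n[$9 " " $7]++ }
         END { for (k in n) print k, n[k] }' "$1" | sort
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

# Constructed config: a commented line, two conflicting settings, a Match block.
cat > "$tmp/sshd_config" <<'EOF'
# GSSAPI options
#GSSAPIAuthentication yes
GSSAPIAuthentication no
GSSAPIAuthentication yes
Match Address 10.0.0.0/8
    GSSAPIAuthentication yes
EOF

# Constructed log: one login before the change, two after it.
cat > "$tmp/secure" <<'EOF'
Feb 11 14:57:00 hostA sshd[10161]: Accepted gssapi-with-mic for davthac from 10.53.25.44 port 53777 ssh2
Feb 11 15:20:11 hostA sshd[10402]: Accepted keyboard-interactive/pam for davthac from 10.53.25.44 port 53802 ssh2
Feb 11 15:21:40 hostA sshd[10455]: Accepted keyboard-interactive/pam for davthac from 10.53.25.44 port 53810 ssh2
EOF

echo "GSSAPIAuthentication: $(sshd_effective "$tmp/sshd_config" GSSAPIAuthentication)"
accepted_methods "$tmp/secure"
```

Empty output from `sshd_effective` means the keyword is not set in the global section, so sshd falls back to its built-in default.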
