Article Number
000068148
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
O/S Version: RHEL
Issue
When a user authenticates using PAM with the RSA Token or a Fixed Passcode, the authentication attempt fails.
Cause
The root cause of the issue is in the connection between LDAP and the Linux machine. Checking the sssd configuration with realm list shows that the user login format is %U@mydomain.local:
realm list
example.com
type: kerberos
realm-name: EXAMPLE.COM
domain-name: example.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@example.com
login-policy: allow-realm-logins
In the /var/log/secure logs, the user is reported as an invalid user, as shown here for the user rsatest:
Mar 28 01:16:25 pam sshd[6769]: Invalid user rsatest from ::1 port 52404
Mar 28 01:16:25 pam sshd[6769]: Postponed keyboard-interactive for invalid user rsatest from ::1 port 52404 ssh2 [preauth]
Mar 28 01:16:28 pam sshd[6772]: pam_unix(sshd:auth): check pass; user unknown
Mar 28 01:16:28 pam sshd[6772]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1
Mar 28 01:16:28 pam sshd[6769]: Postponed keyboard-interactive/pam for invalid user rsatest from ::1 port 52404 ssh2 [preauth]
Mar 28 01:16:52 pam sshd[6769]: error: PAM: Authentication failure for illegal user rsatest from ::1
Mar 28 01:16:52 pam sshd[6769]: Failed keyboard-interactive/pam for invalid user rsatest from ::1 port 52404 ssh2
Mar 28 01:16:52 pam sshd[6769]: Postponed keyboard-interactive for invalid user rsatest from ::1 port 52404 ssh2 [preauth]
Resolution
Checking the sssd configuration with realm list showed that login-formats was %U@mydomain.local. After it was modified to %U, authentication became successful.
- cd /etc/sssd
- vim sssd.conf
- Change the login format by setting use_fully_qualified_names from True to False.
- Restart the sssd service: systemctl restart sssd.service
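A check to run before and after the change described above, added here as an example and not part of the original article: it reports use_fully_qualified_names for each domain section of sssd.conf and tests whether realm list reports the bare %U login format. The function names and the script name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the
# script name in the usage line below are hypothetical.

# Print "<section> <value>" for each [domain/...] section of an sssd.conf;
# the value is "unset" when use_fully_qualified_names is absent.
fqn_settings() {
    awk '
        function emit() { if (sec != "") print sec, (val == "" ? "unset" : val) }
        /^[ \t]*\[/ {
            emit(); sec = ""; val = ""
            if ($0 ~ /^[ \t]*\[domain\//) {
                sec = $0
                gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            }
            next
        }
        sec != "" && /^[ \t]*use_fully_qualified_names[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]*$/, "", val)
        }
        END { emit() }
    ' "$1"
}

# Read `realm list` output on stdin and print the login-formats value(s).
login_formats() {
    sed -n 's/^[[:space:]]*login-formats:[[:space:]]*//p'
}

# Succeed only when the single reported login format is the bare %U, so a
# short name such as "rsatest" is accepted without a domain suffix.
short_names_ok() {
    [ "$(login_formats)" = "%U" ]
}

# Usage on a host: sh check_fqn.sh /etc/sssd/sssd.conf
if [ "$#" -ge 1 ]; then
    fqn_settings "$1"
    if realm list | short_names_ok; then
        echo "short login names accepted"
    else
        echo "login format requires a qualified name"
    fi
fi
```

Commented-out copies of the key are ignored, so only the active setting in each domain section is reported.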