AD authentication failing on Ubuntu || Access denied for user : 4 (System error)

I'm facing this issue and have tried all the steps provided online, but the problem persists. Need some expert solution.

ssh -vvv output

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 2: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug2: resolving "10.xx.xx.xx" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 10.xx.xx.xx [10.xx.xx.xx] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.10 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.xx.xx.xx:22 as 'admin@domain'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:262
debug3: load_hostkeys: loaded 1 keys from 10.xx.xx.xx
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:zlPEDwZal+pYFuwCFeBmY2Mgs5geOuercQB7ZEyDQKc
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:262
debug3: load_hostkeys: loaded 1 keys from 10.xx.xx.xx
debug1: Host '10.xx.xx.xx' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:262
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /root/.ssh/id_rsa (0x5644a36e9d20)
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil))
debug2: key: /root/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
Authorized uses only. All activity may be monitored and reported.debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
admin@domain@10.xx.xx.xx's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
Authentication failed.

auth.log errors

sshd[3850]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.xx.xx.x  user=admin@domain
sssd_be: GSSAPI client step 1
sssd_be: message repeated 2 times: [ GSSAPI client step 1]
sssd_be: GSSAPI client step 2
sshd[3850]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.xx.xx.x user=admin@domain
sshd[3850]: pam_sss(sshd:account): Access denied for user admin@domain : 4 (System error)
sshd[3850]: Failed password for admin@domain from 10.xx.xx.x port 55746 ssh2
sshd[3850]: fatal: Access denied for user admin@domain by PAM account configuration [preauth]

krb5_child log with debug_level = 9

(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [main] (0x0400): krb5_child started.
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [unpack_buffer] (0x1000): total buffer size: [175]
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [unpack_buffer] (0x0100): cmd [241] uid [996802749] gid [996800513] validate [false] enterprise principal [true] offline [false] UPN [User@Domain]
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_996802749_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_996802749_bjrJ8r] keytab: [/etc/krb5.keytab]
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [check_use_fast] (0x0100): Not using FAST.
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [switch_creds] (0x0200): Switch user to [996802749][996800513].
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_996802749_bjrJ8r] and is not active and TGT is  valid.
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [become_user] (0x0200): Trying to become user [996802749][996800513].
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [main] (0x2000): Running as [996802749][996800513].
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [become_user] (0x0200): Trying to become user [996802749][996800513].
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [become_user] (0x0200): Already user [996802749].
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [k5c_setup] (0x2000): Running as [996802749][996800513].
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [main] (0x0400): Will perform online auth
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [Domain]
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.806719: Getting initial credentials for User\@Domain@Domain
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.806812: Sending request (184 bytes) to Domain
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.807040: Sending initial UDP request to dgram 10.xx.xx.xx:88
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.817486: Received answer (189 bytes) from dgram 10.xx.xx.xx:88
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.817693: Response was from master KDC
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.817774: Received error from KDC: -1765328359/Additional pre-authentication required
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.817903: Processing preauth types: 16, 15, 19, 2
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.817989: Selected etype info: etype aes256-cts, salt "Domainuser", params ""
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.845769: AS key obtained for encrypted timestamp: aes256-cts/1B4F
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.846068: Encrypted timestamp (for 1629698693.925620): plain 301AA011180F32303231303832333036303435335AA10502030E1FB4, encrypted D53776067EFD3BAAB0440FF77C31573AF4A0691729A86FB0EF501886D8F0FB284EC39C737341E614CD90CD29AD96D49E713AEE5674FF9EC7
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.846187: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.846234: Produced preauth for next request: 2
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.846304: Sending request (264 bytes) to Domain
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.846496: Sending initial UDP request to dgram 10.xx.xx.xx:88
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.848480: Received answer (90 bytes) from dgram 10.xx.xx.xx:88
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.848626: Response was from master KDC
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.848729: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.848785: Request or response is too big for UDP; retrying with TCP
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.848847: Sending request (264 bytes) to Domain (tcp only)
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.848969: Initiating TCP connection to stream 10.xx.xx.xx:88
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.850037: Sending TCP request to stream 10.xx.xx.xx:88
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.853498: Received answer (1620 bytes) from stream 10.xx.xx.xx:88
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.853604: Terminating TCP connection to stream 10.xx.xx.xx:88
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.853739: Response was from master KDC
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.853835: Processing preauth types: 19
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.853919: Selected etype info: etype aes256-cts, salt "Domainuser", params ""
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.854012: Produced preauth for next request: (empty)
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.854077: AS key determined by preauth: aes256-cts/1B4F
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.854226: Decrypted AS reply; session key is: aes256-cts/EAD7
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_child_krb5_trace_cb] (0x4000): [14106] 1629698693.854331: FAST negotiation: unavailable
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [3394257]
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [get_and_save_tgt] (0x0100): TGT validation is disabled.
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_996802749_XXXXXX]
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal User@Domain in cache collection]
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [create_ccache] (0x4000): Initializing ccache of type [FILE]
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [create_ccache] (0x4000): returning: 0
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [switch_creds] (0x0200): Switch user to [996802749][996800513].
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [switch_creds] (0x0200): Already user [996802749].
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [k5c_send_data] (0x0200): Received error code 0
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [pack_response_packet] (0x2000): response packet size: [150]
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [k5c_send_data] (0x4000): Response sent.
(Mon Aug 23 11:34:53 2021) [[sssd[krb5_child[14106]]]] [main] (0x0400): krb5_child completed successfully
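An added example, not part of the original post and not SSSD project code: a small triage script that reads the auth.log and krb5_child lines above and separates the two things they show. The pam_sss(sshd:auth) success together with "krb5_child completed successfully" means the KDC accepted the AD password; the denial happens one PAM stage later, in pam_sss(sshd:account), which is where SSSD runs its access check (the configured access_provider), and it returns PAM_SYSTEM_ERR (4) rather than a plain permission denied. The pam_unix auth failure that precedes it is normal for an AD account with no /etc/shadow entry and is a red herring. The same krb5_child output also shows "validate [false]" / "TGT validation is disabled" and "Not using FAST", which are worth flagging on their own: without TGT validation the client never checks the KDC's reply against /etc/krb5.keytab. The sample log strings are copied from the post; the PAM return-code names are Linux-PAM's; the sssd.conf option names in the comments (krb5_validate, krb5_use_fast) are real sssd-krb5 options, mentioned as general hardening notes and not as a diagnosis of this particular failure.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the auth.log excerpt from the post, hosts masked as in the post.
AUTH_LOG = """\
sshd[3850]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.xx.xx.x  user=admin@domain
sshd[3850]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.xx.xx.x user=admin@domain
sshd[3850]: pam_sss(sshd:account): Access denied for user admin@domain : 4 (System error)
sshd[3850]: Failed password for admin@domain from 10.xx.xx.x port 55746 ssh2
sshd[3850]: fatal: Access denied for user admin@domain by PAM account configuration [preauth]
"""

# Constructed sample input: the krb5_child debug lines from the post that carry a security-relevant flag.
KRB5_CHILD_LOG = """\
[unpack_buffer] (0x0100): cmd [241] uid [996802749] gid [996800513] validate [false] enterprise principal [true] offline [false] UPN [User@Domain]
[check_use_fast] (0x0100): Not using FAST.
[privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
[get_and_save_tgt] (0x0100): TGT validation is disabled.
[main] (0x0400): krb5_child completed successfully
"""

# pam_<module>(<service>:<phase>): <message>
PAM_RE = re.compile(
    r"(?P<module>pam_\w+)\((?P<service>[\w.-]+):(?P<phase>auth|account|session|password)\): (?P<msg>.*)"
)
# pam_sss appends the numeric PAM return code to denials: "... : 4 (System error)"
PAM_CODE_RE = re.compile(r": (?P<code>\d+) \((?P<text>[^)]+)\)\s*$")

# Linux-PAM return codes that commonly appear in pam_sss denial messages.
PAM_CODES = {4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             10: "PAM_USER_UNKNOWN", 12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED"}


@dataclass
class PamEvent:
    module: str
    phase: str
    ok: bool
    code: Optional[int]
    message: str


def parse_pam_events(log: str) -> List[PamEvent]:
    """Pull every pam_*(service:phase) line out of an auth.log excerpt."""
    events = []
    for line in log.splitlines():
        m = PAM_RE.search(line)
        if not m:
            continue  # sshd's own lines ("Failed password", "fatal: ...") are not PAM module output
        msg = m.group("msg")
        code_m = PAM_CODE_RE.search(msg)
        code = int(code_m.group("code")) if code_m else None
        events.append(PamEvent(m.group("module"), m.group("phase"),
                               msg.startswith("authentication success"), code, msg))
    return events


def classify(events: List[PamEvent]) -> str:
    """Decide which PAM stage actually rejected the login.

    pam_unix failing in the auth phase is expected for an AD user (no entry in /etc/shadow);
    what matters is whether any auth module succeeded and whether the account phase then denied.
    """
    auth_ok = any(e.phase == "auth" and e.ok for e in events)
    account_denied = [e for e in events if e.phase == "account" and not e.ok]
    if auth_ok and account_denied:
        return "credentials_ok_account_denied"
    if not auth_ok:
        return "credentials_rejected"
    return "no_pam_denial"


def account_denial_reason(events: List[PamEvent]) -> Optional[str]:
    """Name the PAM return code behind the account-phase denial, if one was logged."""
    for e in events:
        if e.phase == "account" and not e.ok and e.code is not None:
            return PAM_CODES.get(e.code, "PAM code %d" % e.code)
    return None


# (substring in krb5_child log, what it tells the operator). Option names are sssd-krb5 options;
# whether to change them is a policy decision, not something these log lines decide.
KRB5_CHECKS = (
    ("validate [false]", "TGT not validated against /etc/krb5.keytab (krb5_validate defaults to false); a spoofed KDC reply would not be detected"),
    ("Not using FAST", "pre-authentication not armored with FAST (krb5_use_fast = try|demand)"),
    ("Cannot open the PAC responder socket", "PAC responder not running; harmless unless 'pac' is listed under [sssd] services"),
)


def krb5_findings(log: str) -> List[str]:
    return [note for needle, note in KRB5_CHECKS if needle in log]


def triage(auth_log: str, krb5_log: str) -> dict:
    events = parse_pam_events(auth_log)
    return {"verdict": classify(events),
            "account_denial": account_denial_reason(events),
            "krb5_findings": krb5_findings(krb5_log)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(AUTH_LOG, KRB5_CHILD_LOG), indent=2))
```

Run it against a real /var/log/auth.log and the domain's krb5_child.log: a "credentials_ok_account_denied" verdict means the password and Kerberos side are fine and the investigation belongs in the account stack (SSSD's access_provider and the lookups it needs), not in passwords or the KDC.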