
2017-11-28

Debugging sshd and sssd

After patching a CentOS 7 server with the latest rpms, ssh would not authenticate with Active Directory.

To debug:

1. Become root on the Unix server.
  sudo su -

2. Stop the sshd service. (Note: this will not kill your current session.)
  systemctl stop sshd

3. Start sshd in debug mode. The debug output is printed to the terminal.
  /sbin/sshd -d

4. From another terminal, ssh into the server.
  ssh username@server

5. The sshd debug messages showed that the username could not be authenticated against AD. The first place to look is sssd (System Security Services Daemon).

6. Restart sssd. This returned an error message stating that sssd failed to start.
  systemctl restart sssd

7. First view the sssd service status and its log output. The logs did not provide much debug info.
  systemctl -l status sssd

8. Start sssd in debug mode. The debug output is printed to the terminal.
  sssd -i -d 4

9. The error message in this case was "PAM unable to dlopen /usr/lib/samba/libreplace-samba4.so: version 'SAMBA_4.4.4 not found"

10. Checked the version of samba-client. This showed that yum update had installed both samba-client 4.4.4 and 4.6.2.
  yum --showduplicates list samba-client


11. Reinstalled samba-client so that only one version is installed.
  yum remove samba-client
  yum install samba-client


12. sssd now starts successfully and users can authenticate against AD over ssh.
  systemctl start sssd
  systemctl start sshd
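
The root cause above was two versions of the same package left installed after a yum update. The following check for that condition is an added example, not part of the original post: it reads an rpm package listing and reports every name/arch pair installed in more than one version. The function names, the release strings in the sample listing, and the choice to skip kernel* and gpg-pubkey (which normally keep several versions) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: flag packages that are installed in more than one version.
# Expected input, one package per line: "NAME VERSION-RELEASE ARCH", e.g. from
#   rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n' | find_dupes

find_dupes() {
    # Prints "name.arch: ver1 ver2 ..." for each duplicated name/arch pair.
    awk '
        # Assumption: kernel packages and gpg-pubkey entries are expected
        # to exist in several versions, so they are not reported.
        $1 ~ /^kernel/ || $1 == "gpg-pubkey" { next }
        NF >= 3 {
            key = $1 "." $3          # same name on another arch is multilib, not a dupe
            count[key]++
            if (key in versions) versions[key] = versions[key] " " $2
            else                 versions[key] = $2
        }
        END {
            for (k in count)
                if (count[k] > 1) print k ": " versions[k]
        }
    ' | sort
}

# Constructed sample listing (not captured from a real host). The
# samba-client pair mirrors the 4.4.4 / 4.6.2 situation in step 10.
sample_rpm_list() {
    cat <<'EOF'
sssd 1.15.2-1.el7 x86_64
samba-client 4.4.4-1.el7 x86_64
samba-client 4.6.2-1.el7 x86_64
glibc 2.17-1.el7 x86_64
glibc 2.17-1.el7 i686
kernel 3.10.0-1.el7 x86_64
kernel 3.10.0-2.el7 x86_64
gpg-pubkey aaaaaaaa-1 (none)
gpg-pubkey bbbbbbbb-1 (none)
EOF
}

# Demo run on the constructed sample.
sample_rpm_list | find_dupes
```

Any line it prints after a patch run is worth resolving before restarting services such as sssd that load shared libraries from the affected package.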