lsa authenticate-user - Error: LW_ERROR_NOT_HANDLED (0x9c51)
gluckritz opened this issue · 6 comments
Version: pbis-open-9.0.1.525.linux.x86_64
OS/Distro: Ubuntu 18.04.2 LTS bionic
Issue/Impact: I'm able to join the domain without issue. I'm able to enumerate users and spit out all groups that a user belongs to (using "id"), and I find the entry for myself in the enumerated list of users, but I am unable to authenticate against AD.
[~]> sudo /opt/pbis/bin/lsa authenticate-user --user gluckritz
Password:
Error: LW_ERROR_NOT_HANDLED (0x9c51)
Trying to ssh to the box prompts for a password until it spits out "Too many authentication failures".
/tmp/lsass.log has numerous lines with [Status: LW_STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034 (-1073741772)]
auth.log contains:
Postponed keyboard-interactive for invalid user gluckritz . . .
error: PAM: Authentication failure for illegal user gluckritz . . .
I've gone through the other similar issues that I've found here but have not been able to find anything that works.
- systemctl status lwsmd.service
lwsmd.service - BeyondTrust AD Bridge Service Manager
Loaded: loaded (/lib/systemd/system/lwsmd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-05-30 11:36:17 EDT; 1h 9min ago
Process: 8168 ExecStop=/opt/pbis/bin/lwsm shutdown (code=exited, status=0/SUCCESS)
Process: 8226 ExecStart=/opt/pbis/sbin/lwsmd --start-as-daemon (code=exited, status=0/SUCCESS)
Main PID: 8228 (lwsmd)
Tasks: 106 (limit: 4661)
CGroup: /system.slice/lwsmd.service
├─8228 /opt/pbis/sbin/lwsmd --start-as-daemon
├─8248 lw-container lwreg
├─8267 lw-container eventlog
├─8284 lw-container netlogon
├─8299 lw-container lwio
├─8316 lw-container lsass
└─8338 lw-container reapsysl
May 30 11:36:17 ev-monitor systemd[1]: Starting BeyondTrust AD Bridge Service Manager...
May 30 11:36:17 ev-monitor /opt/pbis/sbin/lwsmd[8228]: Logging started
May 30 11:36:17 ev-monitor lwreg[8248]: Logging started
May 30 11:36:17 ev-monitor eventlog[8267]: Logging started
May 30 11:36:17 ev-monitor netlogon[8284]: Logging started
May 30 11:36:17 ev-monitor lwio[8299]: Logging started
May 30 11:36:17 ev-monitor lsass[8316]: Logging started
May 30 11:36:17 ev-monitor lsass[8316]: Logging redirected
May 30 11:36:17 ev-monitor reapsysl[8338]: Logging started
May 30 11:36:17 ev-monitor systemd[1]: Started BeyondTrust AD Bridge Service Manager.
- /opt/pbis/bin/lwsm list
lwreg running (container: 8248)
dcerpc stopped
eventlog running (container: 8267)
lsass running (container: 8316)
lwio running (container: 8299)
netlogon running (container: 8284)
rdr running (io: 8299)
reapsysl running (container: 8338)
usermonitor stopped
- /opt/pbis/bin/domainjoin-cli query
Name = ev-monitor
Domain = my.domain
Distinguished Name = CN=EV-MONITOR,CN=Computers,DC=my,DC=domain
- pbis status
LSA Server Status:
Compiled daemon version: 9.0.1.525
Packaged product version: 9.0.525.0
Uptime: 0 days 1 hours 15 minutes 22 seconds
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Un-provisioned
Domain: my.domain
Domain SID: S-1-5-21-2135455515-1890736488-1963001494
Forest: my.domain
Site: TPA
Online check interval: 300 seconds
[Trusted Domains: 1]
[Domain: my.domain]
DNS Domain: my.domain
Netbios name: my.domain
Forest name: my.domain
Trustee DNS name:
Client site name: TPA
Domain SID: S-1-5-21-2135455515-1890736488-1963001494
Domain GUID: 050d6ea6-ee4b-9241-a1fc-b9e58f7b4d6c
Trust Flags: [0x001d]
[0x0001 - In forest]
[0x0004 - Tree root]
[0x0008 - Primary]
[0x0010 - Native]
Trust type: Up Level
Trust Attributes: [0x0000]
Trust Direction: Primary Domain
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0001]
[0x0001 - Primary]
[Domain Controller (DC) Information]
DC Name: picdc1.my.domain
DC Address: 172.16.0.21
DC Site: TPA
DC Flags: [0x0001f3fc]
DC Is PDC: no
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes
[Global Catalog (GC) Information]
GC Name: picdc.my.domain
GC Address: 172.16.0.22
GC Site: TPA
GC Flags: [0x0001f1fc]
GC Is PDC: no
GC is time server: yes
GC has writeable DS: yes
GC is running KDC: yes
- /opt/pbis/bin/enum-users | grep -B5 -A3 "Gary Luckritz"
User info (Level-0):
====================
Name: my.domain\gluckritz
Uid: 501232306
Gid: 501219841
Gecos: Gary Luckritz
Shell: /bin/sh
Home dir: /home/local/my.domain/gluckritz
- attach logs
- /opt/pbis/bin/lwsm set-log-target -p lsass - file /tmp/lsass.log
- /opt/pbis/bin/lwsm set-log-level -p lsass - debug
- attach log
Output/Error:
[~]> sudo /opt/pbis/bin/lsa authenticate-user --user gluckritz
Password:
Error: LW_ERROR_NOT_HANDLED (0x9c51)
[~]> ssh gluckritz@ev-monitor.my.domain
Password:
Password:
Received disconnect from 172.16.4.62: 2: Too many authentication failures
Steps to Reproduce:
- install command:
chmod 755 pbis-open-9.0.1.525.linux.x86_64.deb.sh
sudo ./pbis-open-9.0.1.525.linux.x86_64.deb.sh
- Domainjoin command:
/opt/pbis/bin/domainjoin-cli join my.domain gluckritz
- Command that returns issue:
Shown above
Content of lsass.log is at
https://paste.ubuntu.com/p/tCSHH6C2ND/
What does your nsswitch file look like?
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat systemd lsass
group: compat systemd lsass
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Thanks for a quick response. I've been fighting with this for over a week now, so any insight as to what the issue might be is greatly appreciated.
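The "invalid user" lines in auth.log mean sshd could not resolve the account through NSS, so one early check is whether the lsass module is actually listed for the passwd and group databases. This is an added example, not PBIS or BeyondTrust code; it parses an nsswitch.conf (the posted file, embedded here as a constructed sample) and reports where lsass sits in each database's source list.

```python
"""Report which NSS databases in an nsswitch.conf route lookups through
the lsass (PBIS / AD Bridge) module. Added example, not PBIS code."""

# Constructed sample, copied from the nsswitch.conf posted in the issue.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:         compat systemd lsass
group:          compat systemd lsass
shadow:         compat
gshadow:        files
hosts:          files dns
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]}.

    Comments and blank lines are ignored; action specifiers such as
    [NOTFOUND=return] are dropped so only module names remain."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        dbs[name.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return dbs


def lsass_report(text, required=("passwd", "group")):
    """For each database PBIS needs for user/group lookups, record whether
    lsass is listed, its 1-based position, and the full source list."""
    dbs = parse_nsswitch(text)
    report = {}
    for db in required:
        sources = dbs.get(db, [])
        present = "lsass" in sources
        report[db] = {
            "present": present,
            "position": sources.index("lsass") + 1 if present else None,
            "sources": sources,
        }
    return report


def missing_lsass(text, required=("passwd", "group")):
    """Names of required databases that do not reference lsass at all."""
    return [db for db, r in lsass_report(text, required).items() if not r["present"]]


if __name__ == "__main__":
    for db, r in lsass_report(SAMPLE_NSSWITCH).items():
        print(f"{db}: lsass present={r['present']} position={r['position']} sources={r['sources']}")
    print("missing lsass:", missing_lsass(SAMPLE_NSSWITCH))
```

For the posted file the report shows lsass as the third source for both passwd and group, so the NSS wiring itself is not what is missing here.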
Any chance anybody might have run into the same issue and possibly found a resolution?
Does 8.8.0 work for you?
Sorry for the long delay responding; got pulled in another direction.
We have several other servers running with pbis-open-8.3.0.3287, so I started there. That worked without issue right off the bat, so I reverted the VM from a snapshot and installed pbis-open-8.8.0.506.
This also had no issues authenticating users after joining the domain.
I won't have any time to dig into the underlying issue with 9.0.x for a while, but thank you for taking the time to respond. Again, apologies . . .