After upgrading to 10.3 - 10.4.0.1, the domain user fails to log in to the Web UI with the error message "Authentication failed"

Article: 100064375
Last Published: 2025-02-04
Product(s): Appliances, NetBackup & Alta Data Protection

Problem

After upgrading to 10.3 - 10.4.0.1, the domain user fails to log in to the Web UI.

 

Error Message

Error seen on the WebUI:

Authentication failed

nbatd Logs

MM/DD/YYYY HH:MM:SS.313 [debugmsgs] (client_handler.cpp:330) nbpas_pam_authenticate : authentication failure (from nbpas), user=XXXXX retval=160
MM/DD/YYYY HH:MM:SS.313 [debugmsgs] (client_handler.cpp:330) process_pam_auth_resp : Extracted uname: [XXXX] authrv: [7] acctrv: [7] from <160
XXXXX 7 7>
MM/DD/YYYY HH:MM:SS.314 [debugmsgs] (authpam.cpp:309) SvcAcct: nbpas_pam_authenticate() for <XXXXX> status=160 authrv=7 acctrv=7

nbwebservice Logs

MM/DD/YYYY HH:MM:SS.935 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] EAT_LOG:(at_client_protocol.c,6912)Entity validation failed
MM/DD/YYYY HH:MM:SS.935 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] EAT_LOG:(vrtscomm_api.c,1254)SecConnClose: closing the session <bac0e578>
MM/DD/YYYY HH:MM:SS.936 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] EAT_LOG:(sslconn.c,1133)SSL_shutdown retried. status 1,
MM/DD/YYYY HH:MM:SS.936 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] EAT_LOG:(sslconn.c,1142)SSL_shutdown status 1, err 0, errno 0
MM/DD/YYYY HH:MM:SS.936 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] EAT_LOG:(sslconn.c,716)freeing SSL <99dcbb40>
MM/DD/YYYY HH:MM:SS.936 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] EAT_LOG:(sslconn.c,722)freeing SSL_CTX <bac0cf80>
MM/DD/YYYY HH:MM:SS.937 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] EAT_LOG:(at_utils.c,236) ERROR STACK REPORT BEGIN
MM/DD/YYYY HH:MM:SS.937 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] EAT_LOG:(at_utils.c,240) Frame :0
MM/DD/YYYY HH:MM:SS.937 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] EAT_LOG:(at_utils.c,250) File: at_client_api.c:1900
MM/DD/YYYY HH:MM:SS.937 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] EAT_LOG:(at_utils.c,253) Error data: vrtsAtValidatePrplWithoutGroupInfo
MM/DD/YYYY HH:MM:SS.937 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] EAT_LOG:(at_utils.c,263) ERROR STACK REPORT END
MM/DD/YYYY HH:MM:SS.937 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] com.netbackup.security.rbac.at.identity.VxATDirectoryService Failed to validate the principal user: xxxx, domain name: xxxx, domain type: ldap, error: The principal or group does not exist(603b)
MM/DD/YYYY HH:MM:SS.937 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] validatePrincipalWithoutGroupInfo entering
MM/DD/YYYY HH:MM:SS.937 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] Creating AtDomainInfo object.
MM/DD/YYYY HH:MM:SS.937 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] createDomainInfo, domainName: xxxx, DomainType:unixpwd
MM/DD/YYYY HH:MM:SS.938 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] Creating userInfo object for user: xxxx
MM/DD/YYYY HH:MM:SS.938 [com.netbackup.security.rbac.at.identity.VxATDirectoryService] createUserInfo, UserName: xxxx, Domain Name: xxxx

Cause

The error is caused by the Active Directory domain name not being used during authentication.

 

Solution

This issue has been resolved in 10.5 and higher versions.

Workaround for 10.3

  1. Edit the sssd.conf file:
    vi /etc/sssd/sssd.conf
  2. Under the [sssd] stanza, add the following line:
    default_domain_suffix = <domain name of AD>
  3. Restart SSSD after updating the sssd.conf file:
    systemctl restart sssd
  4. Test that the modification was successful:
    id <AD username without domain>
    (Note: It should come back with all the groups the user is part of)
  5. If step 4 is successful, proceed with logging in to the WebUI using only the username without the domain.
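
Steps 1 and 2 of the workaround as a repeatable edit, added here as an example and not Veritas code. The function names and the `ad.example.com` domain are assumptions, and the script assumes the stanza header is written `[sssd]`.

```shell
#!/bin/sh
# Added example (not Veritas code): steps 1-2 of the workaround as one edit.
# Assumes the stanza header is spelled [sssd].

# Print the default_domain_suffix currently set in the [sssd] stanza, if any.
get_default_domain_suffix() {
    awk '/^[ \t]*\[/ { s = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/) }
         s && /^[ \t]*default_domain_suffix[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); print }' "$1"
}

# set_default_domain_suffix <sssd.conf path> <AD domain>
# Returns 0 on success, 2 on bad arguments, 3 if there is no [sssd] stanza.
set_default_domain_suffix() {
    conf=$1; domain=$2
    [ -f "$conf" ] && [ -n "$domain" ] || return 2
    tmp=$(mktemp) || return 1
    awk -v dom="$domain" '
        /^[ \t]*\[/ {                       # any stanza header
            in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/)
            print
            if (in_sssd && !done) {         # put the key right under [sssd]
                print "default_domain_suffix = " dom; done = 1
            }
            next
        }
        # drop any older value, but only inside [sssd]
        in_sssd && /^[ \t]*default_domain_suffix[ \t]*=/ { next }
        { print }
        END { if (!done) exit 3 }
    ' "$conf" > "$tmp" || { rc=$?; rm -f "$tmp"; return "$rc"; }
    cp -p "$conf" "$conf.bak" &&            # rollback copy, same owner/mode
        cat "$tmp" > "$conf"                # rewrite in place, mode unchanged
    rc=$?; rm -f "$tmp"; return "$rc"
}

# Constructed sample config (not from the article) to show the result.
demo=$(mktemp)
printf '%s\n' '[sssd]' 'services = nss, pam' 'domains = ad.example.com' '' \
    '[domain/ad.example.com]' 'id_provider = ad' > "$demo"
set_default_domain_suffix "$demo" ad.example.com && cat "$demo"
rm -f "$demo" "$demo.bak"
```

Run it as root against /etc/sssd/sssd.conf, then continue with steps 3 and 4. The file is rewritten in place so its owner and mode are unchanged, which matters because SSSD checks ownership and permissions on sssd.conf when it starts.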

For versions 10.3.0.1 - 10.4.0.1, contact support and request the appropriate EEB:

  • 10.3.0.1: EEB 4154693
  • 10.4: EEB 4161752
  • 10.4.0.1: EEB 4167545

 

References

Etrack: 4154693
