I've been migrating a lot of our customer boxes from a local install of our master LDAP database (yeah, I know) to our IPA servers.  Nearly all these boxes are CentOS 6 (we have a smattering of C7 and C5 boxes as well) and I've built an ansible playbook to make the migration changes.  I've done slightly more than a dozen of these and had no trouble at all, until now. This last run I hit two customer servers, one is accessible via ssh and can sudo fine. The other, not so much.  I'm getting this error in /var/log/secure:

Sep 26 10:41:12 rad0 sshd[7906]: pam_sss(sshd:auth): received for user mark.haney: 4 (System error)


Since I've not encountered this problem before, I'm totally clueless to what to do.  Google says it's likely a Kerberos problem, but that's not particularly helpful when the configs between the working server and the non-working one are virtually identical.  I'll be glad to spill any logs you need and run anything that might help the problem.  Here's what I know right now.

The good server: can ssh and sudo with the credentials above.

The bad server: cannot ssh or sudo with same credentials. However, I can ssh to the box via an unprivileged non-LDAP account (the one used for ansible) can sudo to root, then I can sudo to my user account (note: my user account doesn't exist locally on ANY of these boxes until IPA is installed and configured and I test it) but from that account, I can't sudo back to root. It bombs with the above error.

There's nothing in the sssd logs (literally, they are all empty) and nothing strikes me as odd in pam.d and other configs I've looked at.  And as I've avoided LDAP nonsense for any servers for over a decade, I've no clue to debugging this.

What can I offer to help get this resolved?


nss--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.ha...@neonova.net
www.neonova.net
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to