Mark Haney via FreeIPA-users wrote:
> I've been migrating a lot of our customer boxes from a local install of
> our master LDAP database (yeah, I know) to our IPA servers.  Nearly all
> these boxes are CentOS 6 (we have a smattering of C7 and C5 boxes as
> well) and I've built an ansible playbook to make the migration changes.
> I've done slightly more than a dozen of these and had no trouble at all,
> until now. This last run I hit two customer servers, one is accessible
> via ssh and can sudo fine. The other, not so much.  I'm getting this
> error in /var/log/secure:
> 
> Sep 26 10:41:12 rad0 sshd[7906]: pam_sss(sshd:auth): received for user
> mark.haney: 4 (System error)
> 
> Since I've not encountered this problem before, I'm totally clueless to
> what to do.  Google says it's likely a Kerberos problem, but that's not
> particularly helpful when the configs between the working server and the
> non-working one are virtually identical.  I'll be glad to spill any logs
> you need and run anything that might help the problem.  Here's what I
> know right now.
> 
> The good server: can ssh and sudo with the credentials above.
> 
> The bad server: cannot ssh or sudo with same credentials. However, I can
> ssh to the box via an unprivileged non-LDAP account (the one used for
> ansible) can sudo to root, then I can sudo to my user account (note: my
> user account doesn't exist locally on ANY of these boxes until IPA is
> installed and configured and I test it) but from that account, I can't
> sudo back to root. It bombs with the above error.
> 
> There's nothing in the sssd logs (literally, they are all empty) and
> nothing strikes me as odd in pam.d and other configs I've looked at.
> And as I've avoided LDAP nonsense for any servers for over a decade,
> I've no clue to debugging this.
> 
> What can I offer to help get this resolved?

Start with
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html

A System Error often points to HBAC denying the access.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
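A small client-side triage script for the two symptoms in this thread, the `pam_sss ... 4 (System error)` lines and the empty sssd logs, plus a check for whether the client's SSSD domain uses `access_provider = ipa` (in which case HBAC rules decide access, the cause Rob points at). This is an added example, not code from the thread or from the FreeIPA or SSSD projects; the log excerpt (beyond the one line quoted above) and the sssd.conf are constructed, and `example.test` hostnames are placeholders.

```shell
#!/bin/sh
# Added example: triage pam_sss failures and sssd.conf on an IPA client.

# Constructed /var/log/secure excerpt. Only the first line is the one quoted
# in the thread; the rest are made up to exercise the parser.
LOG=$(mktemp)
cat >"$LOG" <<'EOF'
Sep 26 10:41:12 rad0 sshd[7906]: pam_sss(sshd:auth): received for user mark.haney: 4 (System error)
Sep 26 10:42:03 rad0 sudo: pam_sss(sudo:auth): received for user mark.haney: 4 (System error)
Sep 26 10:43:17 rad0 sshd[7950]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=ansible
Sep 26 10:44:01 rad0 sshd[7961]: pam_sss(sshd:account): Access denied for user mark.haney: 6 (Permission denied)
EOF

# Constructed sssd.conf in the shape ipa-client-install leaves behind
# (hostnames are placeholders). Note there is no debug_level anywhere.
CONF=$(mktemp)
cat >"$CONF" <<'EOF'
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = ipa.example.test
EOF
trap 'rm -f "$LOG" "$CONF"' EXIT

# Print "user service pam_type code" for every pam_sss line that carries a
# PAM return code; success lines without "for user ...: N" are skipped.
pam_sss_results() {
    sed -n 's/^.*pam_sss(\([^:]*\):\([^)]*\)): .* for user \([^:]*\): \([0-9]*\) (.*$/\3 \1 \2 \4/p' "$1"
}

# Count results with code 4 (PAM_SYSTEM_ERR), the code in the quoted sshd line.
count_system_errors() {
    pam_sss_results "$1" | awk '$4 == 4' | wc -l | tr -d ' '
}

# True when a domain section sets access_provider = ipa, i.e. the IPA HBAC
# rules are evaluated for every login and sudo on this host.
hbac_enforced() {
    grep -q '^[ \t]*access_provider[ \t]*=[ \t]*ipa[ \t]*$' "$1"
}

# List [sections] that never set debug_level. At the default level SSSD logs
# only fatal failures, so empty log files are expected until it is raised.
sections_without_debug_level() {
    awk '
        /^\[/ { if (sec != "" && !seen) print sec; sec = $0; seen = 0; next }
        /^[ \t]*debug_level[ \t]*=/ { seen = 1 }
        END { if (sec != "" && !seen) print sec }
    ' "$1"
}

# Stand-alone run: summarise both files.
echo "pam_sss results (user service type code):"
pam_sss_results "$LOG"
echo "System error count: $(count_system_errors "$LOG")"
if hbac_enforced "$CONF"; then
    echo "access_provider=ipa: HBAC rules are enforced on this client"
fi
echo "sections without debug_level:"
sections_without_debug_level "$CONF"
```

The functions only triage the client side: they tell you which PAM services and stages are failing with which code, and whether the logs are silent simply because `debug_level` was never set. Whether an HBAC rule actually matches the user, host and service is decided on the server, where `ipa hbactest --user <user> --host <client fqdn> --service sshd` (a real FreeIPA command) evaluates the rules without touching the client.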