Mark Haney via FreeIPA-users wrote:

> I've been migrating a lot of our customer boxes from a local install of
> our master LDAP database (yeah, I know) to our IPA servers. Nearly all
> these boxes are CentOS 6 (we have a smattering of C7 and C5 boxes as
> well) and I've built an ansible playbook to make the migration changes.
> I've done slightly more than a dozen of these and had no trouble at all,
> until now. This last run I hit two customer servers, one is accessible
> via ssh and can sudo fine. The other, not so much. I'm getting this
> error in /var/log/secure:
>
> Sep 26 10:41:12 rad0 sshd: pam_sss(sshd:auth): received for user mark.haney: 4 (System error)
>
> Since I've not encountered this problem before, I'm totally clueless to
> what to do. Google says it's likely a Kerberos problem, but that's not
> particularly helpful when the configs between the working server and the
> non-working one are virtually identical. I'll be glad to spill any logs
> you need and run anything that might help the problem. Here's what I
> know right now.
>
> The good server: can ssh and sudo with the credentials above.
>
> The bad server: cannot ssh or sudo with same credentials. However, I can
> ssh to the box via an unprivileged non-LDAP account (the one used for
> ansible), can sudo to root, then I can sudo to my user account (note: my
> user account doesn't exist locally on ANY of these boxes until IPA is
> installed and configured and I test it), but from that account, I can't
> sudo back to root. It bombs with the above error.
>
> There's nothing in the sssd logs (literally, they are all empty) and
> nothing strikes me as odd in pam.d and other configs I've looked at.
> And as I've avoided LDAP nonsense for any servers for over a decade,
> I've no clue to debugging this.
>
> What can I offer to help get this resolved?
Start with https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html

A System Error often points to HBAC denying the access.

rob

_______________________________________________
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
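As an added example (not from the thread), a small parser that pulls pam_sss result lines like the one quoted above out of /var/log/secure, maps the numeric PAM return code to its Linux-PAM name, and for every code 4 (System error) emits the `ipa hbactest` invocation that checks Rob's suggestion that an HBAC rule is denying the user on that host and service. The log lines are constructed for this example (the first is the one from the thread); `hbactest` needs the host's FQDN as enrolled in IPA, so the short hostname from syslog must be substituted.

```python
import re

# Linux-PAM return codes as logged by pam_sss ("received for user X: N (...)").
PAM_CODES = {
    0: "PAM_SUCCESS",
    4: "PAM_SYSTEM_ERR",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    13: "PAM_ACCT_EXPIRED",
}

# Syslog prefix, then "pam_sss(<service>:<stack>): received for user <user>: <code> (<msg>)".
# The program field accepts both "sshd:" and "sshd[1234]:".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"pam_sss\((?P<service>[^:]+):(?P<stack>\w+)\): "
    r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)"
)

# Constructed sample; line 1 is the error from the thread, the others are made up.
SAMPLE_LOG = [
    "Sep 26 10:41:12 rad0 sshd: pam_sss(sshd:auth): received for user mark.haney: 4 (System error)",
    "Sep 26 10:42:03 rad1 sshd[2231]: pam_sss(sshd:auth): authentication success; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=mark.haney",
    "Sep 26 10:43:55 rad0 sudo: pam_sss(sudo:auth): received for user mark.haney: 6 (Permission denied)",
]


def parse_pam_sss(lines):
    """One dict per pam_sss result line; lines without a result code are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["code"] = int(ev["code"])
        ev["name"] = PAM_CODES.get(ev["code"], "UNKNOWN")
        events.append(ev)
    return events


def system_errors(lines):
    """(host, user, service) for every PAM_SYSTEM_ERR (code 4) result."""
    return [(e["host"], e["user"], e["service"])
            for e in parse_pam_sss(lines) if e["code"] == 4]


def hbac_check_commands(lines):
    """The ipa hbactest call that shows whether HBAC allows each failing triple."""
    return [f"ipa hbactest --user={u} --host={h} --service={s}"
            for h, u, s in system_errors(lines)]
```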