On Thu, Jan 04, 2018 at 11:30:22AM +0100, Johan Vermeulen via FreeIPA-users 
wrote:
> Hello,
> 
> apologies for the late reply, due to the holidays.
> 
> I had a call from a user this morning, she had to do multiple login
> attempts and reboot several times before she could login.
> 
> Trying to follow
> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
> 
> I assume the general setup works, as troubles only show up when password
> expires.
> On the  users laptop:
> 
> [root@lremijsen ~]# systemctl status sssd
> ● sssd.service - System Security Services Daemon
>    Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor
> preset: disabled)
>   Drop-In: /etc/systemd/system/sssd.service.d
>            └─journal.conf
>    Active: active (running) since do 2018-01-04 08:42:01 CET; 2h 35min ago
>   Process: 730 ExecStart=/usr/sbin/sssd -D -f (code=exited,
> status=0/SUCCESS)
>  Main PID: 757 (sssd)
>    CGroup: /system.slice/sssd.service
>            ├─757 /usr/sbin/sssd -D -f
>            ├─767 /usr/libexec/sssd/sssd_be --domain network.cawdekempen.be
> --uid 0 --gid 0 --debug-to-files
>            ├─774 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
>            ├─775 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0
> --debug-to-files
>            ├─776 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
>            ├─777 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
>            └─778 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
> 
> jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 1
> jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 2
> jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 1
> jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 1
> jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 1
> jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 2
> jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 1
> jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 1
> jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 1
> jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI
> client step 2
> 
> In /var/log/secure there is always a clear message that the password is
> expired:
> 
> Jan  4 10:06:13 lremijsen mate-screensaver-dialog:
> pam_sss(mate-screensaver:auth): authentication failure; logname=
> uid=382900705 euid=382900705 tty=:0.0 ruser= rhost= user=lremijsen
> Jan  4 10:06:13 lremijsen mate-screensaver-dialog:
> pam_sss(mate-screensaver:auth): received for user lremijsen: 12
> (Authenticatietoken is niet langer geldig; nieuwe is vereist)
> Jan  4 10:06:14 lremijsen mate-screensaver-dialog:
> pam_sss(mate-screensaver:account): User info message: Wachtwoord verlopen.
> Verander nu uw wachtwoord.
> 
>     sssd_pam.log only shows:
> 
> (Tue Jan  2 13:05:46 2018) [sssd[pam]] [orderly_shutdown] (0x0010):
> SIGTERM: killing children
> 
>    sssd_network.cawdekempen.be.log only shows:
> 
> (Tue Jan  2 13:05:46 2018) [sssd[be[network.cawdekempen.be]]]
> [orderly_shutdown] (0x0010): SIGTERM: killing children
> 
> I suppose I have to increase the log levels?

Yes, by default, SSSD doesn't log much. I think you would need
especially the pam and domain service debug logs.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
  • [Freeipa-users] Cen... Johan Vermeulen via FreeIPA-users
    • [Freeipa-users... Stephen Berg (Contractor, Code 7320) via FreeIPA-users
    • [Freeipa-users... Jakub Hrozek via FreeIPA-users
      • [Freeipa-u... Johan Vermeulen via FreeIPA-users
        • [Freei... Jakub Hrozek via FreeIPA-users
          • [F... Jakub Hrozek via FreeIPA-users
            • ... Johan Vermeulen via FreeIPA-users
              • ... Jakub Hrozek via FreeIPA-users
                • ... Johan Vermeulen via FreeIPA-users
                • ... Jakub Hrozek via FreeIPA-users

Reply via email to