On 11/16/2012 10:59 AM, Qing Chang wrote:
> Just migrated all my users from OpenLDAP and MIT Kerberos to IPA.
> Out of more than 400 users, there are around 10 that have problems
> accessing Samba or Dovecot IMAP or ssh.
> They never have a problem logging in to ipa/ipa/ui/login.html.
> For Dovecot IMAP the following error is generated:
> Nov 16 10:15:03 dovecot2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=uesrid rhost=IP
> Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=userid rhost=IP
> Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): received for user userid: 4 (System error)

There are several things to do:
1) Compare entries of the users that log in with no problems and users
that have problems. There might be some attributes different
(absent/present). That might give a hint of what might be wrong. We have
seen some issues in this area related to Samba.
2) Can you please enable a higher debug_level in SSSD and provide the
SSSD logs + sssd.conf? That would help to see what is going on with the
user that is failing.
3) Also, can you describe your environment: how all the parts work
together and what the workflows are in which you see the problem/issue?
I am personally not familiar with Dovecot in detail, so I assume that
Dovecot is configured to use PAM for the authentication and the snippet
above is from that authentication. Is this the correct assumption?

> For Samba, it appears that a mapping request never gets to Samba
> server because nothing is logged for a problematic user ID although
> I have turned on excessive logging.
> What is really frustrating is that there is no pattern to be found,
> even my fellow Sysadmin's ID is also in trouble.
> Also, in his case, he has no problem with Dovecot. For another user ID
> Samba works but not Dovecot. It looks to me there might be some
> problem with sssd on the different servers?
> BTW, for at least one user, creating a brand new account for samba did
> not work either, while the trick worked for another user :-(.
> Please shed some light on this. I don't mind opening a case with
> RedHat support if necessary.
> Red Hat Enterprise Linux Server release 6.3 (Santiago)
> ipa-server.x86_64 2.2.0-16.el6
> sssd.x86_64 1.8.0-32.el6
> sssd-client.x86_64 1.8.0-32.el6
> Freeipa-users mailing list
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
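
The comparison suggested in step 1 of the reply (attributes absent/present between a user that works and one that fails), as an added example that is not part of the original thread or of FreeIPA. It assumes each user's entry has been saved as LDIF; the two sample entries, their values and the function names parse_entry and compare are constructed for illustration.

```python
import base64

# Constructed sample entries in ldapsearch LDIF form; users, DNs and values are made up.
WORKING = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
krbPrincipalName: alice@EXAMPLE.COM
krbPrincipalKey:: Y29uc3RydWN0ZWQ=
sambaSID: S-1-5-21-1-2-3-1001
description: a long value that ldapsearch folds
  onto a continuation line
"""
FAILING = """\
dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: bob
krbPrincipalName: bob@EXAMPLE.COM
userPassword:: Y29uc3RydWN0ZWQ=
"""

def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold a continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):              # "attr:: value" is base64
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip()
        entry.setdefault(name.lower(), []).append(value)
    return entry

def compare(working, failing, ignore=("dn", "uid")):
    """Report attributes and objectClass values present for only one user."""
    w, f = parse_entry(working), parse_entry(failing)
    classes = lambda e: {v.lower() for v in e.get("objectclass", [])}
    return {
        "only_in_working": sorted(set(w) - set(f) - set(ignore)),
        "only_in_failing": sorted(set(f) - set(w) - set(ignore)),
        "objectclass_only_in_working": sorted(classes(w) - classes(f)),
    }

if __name__ == "__main__":
    for key, names in compare(WORKING, FAILING).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Attribute names are compared case-insensitively and values are ignored, so the report shows only what is present for one user and absent for the other.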