For what it's worth, my issue was resolved when I rebooted the server.

Restarting sssd and/or clearing its cache did not do it, but a full reboot
seems to have done it. Something must have been cached or some temp file I
missed. Will need to look into it further as I have a number of servers yet
to be upgraded and having to reboot Linux servers to do an upgrade seems
sacrilegious...

-M

On Thu, Nov 6, 2014 at 9:26 PM, David Taylor <david.tay...@speedcast.com>
wrote:

>  As an add on, I’ve upgraded our Xen template to 6.6 and run up a new VM
> using that and it attaches to the IPA environment perfectly well, so I’m
> guessing it is an issue with the upgrade scripts.
>
> Best regards
>
> *David Taylor*
>
>  *From:* Michael Lasevich [mailto:mlasev...@gmail.com]
> *Sent:* Friday, 7 November 2014 4:00 PM
> *To:* Jakub Hrozek
> *Cc:* David Taylor; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Centos IPA Client fails after upgrade to
> 6.6
>
>
>
> I am seeing somewhat similar behavior once upgrading from sssd 1.9 to 1.11
> (centos 6.5 to 6.6)
>
>
>
> I seem to be able to log in via ssh, but when I use http pam service, I
> get inconsistent behavior - seems like sometimes it works and others it
> errors out (success and failure can happen within a second)
>
>
>
> In the logs I see things like:
>
>
>
> [sssd[krb5_child[15410]]]: Internal credentials cache error
>
> and
>
> authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=username
> received for user username: 4 (System error)
>
> Nothing in the audit.log that I can see
>
> I am guessing this is an sssd issue but I am hoping someone here knows how
> to deal with it.
>
> In case it matters - here is the pam config:
>
> auth        required      pam_env.so
> auth        sufficient    pam_sss.so
> auth        required      pam_deny.so
>
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
>
>
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_oddjob_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     optional      pam_sss.so
>
> -M
>
>
>
> On Wed, Nov 5, 2014 at 1:05 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
>
>  On Wed, Nov 05, 2014 at 02:30:55AM +0000, David Taylor wrote:
> > Thanks for the reply. The PAM file is pretty stock for a centos build
> >
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      pam_env.so
> > auth        sufficient    pam_unix.so nullok try_first_pass
> > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > auth        sufficient    pam_sss.so use_first_pass
> > auth        required      pam_deny.so
> >
> > account     required      pam_unix.so
> > account     sufficient    pam_localuser.so
> > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> > account     required      pam_permit.so
> >
> > password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> > password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> > password    sufficient    pam_sss.so use_authtok
> > password    required      pam_deny.so
> >
> > session     optional      pam_keyinit.so revoke
> > session     required      pam_limits.so
> > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session     required      pam_unix.so
> > session     optional      pam_sss.so
> >
> >
> > Best regards
> > David Taylor
>
> OK, so pam_sss is there ...
>
> And yet you see no mention of pam_sss.so in /var/log/secure ?
>
> Is this the file that was included from the service-specific PAM
> configuration?
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
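Added example, not part of the thread: the question above about whether the quoted file is the one the service-specific PAM configuration actually includes can be answered by expanding a service's `include`/`substack` chain and checking whether pam_sss.so is reached. The file contents and the names `SAMPLE_PAM_D`, `resolve` and `reaches` are constructed for illustration; on a real host the dictionary would be filled from the files in /etc/pam.d.

```python
import os
import re

# Constructed stand-ins for files under /etc/pam.d (not copied from the thread's hosts).
SAMPLE_PAM_D = {
    "password-auth": """\
auth        required      pam_env.so
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     optional      pam_sss.so
""",
    "sshd": """\
#%PAM-1.0
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
session    include      password-auth
""",
    "httpd": """\
auth       required     pam_unix.so
account    required     pam_unix.so
""",
}

# type, control (plain word or [bracketed list]), module, optional arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def resolve(service, pam_d, types=None, _seen=()):
    """Expand include/substack; return (type, control, module, args, file) in order."""
    if service in _seen:
        raise ValueError("include loop: " + " -> ".join(_seen + (service,)))
    rules = []
    for raw in pam_d[service].replace("\\\n", " ").splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or (types and m.group(1) not in types):
            continue
        typ, control, module, args = m.groups()
        if control in ("include", "substack"):
            # only rules of the same type are pulled in from the named file
            rules += resolve(module, pam_d, (typ,), _seen + (service,))
        else:
            rules.append((typ, control, os.path.basename(module), args, service))
    return rules

def reaches(service, module, pam_d=SAMPLE_PAM_D):
    """True if any rule in the service's expanded stack calls the module."""
    return any(r[2] == module for r in resolve(service, pam_d))
```

The last field of each returned rule names the file the rule came from, which shows whether a service gets pam_sss.so from its own file or from an included one.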