On Sun, Jan 27, 2013 at 02:23:03PM -0800, C. S. wrote:
> Hi folks,
>
> Any help here would be appreciated, I don't seem to see what the issue is.
> I can login using kinit just fine,

Right, kinit bypasses the PAM stacks and talks directly to the libkrb5 and the kdc.

> but sssd fails when using ssh. It seems
> like it has something to do with the files in /var/lib/sss/pubconf going
> missing, which causes sssd-krb5 to fail with: Cannot find KDC for requested
> realm.

Yes, I think so too, but what puzzles me is that resolving went OK, then the kdcinfo files are written. Unfortunately there is no debug output unless there is an error, so we can't see the realm etc.

The "No such file or directory" errors indicate that the krb5info files are indeed missing. Are there perhaps any AVC denials when the SSSD is attempting to write the kdcinfo files? Are you sure there is no typo in the realm name?

Can you also kinit on the client machine, in other words, if you were testing by ssh testuser@testhost, can you kinit on testhost?

What also seems strange to me is that if krb5.conf was configured correctly on the client machine, then I would expect the krb5 child process to use the KDC info from the krb5.conf file. By the time we reach the child process, it's mostly standard krb5 library calls.

>
> This is CentOS 6, sssd-1.8.0-32.el6.x86_64.
>
> e.g. kinit login works:
> [testuser@test01 ~]$ kinit
> Password for [email protected]:
> Warning: Your password will expire in 41 days on Sun Mar 10 19:01:44 2013
> [testuser@test01 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_501
> Default principal: [email protected]
>
> Valid starting Expires Service principal
> 01/27/13 22:13:00 01/28/13 08:13:00 krbtgt/[email protected]
> renew until 02/03/13 22:12:53
> [testuser@test01 ~]$
>
>
> But over ssh:
>
> /var/log/secure:
> Jan 27 21:57:03 test1 sshd[2882]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.74.34.39
> user=testuser
> Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): system info: [Cannot
> find KDC for requested realm]
> Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.74.34.39
> user=testuser
> Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): received for user
> testuser: 4 (System error)
> Jan 27 21:57:05 test1 sshd[2882]: Failed password for testuser from
> 10.74.34.39 port 55143 ssh2
> Jan 27 21:57:11 test1 sshd[2883]: Connection closed by 10.74.34.39
>
> sssd -i -d9 + SSSD_KRB5_LOCATOR_DEBUG=1 output:

Thank you for providing the detailed debug logs.

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
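An added example, not part of the original thread and not SSSD code: a small triage pass over `/var/log/secure` that groups `pam_sss` lines by sshd PID and separates backend failures like the "Cannot find KDC for requested realm" case above from plain bad-password failures. The function name `triage` is hypothetical, the second session in the sample is constructed, and the code assumes Linux-PAM's return values 4 (`PAM_SYSTEM_ERR`) and 7 (`PAM_AUTH_ERR`).

```python
import re
from collections import defaultdict

# Constructed sample: first session modelled on the excerpt in the thread,
# second session invented to show an ordinary bad-password failure.
SAMPLE = """\
Jan 27 21:57:03 test1 sshd[2882]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.74.34.39 user=testuser
Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): system info: [Cannot find KDC for requested realm]
Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.74.34.39 user=testuser
Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): received for user testuser: 4 (System error)
Jan 27 21:57:05 test1 sshd[2882]: Failed password for testuser from 10.74.34.39 port 55143 ssh2
Jan 27 21:59:10 test1 sshd[2901]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.74.34.40 user=otheruser
Jan 27 21:59:10 test1 sshd[2901]: pam_sss(sshd:auth): received for user otheruser: 7 (Authentication failure)
"""

PAM_SYSTEM_ERR, PAM_AUTH_ERR = 4, 7  # Linux-PAM return values (assumption stated above)

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): (?P<msg>.*)$")
INFO = re.compile(r"system info: \[(?P<info>[^\]]*)\]")
RESULT = re.compile(r"received for user (?P<user>\S+): (?P<code>\d+) \(")
RHOST = re.compile(r"rhost=(?P<rhost>\S*)")

def triage(log_text):
    """Return one finding per sshd PID for which pam_sss logged a result code."""
    sessions = defaultdict(lambda: {"user": None, "rhost": None, "code": None, "info": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a pam_sss auth line (pam_unix, sshd's own messages, ...)
        s, msg = sessions[m["pid"]], m["msg"]
        if (i := INFO.search(msg)):
            s["info"].append(i["info"])       # e.g. the krb5 error text
        elif (r := RESULT.search(msg)):
            s["user"], s["code"] = r["user"], int(r["code"])
        elif (h := RHOST.search(msg)):
            s["rhost"] = h["rhost"]
    findings = []
    for pid, s in sessions.items():
        if s["code"] is None:
            continue  # no final pam_sss verdict seen for this PID
        kind = {PAM_SYSTEM_ERR: "backend", PAM_AUTH_ERR: "credentials"}.get(s["code"], "other")
        findings.append({"pid": pid, "kind": kind, **s})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

A `backend` finding points at the client's SSSD or Kerberos setup (the missing kdcinfo files discussed above) rather than at the user's password.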
