On 10/31/2013 11:29 AM, Chris Petty wrote:
> I have a working config on multiple machines, now I am taking this
> config to our computing cluster, which I manage with oneSIS.
>
> It has ro root with various nfs mounts for writable locations and other
> pieces in an actual ramdisk at bootup.
> /var/lib/sss has a writable location in the ram disk
>
> When I have my / drive mounted as ro, pam_sss/sshd rejects my login (
> after I've it tells me that I've authenticated successfully and I get a
> kerberos ticket )
>
> If I remount the root filesystem rw, everything works as expected. If I
> remove the sss line from my pam.d/password-auth, everything also works,
> even in ro because I am not using the piece that's throwing the System
> error.
> "account [default=bad success=ok user_unknown=ignore] pam_sss.so"
>
> Any advice on how to make this work would be greatly appreciated. My
> same sssd.conf is working fine on various other machines without the ro
> root.
> -Chris
>
> some snippets from the logs .. I truncated things because I have sssd
> and pam at very high levels of logging for now.
> from secure log:
> Oct 31 10:53:32 node48 sshd[5843]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost user=cmp12
> Oct 31 10:53:33 node48 sshd[5843]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost user=cmp12
> Oct 31 10:53:33 node48 sshd[5843]: debug1: PAM: password authentication accepted for cmp12
> Oct 31 10:53:33 node48 sshd[5843]: debug1: do_pam_account: called
> Oct 31 10:53:33 node48 sshd[5843]: pam_sss(sshd:account): Access denied for user cmp12: 4 (System error)
> .
> . get a valid krb5 ticket from the server
> .
> Oct 31 10:53:34 node48 sshd[5843]: pam_krb5[5843]: pam_acct_mgmt returning 0 (Success)
> Oct 31 10:53:34 node48 sshd[5843]: Failed password for cmp12 from 10.136.52.5 port 42199 ssh2
> Oct 31 10:53:34 node48 sshd[5844]: fatal: Access denied for user cmp12 by PAM account configuration
>
>
> from sssd_default.log:
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [be_pam_handler] (0x0100): Got request with the following data
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): domain: default
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): user: cmp12
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): service: sshd
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): tty: ssh
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): ruser:
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): rhost: hugin.biac.duke.edu
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): authtok type: 0
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): authtok size: 0
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): priv: 1
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): cli_pid: 5865
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [cmp12]
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [cmp12]
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x4000): User account control for user [cmp12] is [200].
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x4000): Expiration time for user [cmp12] is [9223372036854775807].
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not sending the request to it.
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sending result [0][default]
> (Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sent result [0][default]
>
>
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Why do you have pam_krb5 in the picture at all? I am not sure this is the cause of the problem but this seems odd.

What version of SSSD are we talking about?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
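As an added defender-side example (not part of the thread), the Python below groups lines in the format of the secure log quoted above by sshd pid and reports why each login was refused, so that sshd's "Failed password" line is not mistaken for a wrong password when, as in the thread, pam_sss accepted the password and only the account phase returned a System error. The log text is constructed in that format; the hostname, addresses and pids are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the secure log quoted in the thread (placeholders, not a real capture).
SECURE_LOG = """\
Oct 31 10:53:32 node48 sshd[5843]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost user=cmp12
Oct 31 10:53:33 node48 sshd[5843]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost user=cmp12
Oct 31 10:53:33 node48 sshd[5843]: pam_sss(sshd:account): Access denied for user cmp12: 4 (System error)
Oct 31 10:53:34 node48 sshd[5843]: Failed password for cmp12 from 10.136.52.5 port 42199 ssh2
Oct 31 10:55:01 node48 sshd[5901]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost user=cmp12
Oct 31 10:55:02 node48 sshd[5901]: Failed password for cmp12 from 10.136.52.5 port 42211 ssh2
"""

LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_RE = re.compile(r"^(?P<module>pam_\w+)\(sshd:(?P<phase>\w+)\): (?P<rest>.*)$")
DENIED_RE = re.compile(r"Access denied for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")
FAILED_RE = re.compile(r"^Failed password for (?P<user>\S+) from")

def classify_sessions(log_text):
    """Group secure-log lines by sshd pid; return {pid: verdict} where verdict is
    'account-phase error: <module> <code> (<text>)', 'bad password' or 'ok'."""
    sessions = defaultdict(lambda: {"auth_ok": [], "acct_err": None, "failed": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions[m.group("pid")]
        msg = m.group("msg")
        pm = PAM_RE.match(msg)
        if pm:
            # A PAM module that accepted the password in the auth phase.
            if pm.group("phase") == "auth" and pm.group("rest").startswith("authentication success"):
                s["auth_ok"].append(pm.group("module"))
            # A PAM module that refused the login in the account phase (the case in the thread).
            elif pm.group("phase") == "account":
                dm = DENIED_RE.search(pm.group("rest"))
                if dm:
                    s["acct_err"] = (pm.group("module"), dm.group("code"), dm.group("text"))
        elif FAILED_RE.match(msg):
            s["failed"] = True  # sshd's summary line; logged for account denials too
    verdicts = {}
    for pid, s in sessions.items():
        if s["acct_err"]:
            verdicts[pid] = "account-phase error: %s %s (%s)" % s["acct_err"]
        elif s["failed"] and not s["auth_ok"]:
            verdicts[pid] = "bad password"
        else:
            verdicts[pid] = "ok"
    return verdicts

print(classify_sessions(SECURE_LOG))
```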
