On Thu, Oct 31, 2013 at 05:50:10PM +0000, Chris Petty wrote:
> 
> I guess I naively thought I needed it, but I removed the pam_krb libs from 
> all the system/password auth sections of test machines and things still work 
> as normal.
> 
> I still get the same errors on the ro-root machine however:
> 
> Oct 31 13:37:13 node48 sshd[5983]: pam_sss(sshd:auth): authentication 
> success; logname= uid=0 euid=0 tty=ssh ruser= rhost=hugin.biac.duke.edu 
> user=cmp12
> Oct 31 13:37:13 node48 sshd[5983]: debug1: PAM: password authentication 
> accepted for cmp12
> Oct 31 13:37:13 node48 sshd[5983]: debug1: do_pam_account: called
> Oct 31 13:37:13 node48 sshd[5907]: debug2: channel 0: rcvd adjust 49852
> Oct 31 13:37:15 node48 sshd[5983]: pam_sss(sshd:account): Access denied for 
> user cmp12: 4 (System error)
> Oct 31 13:37:15 node48 sshd[5983]: Failed password for cmp12 from 10.136.52.5 
> port 38218 ssh2
> Oct 31 13:37:15 node48 sshd[5984]: fatal: Access denied for user cmp12 by PAM 
> account configuration
> 
> 
> (Thu Oct 31 13:48:12 2013) [sssd[be[default]]] 
> [sdap_access_filter_get_access_done] (0x0400): Access granted by online lookup
> (Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [ldb] (0x4000): start ldb 
> transaction (nesting: 0)
> (Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb 
> transaction (nesting: 0)
> (Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_account_expired_ad] 
> (0x0400): Performing AD access check for user [cmp12]
> (Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_account_expired_ad] 
> (0x4000): User account control for user [cmp12] is [200].
> (Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_account_expired_ad] 
> (0x4000): Expiration time for user [cmp12] is [9223372036854775807].
> (Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [be_pam_handler_callback] 
> (0x0100): Backend returned: (0, 0, <NULL>) [Success]

This log snippet doesn't tell us what's wrong. Can you take a look and
check whether you see something in the logs? Maybe the PAM logs would
have some hints as well. I suspect SSSD attempts to create some temporary
file (for SELinux perhaps? Not sure without logs) and fails on the read-only FS.
_______________________________________________
sssd-users mailing list
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
