So it turns out that even though i am not running selinux there was an attempt to create a login file in the /etc/selinux directory ... which was not writable.
(Thu Oct 31 15:54:45 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'cmp12' matched without domain, user is cmp12 (Thu Oct 31 15:54:45 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)] (Thu Oct 31 15:54:45 2013) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [cmp12@default] (Thu Oct 31 15:54:45 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: (Thu Oct 31 15:54:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT (Thu Oct 31 15:54:45 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: default (Thu Oct 31 15:54:45 2013) [sssd[pam]] [pam_print_data] (0x0100): user: cmp12 (Thu Oct 31 15:54:47 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]. (Thu Oct 31 15:54:47 2013) [sssd[pam]] [remove_selinux_login_file] (0x0040): Could not remove login file /etc/selinux/targeted/logins/cmp12 [30]: Read-only file system (Thu Oct 31 15:54:47 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 24 (Thu Oct 31 15:54:48 2013) [sssd[pam]] [client_recv] (0x0200): Client disconnected! I added the /etc/selinux directory to my ram disk and things work as expected. -Chris On 10/31/2013 02:45 PM, Jakub Hrozek wrote: > On Thu, Oct 31, 2013 at 05:50:10PM +0000, Chris Petty wrote: >> I guess i naively thought i needed it, but i removed the pam_krb libs from >> all the system/password auth sections of test machines and things still work >> as normal. >> >> I still get the same errors on the ro-root machine however: >> >> Oct 31 13:37:13 node48 sshd[5983]: pam_sss(sshd:auth): authentication >> success; logname= uid=0 euid=0 tty=ssh ruser= rhost=hugin.biac.duke.edu >> user=cmp12 >> Oct 31 13:37:13 node48 sshd[5983]: debug1: PAM: password authentication >> accepted for cmp12 >> Oct 31 13:37:13 node48 sshd[5983]: debug1: do_pam_account: called >> Oct 31 13:37:13 node48 sshd[5907]: debug2: channel 0: rcvd adjust 49852 >> Oct 31 13:37:15 node48 sshd[5983]: pam_sss(sshd:account): Access denied for >> user cmp12: 4 (System error) >> Oct 31 13:37:15 node48 sshd[5983]: Failed password for cmp12 from >> 10.136.52.5 port 38218 ssh2 >> Oct 31 13:37:15 node48 sshd[5984]: fatal: Access denied for user cmp12 by >> PAM account configuration >> >> >> (Thu Oct 31 13:48:12 2013) [sssd[be[default]]] >> [sdap_access_filter_get_access_done] (0x0400): Access granted by online >> lookup >> (Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [ldb] (0x4000): start ldb >> transaction (nesting: 0) >> (Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb >> transaction (nesting: 0) >> (Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_account_expired_ad] >> (0x0400): Performing AD access check for user [cmp12] >> (Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_account_expired_ad] >> (0x4000): User account control for user [cmp12] is [200]. >> (Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_account_expired_ad] >> (0x4000): Expiration time for user [cmp12] is [9223372036854775807]. >> (Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [be_pam_handler_callback] >> (0x0100): Backend returned: (0, 0, <NULL>) [Success] > This log snippet doesn't tell us what's wrong, can you take a look if > you see something in the logs? Maybe the pam logs would have some hints > as well. I suspect SSSD attempts to create some temporary file (for > selinux perhaps? Not sure without logs) and fails on read-only FS. > _______________________________________________ > sssd-users mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/sssd-users > _______________________________________________ sssd-users mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-users
