Hi,
If it works right after joining, then I wouldn't expect anything in your
config to be wrong. 'debug_level = 7' in your [domain] section will
tell more. Does the following command clear the issue for some time?
# service sssd stop ; rm -rf /var/lib/sss/db/* ; service sssd start
Also, you have some duplicates in your config. Since 'auth_provider'
and 'chpass_provider' are the same as 'id_provider', you do not actually
need to specify them.
Striker
On 03/21/2016 12:25 PM, Christoph Kaunzner wrote:
> Hi all,
>
> I'm trying to setup AD authentication via sssd.
> With freshly joined machines login works as expected, however after
> some (seemingly) arbitrary time login fail with this error in
> /var/log/secure log:
>
> sshd[22264]: pam_sss(sshd:auth): received for user <username>: 4 (System error)
>
> I've yet to gather a debug log when this happens but as our complete
> linux environment depends on this, so maybe someone can already point
> out my mistake.
>
> Here is the /etc/sssd/sssd.conf:
>
> [sssd]
> domains = some.domain.com
> services = nss, pam
> config_file_version = 2
> sbus_timeout = 30
> reconnection_retries = 3
>
> [nss]
> reconnection_retries = 3
>
> [pam]
> reconnection_retries = 3
>
> [domain/some.domain.com]
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> chpass_provider = ad
> dns_discovery_domain = some.domain.com
> ldap_id_mapping = False
> cache_credentials = true
> ldap_referrals = false
> ldap_force_upper_case_realm = true
> ad_enable_dns_sites = true
> dyndns_update = false
> case_sensitive = Preserving
> ad_access_filter = DOM:some.domain.com:(<ldap_filter>)
>
>
> Here is the /etc/krb5.conf:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> kdc_rotate = {
> period = 1d
> versions = 10
> }
>
> [libdefaults]
> default_realm = SOME.DOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> rdns = false
> forwardable = true
>
> [domain_realm]
> .some.domain.com = SOME.DOMAIN.COM
> some.domain.com = SOME.DOMAIN.COM
>
> [appdefaults]
> kinit = {
> renewable = true
> forwardable= true
> }
>
>
> pam has been configured via authconfig and looks like this:
>
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
> account required pam_access.so
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_mkhomedir.so umask=0022 skel=/etc/skel/
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
>
> Servers are joined via net ads like this:
> net ads join createcomputer="OU=Servers,DC=Some,DC=Domain,DC=com" osName=RHEL osVer=6 -U<admin_user>%<pw>
> net ads keytab create -U<admin_user>%<pw>
>
>
> OS is RHEL 6.7 with sssd version 1.12.4-47.el6_7.4.
>
> Many Thanks in advance,
> Christoph
>
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/admin/lists/[email protected]
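As an added example (not code from the thread or from the sssd project), here is a small Python check that reads an sssd.conf and reports the two things Striker's reply points at: provider keys that merely repeat id_provider, and a [domain/...] section with no debug_level set. The sample config is constructed from the one quoted above.

```python
"""Audit an sssd.conf for redundant provider keys and a missing debug_level."""
import configparser

# Constructed sample, trimmed from the [domain/...] section quoted in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = some.domain.com
services = nss, pam
config_file_version = 2

[domain/some.domain.com]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = true
"""

# Providers that sssd falls back to id_provider for when they are left unset.
DERIVED_PROVIDERS = ("auth_provider", "chpass_provider")


def parse_sssd_conf(text):
    # sssd.conf is INI-style; disable interpolation so '%' in values is safe.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def redundant_providers(cp, section):
    """Return provider keys whose value only repeats id_provider."""
    id_prov = cp.get(section, "id_provider", fallback=None)
    if id_prov is None:
        return []
    return [k for k in DERIVED_PROVIDERS
            if cp.get(section, k, fallback=None) == id_prov]


def audit(text):
    """Map each domain section to its findings."""
    cp = parse_sssd_conf(text)
    return {
        sec: {
            "redundant": redundant_providers(cp, sec),
            "needs_debug_level": not cp.has_option(sec, "debug_level"),
        }
        for sec in cp.sections() if sec.startswith("domain/")
    }


if __name__ == "__main__":
    for sec, findings in audit(SAMPLE_SSSD_CONF).items():
        print(sec, findings)
```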