My bad. Should have looked at this before posting. File permissions for /etc/krb5.conf were 600 for some reason. Changed them back to 644 and that resolved the issue.

Thanks,
~ abhi

> On Jul 12, 2017, at 10:27 AM, Abhijit Tikekar <[email protected]> wrote:
>
>> Hi,
>>
>> We are having some trouble authenticating users via SSSD. Server has an established JOIN with the DC and we are able to use “id” and “getent passwd” without any issues. But authentication fails with the following messages:
>>
>> Jul 12 08:38:19 hostname sshd[25967]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhost.x.y.local user=first.last
>> Jul 12 08:38:19 hostname sshd[25967]: pam_sss(sshd:auth): received for user first.last: 4 (System error)
>> Jul 12 08:38:21 hostname sshd[25963]: error: PAM: Permission denied for first.last from rhost.x.y.local
>>
>> Under krb5_child.log, we see the following even though the user is a member of one of the groups added under “ad_access_filter”:
>>
>> (Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
>> (Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last\@[email protected]] might not be correct.
>> (Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_child_krb5_trace_cb] (0x4000): [25625] 1499864410.696457: Destroying ccache MEMORY:rd_req2
>> (Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_233006683_XXXXXX]
>> (Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal [email protected] in cache collection]
>> (Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
>> (Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1]
>> (Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [k5c_send_data] (0x0200): Received error code 1432158209
>>
>> [root@hostname sssd]# net ads testjoin
>> Join is OK
>> [root@hostname sssd]# net ads info
>> LDAP server: X.X.90.128
>> LDAP server name: AD-Server.x.y.local
>> Realm: X.Y.LOCAL
>> Bind Path: dc=X,dc=Y,dc=LOCAL
>> LDAP port: 389
>> Server time: Wed, 12 Jul 2017 09:03:08 CDT
>> KDC server: X.X.90.128
>> Server time offset: 0
>> Last machine account password change: Wed, 12 Jul 2017 07:41:59 CDT
>>
>> SSSD Configuration:
>>
>> [sssd]
>> domains = X.Y.LOCAL
>> services = nss, pam, sudo
>> config_file_version = 2
>> debug_level = 0
>> [nss]
>> [pam]
>> [sudo]
>> debug_level=2
>> [domain/x.y.local]
>> debug_level=2
>> ad_server = AD-Server.x.y.local
>> auth_provider = ad
>> access_provider = ad
>> ldap_id_mapping = true
>> ldap_use_tokengroups = true
>> krb5_realm = X.Y.LOCAL
>> ldap_access_order = filter, expire
>> ldap_account_expire_policy = ad
>>
>> ad_access_filter = …….
>>
>> cache_credentials = true
>> override_homedir = /home/%d/%u
>> default_shell = /bin/bash
>> ldap_schema = ad
>>
>> Attached are sssd_x.y.local, krb5_child.log & ldap_child.log (level 10).
>>
>> Also tried with ad_gpo_access_control = permissive & access_provider = permit but that didn’t allow auth either.
>>
>> Any suggestions are highly appreciated.
>>
>> Thanks in advance,
>>
>> ~ Abhi
> <krb5_child.log>
> <ldap_child.log>
> <sssd_x.y.local.log>
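An added permission check (not from the thread) for the two files behind this kind of failure: /etc/krb5.conf must be world-readable (644), because libkrb5 callers that do not run as root, including sssd's krb5_child once it has switched to the authenticating user, open it and otherwise get the "Permission denied" seen in create_ccache above, while /etc/sssd/sssd.conf must stay 600 because it can hold bind credentials. It assumes GNU coreutils `stat` and the standard paths.

```shell
#!/bin/sh
# Added example, not from the thread: audit the file modes the Kerberos/SSSD
# client stack depends on. krb5.conf must be readable by unprivileged
# processes; sssd.conf must not be readable by anyone but its owner.
# Assumes GNU coreutils `stat` (the -c format specifiers).

# check_readable FILE: 0 if the "other" read bit is set, 1 if not, 2 if missing.
check_readable() {
    [ -e "$1" ] || { echo "MISSING  $1"; return 2; }
    mode=$(stat -c '%a' "$1")        # e.g. 600 or 644
    owner=$(stat -c '%U:%G' "$1")
    # The last octal digit is the "other" class; read is bit value 4.
    if [ $(( (mode % 10) & 4 )) -eq 4 ]; then
        echo "OK       $1 mode=$mode owner=$owner"
        return 0
    fi
    echo "PROBLEM  $1 mode=$mode owner=$owner (needs 644: unprivileged readers get EACCES)"
    return 1
}

# check_private FILE: 0 if neither group nor other has any bits, 1 if they
# do, 2 if missing. (sssd additionally requires root ownership; shown only.)
check_private() {
    [ -e "$1" ] || { echo "MISSING  $1"; return 2; }
    mode=$(stat -c '%a' "$1")
    owner=$(stat -c '%U:%G' "$1")
    if [ $(( mode % 100 )) -eq 0 ]; then
        echo "OK       $1 mode=$mode owner=$owner"
        return 0
    fi
    echo "PROBLEM  $1 mode=$mode owner=$owner (needs 600 root:root, may hold bind credentials)"
    return 1
}

# audit_krb5_client_files: run both checks on the standard paths and
# return the number of files that need attention.
audit_krb5_client_files() {
    problems=0
    check_readable /etc/krb5.conf      || problems=$((problems + 1))
    check_private  /etc/sssd/sssd.conf || problems=$((problems + 1))
    return "$problems"
}

audit_krb5_client_files || echo "$? file(s) need attention (see above)"
```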
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
