I've been migrating a lot of our customer boxes from a local install of
our master LDAP database (yeah, I know) to our IPA servers. Nearly all
these boxes are CentOS 6 (we have a smattering of C7 and C5 boxes as
well) and I've built an ansible playbook to make the migration changes.
I've done slightly more than a dozen of these and had no trouble at all,
until now. This last run I hit two customer servers, one is accessible
via ssh and can sudo fine. The other, not so much. I'm getting this
error in /var/log/secure:
Sep 26 10:41:12 rad0 sshd[7906]: pam_sss(sshd:auth): received for user
mark.haney: 4 (System error)
Since I've not encountered this problem before, I'm totally clueless as
to what to do. Google says it's likely a Kerberos problem, but that's not
particularly helpful when the configs between the working server and the
non-working one are virtually identical. I'll be glad to spill any logs
you need and run anything that might help the problem. Here's what I
know right now.
The good server: can ssh and sudo with the credentials above.
The bad server: cannot ssh or sudo with the same credentials. However, I
can ssh to the box via an unprivileged non-LDAP account (the one used for
ansible), sudo to root, then sudo to my user account (note: my user
account doesn't exist locally on ANY of these boxes until IPA is
installed and configured and I test it), but from that account I can't
sudo back to root. It bombs with the above error.
There's nothing in the sssd logs (literally, they are all empty) and
nothing strikes me as odd in pam.d and other configs I've looked at.
And as I've avoided LDAP nonsense for any servers for over a decade,
I've no clue to debugging this.
What can I offer to help get this resolved?
--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney(a)neonova.net
www.neonova.net
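An added triage helper for the situation described in the post above (it is example code written here, not part of the original message or of SSSD/FreeIPA). PAM code 4 is PAM_SYSTEM_ERR, which pam_sss returns when the request to the sssd pam responder itself fails, as opposed to 7 (PAM_AUTH_ERR) for a rejected password; and sssd logs that stay empty usually mean no debug_level is set, since the default only records fatal and critical messages. The script pulls pam_sss results out of /var/log/secure text, lists the sssd.conf sections with no usable debug_level, and produces a copy of the config with debug_level set everywhere. The log lines and the sssd.conf below are constructed samples (hostnames, users and the domain example.test are invented), and the bitmask handling is a simplification noted in the code.

```python
"""Triage pam_sss 'System error' (PAM_SYSTEM_ERR = 4) and empty sssd logs.

Example code added to the thread; not the poster's or SSSD's own tooling.
Sample log and config are constructed, not taken from any real host.
"""
import configparser
import re

PAM_SYSTEM_ERR = 4   # pam_strerror(4) == "System error": sssd responder failed
PAM_AUTH_ERR = 7     # pam_strerror(7) == "Authentication failure": wrong password

# Matches the result line pam_sss writes to /var/log/secure.
PAM_SSS_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<module>\w+)\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]+)\)"
)

# Constructed sample of /var/log/secure (not real log data).
SAMPLE_SECURE_LOG = """\
Sep 26 10:41:12 rad0 sshd[7906]: pam_sss(sshd:auth): received for user mark.haney: 4 (System error)
Sep 26 10:41:15 rad0 sshd[7906]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=mark.haney
Sep 26 10:42:01 rad0 sudo: pam_sss(sudo:auth): received for user mark.haney: 4 (System error)
Sep 26 10:43:30 rad0 sshd[8001]: pam_sss(sshd:auth): received for user ansible: 7 (Authentication failure)
"""

# Constructed sssd.conf in the shape ipa-client-install writes (domain is invented).
SAMPLE_SSSD_CONF = """\
[domain/example.test]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rad0.example.test
chpass_provider = ipa
ipa_server = _srv_, ipa1.example.test
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = example.test
debug_level = 2
[nss]
[pam]
[sudo]
[ssh]
"""


def pam_sss_failures(log_text):
    """Return (service, user, code, message) for every pam_sss result line."""
    found = []
    for line in log_text.splitlines():
        m = PAM_SSS_RE.search(line)
        if m:
            found.append((m.group("service"), m.group("user"),
                          int(m.group("code")), m.group("msg")))
    return found


def system_error_users(log_text):
    """Users whose pam_sss calls died with PAM_SYSTEM_ERR rather than a bad password."""
    return sorted({u for _, u, c, _ in pam_sss_failures(log_text)
                   if c == PAM_SYSTEM_ERR})


def load_sssd_conf(conf_text):
    """Parse sssd.conf; option names stay case-sensitive, '%' is not interpolated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(conf_text)
    return cp


def _debug_level_value(raw):
    """Decimal debug_level 0-9 as an int. A hex bitmask (0x....) is treated as a
    deliberate explicit choice and returned as 10 so it is never flagged; mapping
    bitmask bits back to levels is intentionally not attempted (simplification)."""
    raw = raw.strip()
    if raw.lower().startswith("0x"):
        return 10
    try:
        return int(raw)
    except ValueError:
        return -1


def sections_without_debug(conf_text, min_level=6):
    """Sections whose debug_level is absent or below min_level (why logs stay empty)."""
    cp = load_sssd_conf(conf_text)
    return [sec for sec in cp.sections()
            if _debug_level_value(cp.get(sec, "debug_level", fallback="")) < min_level]


def set_debug_level(conf_text, level=6):
    """Copy of sssd.conf with 'debug_level = <level>' under every section header;
    existing debug_level lines are dropped so the new value wins. Line-based so
    comments and ordering survive (configparser would rewrite the file)."""
    out = []
    for line in conf_text.splitlines():
        if re.match(r"\s*debug_level\s*=", line):
            continue
        out.append(line)
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            out.append("debug_level = %d" % level)
    return "\n".join(out) + "\n"


def triage(log_text, conf_text, min_level=6):
    """Summary a responder can act on: who hit PAM_SYSTEM_ERR, through which PAM
    services, and which sssd.conf sections need debug_level raised before retrying."""
    failures = pam_sss_failures(log_text)
    return {
        "system_error_users": system_error_users(log_text),
        "services_hit": sorted({s for s, _, c, _ in failures if c == PAM_SYSTEM_ERR}),
        "sections_needing_debug": sections_without_debug(conf_text, min_level),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SECURE_LOG, SAMPLE_SSSD_CONF))
    print(set_debug_level(SAMPLE_SSSD_CONF))
```

On the sample, triage reports mark.haney hitting PAM_SYSTEM_ERR through both sshd and sudo while the ansible account gets a plain authentication failure, which is the same split the post describes, and it flags every section of the sample config because none sets debug_level 6 or higher. The practical sequence is to write the output of set_debug_level over /etc/sssd/sssd.conf (keeping mode 0600, root-owned), restart sssd, reproduce the failure once, then read sssd_pam.log and the sssd_<domain>.log for that timestamp; with the default level those files stay empty, which is exactly the symptom reported.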