Whoops, I forgot to include the sudo output!
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 123456789
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: sam.morris(a)example.net
pam_sss_gss: User domain:
example.net
pam_sss_gss: User principal: Sam.Morris(a)EXAMPLE.NET
pam_sss_gss: Target name: host(a)myself.ipa.example.net
pam_sss_gss: Using ccache: FILE:/run/user/123456789/krb5cc
pam_sss_gss: Acquiring credentials for principal [Sam.Morris(a)EXAMPLE.NET]
pam_sss_gss: Communication error [3, 32]: Error in service module; Broken pipe
pam_sss_gss: Switching euid from 123456789 to 0
pam_sss_gss: System error [32]: Broken pipe
[sudo] password for sam.morris(a)example.net: ^C
If I run 'klist' at this point, I can see that I've picked up tickets for
krb5tgt/IPA.EXAMPLE.NET(a)EXAMPLE.NET and host/myself.ipa.example.net(a)IPA.EXAMPLE.NET; so I
think the PAM module is working, but sssd_pam doesn't like what it sends and closes
the connection down.
--
Sam Morris <
https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9