I guess I naively thought I needed it, but I removed the pam_krb libs from all the system/password auth sections of the test machines and things still work as normal.
I still get the same errors on the ro-root machine, however:
Oct 31 13:37:13 node48 sshd[5983]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=hugin.biac.duke.edu user=cmp12
Oct 31 13:37:13 node48 sshd[5983]: debug1: PAM: password authentication accepted for cmp12
Oct 31 13:37:13 node48 sshd[5983]: debug1: do_pam_account: called
Oct 31 13:37:13 node48 sshd[5907]: debug2: channel 0: rcvd adjust 49852
Oct 31 13:37:15 node48 sshd[5983]: pam_sss(sshd:account): Access denied for user cmp12: 4 (System error)
Oct 31 13:37:15 node48 sshd[5983]: Failed password for cmp12 from 10.136.52.5 port 38218 ssh2
Oct 31 13:37:15 node48 sshd[5984]: fatal: Access denied for user cmp12 by PAM account configuration

(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_access_filter_get_access_done] (0x0400): Access granted by online lookup
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [cmp12]
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x4000): User account control for user [cmp12] is [200].
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x4000): Expiration time for user [cmp12] is [9223372036854775807].
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
Running version 1.9.2: sssd-1.9.2-82.4.el6_4.x86_64
Thanks,
-Chris
Why do you have pam_krb5 in the picture at all? I am not sure this is the cause of the problem, but it seems odd. What version of SSSD are we talking about?
--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
On Thu, Oct 31, 2013 at 05:50:10PM +0000, Chris Petty wrote:
This log snippet doesn't tell us what's wrong; can you take a look to see if there is something in the logs? Maybe the PAM logs would have some hints as well. I suspect SSSD attempts to create some temporary file (for SELinux perhaps? Not sure without logs) and fails on the read-only FS.
So it turns out that even though I am not running SELinux, there was an attempt to create a login file in the /etc/selinux directory ... which was not writable.
(Thu Oct 31 15:54:45 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'cmp12' matched without domain, user is cmp12
(Thu Oct 31 15:54:45 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Oct 31 15:54:45 2013) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [cmp12@default]
(Thu Oct 31 15:54:45 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu Oct 31 15:54:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Thu Oct 31 15:54:45 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: default
(Thu Oct 31 15:54:45 2013) [sssd[pam]] [pam_print_data] (0x0100): user: cmp12
(Thu Oct 31 15:54:47 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Thu Oct 31 15:54:47 2013) [sssd[pam]] [remove_selinux_login_file] (0x0040): Could not remove login file /etc/selinux/targeted/logins/cmp12 [30]: Read-only file system
(Thu Oct 31 15:54:47 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 24
(Thu Oct 31 15:54:48 2013) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
I added the /etc/selinux directory to my RAM disk and things work as expected.
-Chris
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
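The thread only reaches the cause after a round trip, so here is an added example (my own, not code from the thread, from Red Hat or from SSSD) of the log correlation that gets there in one pass. It reads the sshd debug lines together with sssd_pam.log, separates pam_sss reporting PAM_SYSTEM_ERR (4, a local failure in the account stage) from a genuine PAM_PERM_DENIED (6, the provider said no), and for the system-error case pulls the errno and path out of the SSSD line. It assumes the Linux-PAM numeric codes and the `<path> [<errno>]: <strerror>` shape of the SSSD failure line quoted above. The sample log text is constructed from the lines in the thread; the rhost name and the second user ("bob") are made up.

```python
"""Triage "Access denied ... (System error)" from pam_sss against sssd_pam.log.

Added example for this thread; not code from SSSD or from anyone on the list.
It correlates the sshd debug log with sssd_pam.log and separates a provider
policy denial (PAM_PERM_DENIED, 6) from a local failure (PAM_SYSTEM_ERR, 4)
such as the read-only /etc/selinux/targeted/logins directory found above.
"""
import errno
import re

PAM_SYSTEM_ERR = 4   # Linux-PAM: local failure, not an access decision
PAM_PERM_DENIED = 6  # Linux-PAM: the account stage really denied access

# Constructed sample input modelled on the lines quoted in the thread. The
# rhost name and the second user ("bob") are made up. On a real node these
# come from sshd -ddd output (or /var/log/secure) and /var/log/sssd/sssd_pam.log.
SSHD_LOG = """\
Oct 31 13:37:13 node48 sshd[5983]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=hugin.example.edu user=cmp12
Oct 31 13:37:13 node48 sshd[5983]: debug1: PAM: password authentication accepted for cmp12
Oct 31 13:37:15 node48 sshd[5983]: pam_sss(sshd:account): Access denied for user cmp12: 4 (System error)
Oct 31 13:37:15 node48 sshd[5983]: Failed password for cmp12 from 10.136.52.5 port 38218 ssh2
Oct 31 13:41:07 node48 sshd[6102]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.136.52.9 user=bob
Oct 31 13:41:07 node48 sshd[6102]: pam_sss(sshd:account): Access denied for user bob: 6 (Permission denied)
"""

SSSD_PAM_LOG = """\
(Thu Oct 31 15:54:47 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Thu Oct 31 15:54:47 2013) [sssd[pam]] [remove_selinux_login_file] (0x0040): Could not remove login file /etc/selinux/targeted/logins/cmp12 [30]: Read-only file system
"""

AUTH_RE = re.compile(
    r"pam_sss\(\w+:auth\): authentication (?P<result>success|failure);.* user=(?P<user>\S+)")
ACCT_RE = re.compile(
    r"pam_sss\(\w+:account\): Access denied for user (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<text>[^)]*)\)")
# sssd_pam.log lines that end in "<path> [<errno>]: <strerror>", the shape
# SSSD used for the failed unlink in the thread (assumed to hold generally).
ERRNO_RE = re.compile(
    r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*?) (?P<path>/\S+) "
    r"\[(?P<errno>\d+)\]: (?P<strerror>.*)$")


def classify(code):
    """Map the pam_sss return code to the question an operator has to answer."""
    if code == PAM_SYSTEM_ERR:
        return "system_error"   # fix the node: sssd could not complete the stage
    if code == PAM_PERM_DENIED:
        return "policy_denial"  # the identity provider said no
    return "other"


def triage(sshd_log, sssd_pam_log):
    """Return {user: finding} for each user denied at the PAM account stage.

    A finding records whether authentication had already succeeded, the PAM
    code, and, for system errors, the errno and path taken from sssd_pam.log.
    """
    auth_result = {}
    findings = {}
    for line in sshd_log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            auth_result[m["user"]] = m["result"]
            continue
        m = ACCT_RE.search(line)
        if m:
            code = int(m["code"])
            findings[m["user"]] = {
                "auth": auth_result.get(m["user"], "unknown"),
                "pam_code": code,
                "pam_text": m["text"],
                "kind": classify(code),
                "errno": None, "errno_name": None, "path": None, "sssd_func": None,
            }
    for line in sssd_pam_log.splitlines():
        m = ERRNO_RE.search(line)
        if not m:
            continue
        # SSSD names the per-user login file after the login, so the last
        # path component ties the failure back to the denied user.
        user = m["path"].rsplit("/", 1)[-1]
        finding = findings.get(user)
        if finding is None or finding["kind"] != "system_error":
            continue
        num = int(m["errno"])  # 30 is EROFS on Linux
        finding.update(errno=num, errno_name=errno.errorcode.get(num, "?"),
                       path=m["path"], sssd_func=m["func"])
    return findings


def summarize(findings):
    """One line per user, sorted by name, stating where to look next."""
    lines = []
    for user, f in sorted(findings.items()):
        if f["kind"] == "system_error":
            detail = (f"{f['sssd_func']} failed on {f['path']} with "
                      f"{f['errno_name']} ({f['errno']})"
                      if f["errno"] is not None
                      else "no matching errno in sssd_pam.log; raise debug_level")
            lines.append(f"{user}: auth {f['auth']}, account stage returned "
                         f"PAM_SYSTEM_ERR ({f['pam_code']}): local fault, {detail}")
        else:
            lines.append(f"{user}: auth {f['auth']}, account stage returned "
                         f"{f['pam_code']} ({f['pam_text']}): provider decision, "
                         "check the access filter and account expiry on the server")
    return lines


if __name__ == "__main__":
    for line in summarize(triage(SSHD_LOG, SSSD_PAM_LOG)):
        print(line)
```

The point of splitting on the PAM code is that a "System error" from the account stage should never be read as an access-policy result: the backend in the thread had already returned Success, and the denial came from the responder failing a local file operation. On a real node, feed the function the output of sshd -ddd and sssd_pam.log captured at debug_level 9 or higher, since the remove_selinux_login_file line only shows at the 0x0040 level.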