I have a working config on multiple machines; now I am taking this config to our computing cluster, which I manage with oneSIS.
It has a ro root with various NFS mounts for writable locations and other pieces in an actual ramdisk at bootup. /var/lib/sss has a writable location in the ramdisk.
When I have my / drive mounted as ro, pam_sss/sshd rejects my login (after it tells me that I've authenticated successfully and I get a Kerberos ticket).
If I remount the root filesystem rw, everything works as expected. If I remove the sss line from my pam.d/password-auth, everything also works, even in ro, because I am not using the piece that's throwing the System error: "account [default=bad success=ok user_unknown=ignore] pam_sss.so"
Any advice on how to make this work would be greatly appreciated. My same sssd.conf is working fine on various other machines without the ro root. -Chris
Some snippets from the logs. I truncated things because I have sssd and pam at very high levels of logging for now.

From the secure log:
Oct 31 10:53:32 node48 sshd[5843]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost user=cmp12
Oct 31 10:53:33 node48 sshd[5843]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost user=cmp12
Oct 31 10:53:33 node48 sshd[5843]: debug1: PAM: password authentication accepted for cmp12
Oct 31 10:53:33 node48 sshd[5843]: debug1: do_pam_account: called
Oct 31 10:53:33 node48 sshd[5843]: pam_sss(sshd:account): Access denied for user cmp12: 4 (System error)
. . get a valid krb5 ticket from the server .
Oct 31 10:53:34 node48 sshd[5843]: pam_krb5[5843]: pam_acct_mgmt returning 0 (Success)
Oct 31 10:53:34 node48 sshd[5843]: Failed password for cmp12 from 10.136.52.5 port 42199 ssh2
Oct 31 10:53:34 node48 sshd[5844]: fatal: Access denied for user cmp12 by PAM account configuration

From sssd_default.log:
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): domain: default
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): user: cmp12
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): service: sshd
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): tty: ssh
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): ruser:
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): rhost: hugin.biac.duke.edu
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): authtok type: 0
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): authtok size: 0
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok size: 0
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): priv: 1
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): cli_pid: 5865
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [cmp12]
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [cmp12]
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x4000): User account control for user [cmp12] is [200].
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x4000): Expiration time for user [cmp12] is [9223372036854775807].
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not sending the request to it.
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sending result [0][default]
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sent result [0][default]
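To make the PAM phases in that secure-log excerpt easier to read (the auth phase succeeds via pam_sss; it is the separate account phase that returns 4, which is PAM_SYSTEM_ERR in Linux-PAM), here is a small log parser added as an editorial example; it is not code from the original post or from SSSD. It assumes only the "module(service:phase): message" syslog shape shown above and embeds a constructed, trimmed copy of those lines.

```python
import re

# Constructed sample: the sshd lines from the /var/log/secure excerpt quoted above,
# trimmed to the PAM-relevant ones (same pid, user and host names as in the post).
SECURE_LOG = """\
Oct 31 10:53:32 node48 sshd[5843]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost user=cmp12
Oct 31 10:53:33 node48 sshd[5843]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost user=cmp12
Oct 31 10:53:33 node48 sshd[5843]: pam_sss(sshd:account): Access denied for user cmp12: 4 (System error)
Oct 31 10:53:34 node48 sshd[5844]: fatal: Access denied for user cmp12 by PAM account configuration
"""

# Linux-PAM return codes as numbered in <security/_pam_types.h>; 4 is the
# "System error" that pam_sss reports in the account phase above.
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             7: "PAM_AUTH_ERR", 10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}

# Every PAM module logs as "<module>(<service>:<phase>): <message>".
MODULE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<module>pam_\w+)"
                       r"\((?P<service>\w+):(?P<phase>\w+)\): (?P<msg>.*)")
DENIED_RE = re.compile(r"Access denied for user \S+: (?P<code>\d+) \(")
USER_RE = re.compile(r"\buser[= ](?P<user>[\w.-]+)")  # "user=cmp12" or "user cmp12"


def parse_pam_events(log_text):
    """One dict per PAM module verdict (auth/account phase) in the sshd lines."""
    events = []
    for line in log_text.splitlines():
        m = MODULE_RE.search(line)
        if not m:
            continue  # sshd's own lines (debug1:, fatal:) carry no module verdict
        msg = m["msg"]
        result, code = "other", None
        if "authentication success" in msg:
            result = "success"
        elif "authentication failure" in msg:
            result = "failure"
        elif DENIED_RE.search(msg):
            result, code = "denied", int(DENIED_RE.search(msg)["code"])
        u = USER_RE.search(msg)
        events.append({"pid": int(m["pid"]), "module": m["module"], "phase": m["phase"],
                       "user": u["user"] if u else None, "result": result, "code": code})
    return events


def first_denial(events):
    """(phase, module, code, symbolic name) of the first module to deny access, or None.
    On the thread's log this singles out pam_sss's account phase, not the auth phase."""
    for ev in events:
        if ev["result"] == "denied":
            return ev["phase"], ev["module"], ev["code"], PAM_CODES.get(ev["code"], "UNKNOWN")
    return None
```

Run against a full secure log, this separates "password was wrong" (auth-phase failures) from "account check could not complete" (an account-phase PAM_SYSTEM_ERR), which is the distinction the sshd "Failed password" summary line hides.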
On 10/31/2013 11:29 AM, Chris Petty wrote:
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Why do you have pam_krb5 in the picture at all? I am not sure this is the cause of the problem, but it seems odd. What version of SSSD are we talking about?