Hi List,
I have a problem with pam_sss:
Aug 2 16:59:14 draco sshd[20932]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=deneb.prague.s3group.com user=ondrejv
Aug 2 16:59:14 draco sshd[20932]: pam_sss(sshd:auth): received for user ondrejv: 22 (Authentication token lock busy)
Note that if I replace pam_sss with pam_krb5, it works like a charm. Does anyone know what the message above means?
Thanks, Ondrej
On Thu, Aug 02, 2012 at 05:08:14PM +0200, Ondrej Valousek wrote:
> Hi List,
> I have a problem with pam_sss:
> Aug 2 16:59:14 draco sshd[20932]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=deneb.prague.s3group.com user=ondrejv
> Aug 2 16:59:14 draco sshd[20932]: pam_sss(sshd:auth): received for user ondrejv: 22 (Authentication token lock busy)
> Note that if I replace pam_sss with pam_krb5, it works like a charm. Does anyone know what the message above means?
> Thanks, Ondrej
Sumit was able to reproduce the issue when the kpasswd server couldn't be resolved.
Can you check if the entries for your kpasswd servers are correct?
This is being tracked by: https://fedorahosted.org/sssd/ticket/1452
Looks like _kpasswd SRV entry was missing in my DNS. Strange that pam_krb5 was authenticating happily without this...
Ondrej
On 08/02/2012 05:08 PM, Ondrej Valousek wrote:
> Hi List,
> I have a problem with pam_sss:
> Aug 2 16:59:14 draco sshd[20932]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=deneb.prague.s3group.com user=ondrejv
> Aug 2 16:59:14 draco sshd[20932]: pam_sss(sshd:auth): received for user ondrejv: 22 (Authentication token lock busy)
> Note that if I replace pam_sss with pam_krb5, it works like a charm. Does anyone know what the message above means?
> Thanks, Ondrej
On Fri, 2012-08-03 at 09:59 +0200, Ondrej Valousek wrote:
> Looks like _kpasswd SRV entry was missing in my DNS. Strange that pam_krb5 was authenticating happily without this...
No, it IS a bug we've identified in SSSD: https://fedorahosted.org/sssd/ticket/1452
We just wanted to confirm that you were hitting the same issue.
Thanks! Any chance for this to be fixed in RHEL6.4?
> No, it IS a bug we've identified in SSSD: https://fedorahosted.org/sssd/ticket/1452
> We just wanted to confirm that you were hitting the same issue.
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On Fri, 2012-08-03 at 13:49 +0200, Ondrej Valousek wrote:
> Thanks! Any chance for this to be fixed in RHEL6.4?
>> No, it IS a bug we've identified in SSSD: https://fedorahosted.org/sssd/ticket/1452
This will be fixed as soon as possible (maybe even before RHEL 6.4 as a 6.3 errata, if Red Hat product management wills it).
Even better, I am just about to roll out the first production RH6.3 server using sssd in our company so if it goes out as errata soon, I would not worry about these DNS records :-)
Ondrej
On 08/03/2012 01:58 PM, Stephen Gallagher wrote:
> On Fri, 2012-08-03 at 13:49 +0200, Ondrej Valousek wrote:
>> Thanks! Any chance for this to be fixed in RHEL6.4?
>>> No, it IS a bug we've identified in SSSD: https://fedorahosted.org/sssd/ticket/1452
> This will be fixed as soon as possible (maybe even before RHEL 6.4 as a 6.3 errata, if Red Hat product management wills it).
Hi Stephen,
From the bug you mentioned it looks like the kpasswd dns entry is only needed for the password management, right? However, I can happily run kpasswd & change my password even when no _kpasswd dns srv record is present.
Could you please clarify? Thanks, Ondrej
On Fri, Aug 03, 2012 at 03:02:00PM +0200, Ondrej Valousek wrote:
> Hi Stephen,
> From the bug you mentioned it looks like the kpasswd dns entry is only needed for the password management, right? However, I can happily run kpasswd & change my password even when no _kpasswd dns srv record is present.
> Could you please clarify? Thanks, Ondrej
We fall back to using KDC for password change operations when no kpasswd is explicitly specified. So I guess your KDC servers were also running the kpasswd services?
Yes, I am using AD based KDC which is also doing the kpasswd service. Thanks for the explanation.
Ondrej
On 08/03/2012 03:21 PM, Jakub Hrozek wrote:
> On Fri, Aug 03, 2012 at 03:02:00PM +0200, Ondrej Valousek wrote:
>> Hi Stephen,
>> From the bug you mentioned it looks like the kpasswd dns entry is only needed for the password management, right? However, I can happily run kpasswd & change my password even when no _kpasswd dns srv record is present.
>> Could you please clarify? Thanks, Ondrej
> We fall back to using KDC for password change operations when no kpasswd is explicitly specified. So I guess your KDC servers were also running the kpasswd services?
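
Added example (not part of the thread and not SSSD code): a small triage script for the pam_sss syslog lines quoted above. It flags code 22 (PAM_AUTHTOK_LOCK_BUSY in Linux-PAM) returned from the auth phase, the symptom the thread traces to the kpasswd lookup; the third sample line and the names triage and check_kpasswd are constructed for illustration.

```python
import re

# Linux-PAM return codes (security/_pam_types.h) relevant to this triage.
PAM_CODES = {
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    20: "PAM_AUTHTOK_ERR",
    22: "PAM_AUTHTOK_LOCK_BUSY",
}

# Matches the "received for user" result line that pam_sss writes to syslog.
RECEIVED = re.compile(
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: pam_sss\((?P<service>[^:)]+):(?P<phase>\w+)\): "
    r"received for user (?P<user>[^\s:]+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

def triage(lines):
    """Return one finding per pam_sss result line (hypothetical helper)."""
    findings = []
    for line in lines:
        m = RECEIVED.search(line)
        if not m:
            continue  # e.g. the generic "authentication failure;" line
        code = int(m["code"])
        findings.append({
            "user": m["user"],
            "service": m["service"],
            "phase": m["phase"],
            "code": PAM_CODES.get(code, str(code)),
            # A password-change (authtok) error coming back from the auth
            # phase is the pattern reported in the thread: check that the
            # kpasswd servers resolve before suspecting the credentials.
            "check_kpasswd": m["phase"] == "auth" and code == 22,
        })
    return findings

# The first two lines are from the thread; the third is constructed for contrast.
SAMPLE = [
    "Aug 2 16:59:14 draco sshd[20932]: pam_sss(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=deneb.prague.s3group.com user=ondrejv",
    "Aug 2 16:59:14 draco sshd[20932]: pam_sss(sshd:auth): received for user ondrejv: "
    "22 (Authentication token lock busy)",
    "Aug 2 17:03:41 draco sshd[21007]: pam_sss(sshd:auth): received for user testuser: "
    "7 (Authentication failure)",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```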