<div class="gmail_quote">On Thu, Sep 27, 2012 at 10:01 AM, Jakub Hrozek wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On Thu, Sep 27, 2012 at 08:18:21AM +0200, David Sastre wrote: > On Wed, Sep 26, 2012 at 11:08 PM, David Sastre Medina wrote: > > On Wed, Sep 26, 2012 at 03:06:40PM -0400, Rob Crittenden wrote: > > > David Sastre wrote: > > > > [big snip] > > > Does sssd work on this machine otherwise? getent passwd <foo>, you > > > can log into the console as the user, or perhaps kinit to the user? > > > It looks like sssd is operating correctly > I can also kinit w/o problems: </div>kinit bypasses the SSSD and talks to the KDC directly. <div class="im"> </div>...however, the ssh should go through the SSSD... <div class="im"> </div>Can you check the messages that appear in /var/log/secure during the sudo auth attempt? You should see pam_sss being contacted, what does it say? Is there any error? </blockquote><div> Jakub, Does your comment mean ssh/sshd is misbehaving or bad configured? There are, indeed, errors regarding pam_sss in /var/log/secure. This is a successful login+sudo+logout in a host: Sep 27 10:29:56 panoramix sshd[12913]: Authorized to dsastrem, krb5 principal <a href="mailto:dsastrem@SOME.DOMAIN.COM">dsastrem@SOME.DOMAIN.COM</a> (krb5_kuserok) Sep 27 10:29:56 panoramix sshd[12913]: Accepted gssapi-with-mic for dsastrem from 172.26.130.101 port 58678 ssh2 Sep 27 10:29:56 panoramix sshd[12913]: pam_unix(sshd:session): session opened for user dsastrem by (uid=0) Sep 27 10:30:13 panoramix sudo: pam_unix(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/2 ruser=dsastrem rhost= user=dsastrem Sep 27 10:30:13 panoramix sudo: pam_sss(sudo:auth): authentication success; logname=dsastrem uid=0 euid=0 tty=/dev/pts/2 ruser=dsastrem rhost= user=dsastrem Sep 27 10:30:13 panoramix sudo: dsastrem : TTY=pts/2 ; PWD=/home/dsastrem ; USER=root ; COMMAND=/sbin/ip addr show Sep 27 10:30:32 panoramix sshd[12942]: Received disconnect from <a href="http://172.26.130.101">172.26.130.101</a>: 11: disconnected by user Sep 27 10:30:32 panoramix sshd[12913]: pam_unix(sshd:session): session closed for user dsastrem This one a failed attempt to do the same in another host: Sep 27 10:32:27 obelix sshd[5242]: Authorized to dsastrem, krb5 principal <a href="mailto:dsastrem@SOME.DOMAIN.COM">dsastrem@SOME.DOMAIN.COM</a> (krb5_kuserok) Sep 27 10:32:27 obelix sshd[5242]: Accepted gssapi-with-mic for dsastrem from 172.26.130.101 port 38276 ssh2 Sep 27 10:32:27 obelix sshd[5242]: pam_unix(sshd:session): session opened for user dsastrem by (uid=0) Sep 27 10:32:50 obelix sudo: pam_unix(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost= user=dsastrem Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): system info: [Permission denied] Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost= user=dsastrem Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): received for user dsastrem: 4 (System error) Sep 27 10:33:13 obelix sudo: pam_unix(sudo:auth): conversation failed Sep 27 10:33:13 obelix sudo: pam_unix(sudo:auth): auth could not identify password for [dsastrem] Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): system info: [Cannot read password] Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost= user=dsastrem Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): received for user dsastrem: 4 (System error) Sep 27 10:33:13 obelix sudo: dsastrem : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/dsastrem ; USER=root ; COMMAND=/sbin/ip addr show Sep 27 10:33:21 obelix sshd[5281]: Received disconnect from <a href="http://172.26.130.101">172.26.130.101</a>: 11: disconnected by user Sep 27 10:33:21 obelix sshd[5242]: pam_unix(sshd:session): session closed for user dsastrem I can see now where it is failing, but I can't understand why (yet), is this PAM related? </div></div>