<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 11/16/2012 10:59 AM, Qing Chang wrote:
<blockquote cite="mid:50A662D6.6050308@sri.utoronto.ca" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
just migrated all my user from OpenLDAP and MIT Kerberos to IPA.<br>
<br>
Out of more than 400 users, there are around 10 that have problem
<br>
accessing Samba or Dovecot IMAP or ssh. <br>
<br>
They never have problem login to ipa/ipa/ui/login.html.<br>
<br>
For Dovecot IMAP following error is generated:<br>
=====<br>
Nov 16 10:15:03 dovecot2 auth: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot
ruser=uesrid rhost=IP user=userid<br>
Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot
ruser=userid rhost=IP user=useris<br>
Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): received for
user userid: 4 (System error)<br>
</blockquote>
<br>
Hello Qing<br>
<br>
There are several things to do:<br>
1) Compare entries of the users that login with no problems and
users that have problems. There might be some attributes different
(absent/present). That might give a hint of what might be wrong. We
have seen some issues in this area related to Samba.<br>
2) Can you please enable the higher debug_level in SSSD and provide
the SSSD logs + sssd.conf that would help to see what is going on
with the user that is failing.<br>
3) Also if you can describe your environment of how all the parts
work together and what are the workflows in which you see the
problem/issue. I am personally not familiar with Dovecot in details
so I assume that Dovecot is configured to use PAM for the
authentication and the snippet above is from that authentication. Is
this the correct assumption?<br>
<br>
Thanks<br>
Dmitri<br>
<br>
<blockquote cite="mid:50A662D6.6050308@sri.utoronto.ca" type="cite">
=====<br>
<br>
For Samba, it appears that a mapping request never gets to Samba
server because<br>
nothing is logged for a problematic user ID although I have turned
on excessive logging.<br>
<br>
What is really frustrating is that there is no pattern to be
found, even my fellow<br>
Sysadmin's ID is also in trouble. <br>
<br>
Also, in his case, he has no problem with Dovecot. For another
user ID Samba works<br>
but not Dovecot. It looks to me there might be some problem with
sssd on the <br>
different servers?<br>
<br>
BTW, for at least one user, creating a brand new account for samba
did not work either,<br>
while the trick worked for another user:-(.<br>
<br>
Please shed some light on this. I don't mind opening a case with
RedHat support <br>
if necessary.<br>
<br>
<font color="#cc0000">Red Hat Enterprise Linux Server release 6.3
(Santiago)</font><br>
<font color="#cc0000">ipa-server.x86_64
2.2.0-16.el6 @rhel-x86_64-server-6<br>
sssd.x86_64 1.8.0-32.el6
@rhel-x86_64-server-6<br>
sssd-client.x86_64 1.8.0-32.el6
@rhel-x86_64-server-6<br>
</font> <br>
TIA,<br>
Qing<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>