<div dir="ltr">I am seeing somewhat similar behavior once upgrading from sssd 1.9 to 1.11 (centos 6.5 to 6.6)<div><br></div><div>I seem to be able to log in via ssh, but when I use http pam service, I get inconsistent behavior - seems like sometimes it works and others it errors out (success and failure can happen within a second)</div><div><br></div><div>In the logs I see things like:</div><div><br></div><div>
<p class="">[sssd[krb5_child[15410]]]: Internal credentials cache error</p><p class="">and </p><p class="">authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=username<br>received for user username: 4 (System error)</p><p class="">Nothing in the audit.log that I can see</p><p class="">I am guessing this is an sssd issue but I am hoping someone here knows how to deal with it.<br></p><p class="">IN case it matters - here is the pam config:</p><p class="">auth required pam_env.so<br>auth sufficient pam_sss.so<br>auth required pam_deny.so</p><p class="">account [default=bad success=ok user_unknown=ignore] pam_sss.so<br>account required pam_permit.so</p><p class="">password requisite pam_cracklib.so try_first_pass retry=3 type=<br>password sufficient pam_sss.so use_authtok<br>password required pam_deny.so</p><p class=""><br></p><p class="">session optional pam_keyinit.so revoke<br>session required pam_limits.so<br>session optional pam_oddjob_mkhomedir.so<br>session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid<br>session optional pam_sss.so</p><p class="">-M</p></div>
</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 5, 2014 at 1:05 AM, Jakub Hrozek <span dir="ltr"><<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Wed, Nov 05, 2014 at 02:30:55AM +0000, David Taylor wrote:<br>
> Thanks for the reply. The PAM file is pretty stock for a centos build<br>
><br>
> #%PAM-1.0<br>
> # This file is auto-generated.<br>
> # User changes will be destroyed the next time authconfig is run.<br>
> auth required pam_env.so<br>
> auth sufficient pam_unix.so nullok try_first_pass<br>
> auth requisite pam_succeed_if.so uid >= 500 quiet<br>
> auth sufficient pam_sss.so use_first_pass<br>
> auth required pam_deny.so<br>
><br>
> account required pam_unix.so<br>
> account sufficient pam_localuser.so<br>
> account sufficient pam_succeed_if.so uid < 500 quiet<br>
> account [default=bad success=ok user_unknown=ignore] pam_sss.so<br>
> account required pam_permit.so<br>
><br>
> password requisite pam_cracklib.so try_first_pass retry=3 type=<br>
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok<br>
> password sufficient pam_sss.so use_authtok<br>
> password required pam_deny.so<br>
><br>
> session optional pam_keyinit.so revoke<br>
> session required pam_limits.so<br>
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid<br>
> session required pam_unix.so<br>
> session optional pam_sss.so<br>
><br>
><br>
> Best regards<br>
> David Taylor<br>
<br>
</div></div>OK, so pam_sss is there ...<br>
<br>
And yet you see no mention of pam_sss.so in /var/log/secure ?<br>
<br>
Is this the file that was included from the service-specific PAM<br>
configuration?<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br>
</div></div></blockquote></div><br></div>