[Freeipa-users] SSSD/SSH authentication issues on some hosts

Jakub Hrozek jhrozek at redhat.com
Mon Jun 3 08:45:14 UTC 2013


On Mon, Jun 03, 2013 at 06:58:35AM +0200, Natxo Asenjo wrote:
> On Mon, Jun 3, 2013 at 12:38 AM, Ryan Cunningham
> <ryan.cunningham.xyzzy at gmail.com> wrote:
> >
> >> What I see is:
> >>
> >>  fatal: Access denied for user admin by PAM account configuration
> >>
> >> What about disabling selinux?
> >
> >
> > Whoops, I probably should have caught these myself.
> >
> > Disabling SELinux fixed one of the hosts. I didn't even look at it because I
> > believed that I had disabled it previously.
> >
> > The other problem host didn't have SELinux enabled but was missing the
> > /etc/selinux/targeted directory structure and was dropping an error:
> >
> >  [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for
> > SELinux data failed. /etc/selinux/targeted/logins/adminnik1F1(Sun Jun  2
> > 18:01:44 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 25
> >
> > Everything's working fine now -- thanks for looking at those logs.
> 
> glad it helped, but it should also work with selinux enabled.
> 
> Could you try running restorecon -rv on /etc and /home at least,
> re-enabling selinux and logging in again? For me and many others, it
> works and it really is the new 'best practices' to have it on ;-)

Did the directory /etc/selinux/targeted/logins/ exist at all? We've had
a bug where if SELinux was disabled, the directory didn't exist and
creating a temp file there failed. But from your e-mail it sounds like
you actually had luck after disabling SELinux?

Natxo's suggestion then would be a valid one, too; please let us know
whether restorecon did change any contexts.
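
An added example, not part of the original message: a read-only check for the two conditions discussed in this thread, namely whether the SELinux logins directory exists and whether restorecon would change any contexts. The function names and the `--live` switch are hypothetical; the policy name defaults to `targeted`, the path shown in the quoted log.

```shell
#!/bin/sh
# Added example, not from the thread. Names below are hypothetical.

# Print the value of KEY from an SELinux config file, or DEFAULT if unset.
selinux_cfg() {  # usage: selinux_cfg FILE KEY DEFAULT
    val=$(sed -n "s/^[[:space:]]*$2=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p" \
        "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# Print one verdict word for the filesystem rooted at ROOT:
#   ok            logins directory exists and is writable
#   missing-dir   logins directory is absent (the failure in the quoted log)
#   not-writable  directory exists but the current user cannot write to it
check_logins_dir() {  # usage: check_logins_dir ROOT [POLICY]
    root=${1%/}
    dir="$root/etc/selinux/${2:-targeted}/logins"
    if [ ! -d "$dir" ]; then
        echo missing-dir
    elif [ ! -w "$dir" ]; then
        echo not-writable
    else
        echo ok
    fi
}

# Inspect the running system only when asked to: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "configured mode: $(selinux_cfg /etc/selinux/config SELINUX unknown)"
    echo "policy type:     $(selinux_cfg /etc/selinux/config SELINUXTYPE unknown)"
    if command -v getenforce >/dev/null 2>&1; then
        echo "runtime mode:    $(getenforce)"
    fi
    echo "logins dir:      $(check_logins_dir /)"
    if command -v restorecon >/dev/null 2>&1; then
        # -n reports the context changes restorecon would make without applying them.
        restorecon -rvn /etc /home
    fi
fi
```

Run it as root so the writability test reflects what a root-owned daemon would see.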



