[Freeipa-users] Centos IPA Client fails after upgrade to 6.6

Jakub Hrozek jhrozek at redhat.com
Fri Nov 7 09:18:31 UTC 2014


On Thu, Nov 06, 2014 at 09:33:35PM -0800, Michael Lasevich wrote:
> For what it's worth, my issue was resolved when I rebooted the server.
> 
> Restarting sssd and/or clearing its cache did not do it, but a full reboot
> seems to have done it. Something must have been cached or some temp file I
> missed. Will need to look into it further as I have a number of servers yet
> to be upgraded and having to reboot linux servers to do an upgrade seems
> sacrilegious...

We need to see the krb5_child.log file, ideally with a very high
debug_level (10 would enable KRB5_TRACE debugging as well).

> 
> -M
> 
> On Thu, Nov 6, 2014 at 9:26 PM, David Taylor <david.taylor at speedcast.com>
> wrote:
> 
> >  As an add on, I’ve upgraded our Xen template to 6.6 and run up a new VM
> > using that and it attaches to the IPA environment perfectly well, so I’m
> > guessing it is an issue with the upgrade scripts.
> >
> >
> >
> >
> >
> > Best regards
> >
> > *David Taylor*
> >
> >  *From:* Michael Lasevich [mailto:mlasevich at gmail.com]
> > *Sent:* Friday, 7 November 2014 4:00 PM
> > *To:* Jakub Hrozek
> > *Cc:* David Taylor; freeipa-users at redhat.com
> > *Subject:* Re: [Freeipa-users] Centos IPA Client fails after upgrade to
> > 6.6
> >
> >
> >
> > I am seeing somewhat similar behavior once upgrading from sssd 1.9 to 1.11
> > (centos 6.5 to 6.6)
> >
> >
> >
> > I seem to be able to log in via ssh, but when I use http pam service, I
> > get inconsistent behavior - seems like sometimes it works and others it
> > errors out (success and failure can happen within a second)
> >
> >
> >
> > In the logs I see things like:
> >
> >
> >
> > [sssd[krb5_child[15410]]]: Internal credentials cache error
> >
> > and
> >
> > authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=
> > user=username
> > received for user username: 4 (System error)
> >
> > Nothing in the audit.log that I can see
> >
> > I am guessing this is an sssd issue but I am hoping someone here knows how
> > to deal with it.
> >
> > In case it matters - here is the pam config:
> >
> > auth        required      pam_env.so
> > auth        sufficient    pam_sss.so
> > auth        required      pam_deny.so
> >
> > account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> > account     required      pam_permit.so
> >
> > password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> > password    sufficient    pam_sss.so use_authtok
> > password    required      pam_deny.so
> >
> >
> >
> > session     optional      pam_keyinit.so revoke
> > session     required      pam_limits.so
> > session     optional      pam_oddjob_mkhomedir.so
> > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session     optional      pam_sss.so
> >
> > -M
> >
> >
> >
> > On Wed, Nov 5, 2014 at 1:05 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:
> >
> >  On Wed, Nov 05, 2014 at 02:30:55AM +0000, David Taylor wrote:
> > > Thanks for the reply. The PAM file is pretty stock for a centos build
> > >
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth        required      pam_env.so
> > > auth        sufficient    pam_unix.so nullok try_first_pass
> > > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > > auth        sufficient    pam_sss.so use_first_pass
> > > auth        required      pam_deny.so
> > >
> > > account     required      pam_unix.so
> > > account     sufficient    pam_localuser.so
> > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> > > account     required      pam_permit.so
> > >
> > > password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> > > password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> > > password    sufficient    pam_sss.so use_authtok
> > > password    required      pam_deny.so
> > >
> > > session     optional      pam_keyinit.so revoke
> > > session     required      pam_limits.so
> > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > session     required      pam_unix.so
> > > session     optional      pam_sss.so
> > >
> > >
> > > Best regards
> > > David Taylor
> >
> > OK, so pam_sss is there ...
> >
> > And yet you see no mention of pam_sss.so in /var/log/secure ?
> >
> > Is this the file that was included from the service-specific PAM
> > configuration?
> >
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go To http://freeipa.org for more info on the project
> >
> >
> >
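Whether pam_sss.so ever shows up in /var/log/secure comes down to how Linux-PAM walks a stack: a "sufficient" module that succeeds ends the management group, so the modules after it are never invoked. The following is an added example, not code from this thread, from SSSD or from Linux-PAM. It is a toy evaluator of the control-flag semantics from pam.conf(5), run over the auth and account stacks posted above. Everything about the simulated modules is an assumption: the User fields, the rule that pam_unix.so can only verify a locally stored hash while resolving any NSS-visible user, and the constructed "username" and "root" accounts.

```python
# Toy evaluator for Linux-PAM control-flag semantics (added example, not from
# the thread or from Linux-PAM). Module results are simplified; the flag
# handling follows pam.conf(5), where keyword controls are shorthand for the
# bracketed [value=action] form.
import re
from dataclasses import dataclass

CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

@dataclass
class User:               # constructed test identity, not a real account
    name: str
    uid: int
    local: bool           # has an /etc/passwd + shadow entry (assumption)
    sssd: bool            # known to sssd, i.e. an IPA user (assumption)
    password_ok: bool = True

def run_module(module, args, kind, user):
    """Simplified result of one module for management group `kind`."""
    nss_known = user.local or user.sssd   # pam_unix resolves users via NSS, incl. nss_sss
    if module in ("pam_env.so", "pam_permit.so"):
        return "success"
    if module == "pam_deny.so":
        return "perm_denied"
    if module == "pam_localuser.so":
        return "success" if user.local else "perm_denied"
    if module == "pam_unix.so":
        if not nss_known:
            return "user_unknown"
        # assumption: only a local shadow hash can be verified; account just needs NSS
        return "success" if kind == "account" or (user.local and user.password_ok) else "auth_err"
    if module == "pam_sss.so":
        if not user.sssd:
            return "user_unknown"
        return "success" if kind == "account" or user.password_ok else "auth_err"
    if module == "pam_succeed_if.so":
        m = re.search(r"uid\s*(>=|<)\s*(\d+)", args)   # only the uid tests used here
        n = int(m.group(2))
        ok = user.uid >= n if m.group(1) == ">=" else user.uid < n
        return "success" if ok else "auth_err"
    raise ValueError("unmodelled module " + module)

def parse_control(control):
    return CONTROLS.get(control) or dict(p.split("=") for p in control.strip("[]").split())

def evaluate(stack, kind, user):
    """Walk one management group; returns (final result, modules actually invoked)."""
    called, impression, status, i = [], None, None, 0
    while i < len(stack):
        control, module, args = stack[i]
        i += 1
        retval = run_module(module, args, kind, user)
        called.append(module)
        actions = parse_control(control)
        action = actions.get(retval, actions.get("default", "bad"))
        if action.isdigit():                        # N: skip the next N entries
            i += int(action)
        elif action in ("bad", "die"):              # "ignore" falls through untouched
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        elif action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
    return (status if impression is not None else "perm_denied"), called

# The stacks posted in the thread, as (control, module, args).
SYSTEM_AUTH = [
    ("required", "pam_env.so", ""),
    ("sufficient", "pam_unix.so", "nullok try_first_pass"),
    ("requisite", "pam_succeed_if.so", "uid >= 500 quiet"),
    ("sufficient", "pam_sss.so", "use_first_pass"),
    ("required", "pam_deny.so", ""),
]
HTTP_AUTH = [
    ("required", "pam_env.so", ""),
    ("sufficient", "pam_sss.so", ""),
    ("required", "pam_deny.so", ""),
]
SYSTEM_ACCOUNT = [
    ("required", "pam_unix.so", ""),
    ("sufficient", "pam_localuser.so", ""),
    ("sufficient", "pam_succeed_if.so", "uid < 500 quiet"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_sss.so", ""),
    ("required", "pam_permit.so", ""),
]

if __name__ == "__main__":   # constructed users: an IPA user and local root
    for u in (User("username", 10000, local=False, sssd=True), User("root", 0, local=True, sssd=False)):
        print(u.name, evaluate(SYSTEM_AUTH, "auth", u), evaluate(SYSTEM_ACCOUNT, "account", u))
```

Running it shows that for a local account such as root the auth group stops at pam_unix.so, so pam_sss.so is never invoked and cannot leave a line in the log, while an IPA user passes through pam_unix.so (its failure is discarded under "sufficient") and the uid >= 500 check before reaching pam_sss.so. The http service stack posted above has no pam_unix.so at all, so every authentication on that service goes through pam_sss.so and then pam_deny.so if it fails.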
