[Freeipa-users] [FreeIPA] SUDO fails with system error

Jakub Hrozek jhrozek at redhat.com
Thu Oct 1 15:19:17 UTC 2015


On Thu, Oct 01, 2015 at 12:14:34PM +0000, Markus.Moj at mc.ingenico.com wrote:
> Dear @all,
> 
>  
> 
> I've an issue with two, Oracle Linux based, clients and my freeipa server. I can authenticate on any of the enrolled machines but the two Oracle servers aren't able to access sudo and I don't know why.
                          ~~~~~~~~~~~
                        What version of OEL and sssd?

> 
> Here are a few things I've already figured out.
> 
>  
> 
> Both machines are enrolled from scratch and I see the following entries in ldap_child.log
> 
> (Thu Oct  1 12:51:52 2015) [[sssd[ldap_child[3933]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/<servername>@<domain>' not found in Kerberos database
> 
> (Thu Oct  1 12:51:52 2015) [[sssd[ldap_child[3934]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/<servername>@<domain>' not found in Kerberos database

This looks like the enrollment is not correct, are you able to
kinit -k ?

> 
>  
> 
> Furthermore I get the following entries in the secure log
> 
> pam_unix(sudo:auth): authentication failure; logname=<username> uid=957400001 euid=0 tty=/dev/pts/1 ruser=<username> rhost=  user=<username>
> 
> pam_sss(sudo:auth): authentication failure; logname=<username> uid=957400001 euid=0 tty=/dev/pts/1 ruser=<username> rhost= user=<username>
> 
> pam_sss(sudo:auth): received for user <username>: 4 (System error)

You said you were able to authenticate, but here the authentication is
throwing system error. How did you authenticate, was it maybe with ssh
keys?

Is that all you have in krb5_child.log? I don't see the child exiting in
the logs..
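
The two log signatures quoted in this thread can be picked out mechanically. The following is an added example, not part of the original message and not SSSD code: a Python triage that parses the ldap_child.log and secure log lines shown above (sample lines copied from the post, placeholders kept) and reports host principals the KDC does not know and non-zero pam_sss results. All function and variable names are hypothetical.

```python
import re

# SSSD debug line: (timestamp) [[sssd[component[pid]]]] [function] (0xlevel): message
SSSD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[+sssd\[(?P<comp>\w+)\[(?P<pid>\d+)\]+ "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# KDC answer when the client principal does not exist
PRINCIPAL_RE = re.compile(r"Client '(?P<princ>[^']+)' not found in Kerberos database")
# pam_sss result line: pam_sss(service:phase): received for user NAME: CODE (text)
PAM_RE = re.compile(
    r"pam_sss\((?P<svc>[\w-]+):(?P<phase>\w+)\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")

# Sample input taken from the post above; <...> placeholders are the poster's.
SAMPLE_SSSD = [
    "(Thu Oct  1 12:51:52 2015) [[sssd[ldap_child[3933]]]] [ldap_child_get_tgt_sync] "
    "(0x0010): Failed to init credentials: Client 'host/<servername>@<domain>' "
    "not found in Kerberos database",
]
SAMPLE_SECURE = [
    "pam_sss(sudo:auth): authentication failure; logname=<username> uid=957400001 "
    "euid=0 tty=/dev/pts/1 ruser=<username> rhost= user=<username>",
    "pam_sss(sudo:auth): received for user <username>: 4 (System error)",
]

def triage(sssd_lines, secure_lines):
    """Return (missing_principals, pam_failures) found in the two logs."""
    missing = set()
    for line in sssd_lines:
        m = SSSD_RE.match(line.strip())
        if not m or m["comp"] != "ldap_child":
            continue  # not an ldap_child debug line
        p = PRINCIPAL_RE.search(m["msg"])
        if p:
            missing.add(p["princ"])
    failures = []
    for line in secure_lines:
        m = PAM_RE.search(line)
        if m and int(m["code"]) != 0:  # 0 is PAM_SUCCESS
            failures.append((m["svc"], m["user"], int(m["code"]), m["text"]))
    return sorted(missing), failures

if __name__ == "__main__":
    missing, failures = triage(SAMPLE_SSSD, SAMPLE_SECURE)
    for princ in missing:
        print(f"KDC does not know {princ}: verify enrollment and the host keytab")
    for svc, user, code, text in failures:
        print(f"pam_sss {svc} failed for {user}: {code} ({text})")
```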



