<div dir="ltr">For what its worth, my issue was resolved when I rebooted the server. <div> </div><div>Restarting sssd and/or clearing it's cache did not do it, but a full reboot seems to have done it. Something much have been cached or some temp file I missed. Will need to look into it further as I have a number of servers yet to be upgraded and having to reboot linux servers to do an upgrade seem sacrilegious...</div><div> </div><div>-M</div></div><div class="gmail_extra"> <div class="gmail_quote">On Thu, Nov 6, 2014 at 9:26 PM, David Taylor <<a href="mailto:david.taylor@speedcast.com" target="_blank">david.taylor@speedcast.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div lang="EN-AU" link="blue" vlink="purple"> <div> As an add on, I’ve upgraded our Xen template to 6.6 and run up a new VM using that and it attaches to the IPA environment perfectly well, so I’m guessing it is an issue with the upgrade scripts. Best regards David Taylor From: Michael Lasevich [mailto:<a href="mailto:mlasevich@gmail.com" target="_blank">mlasevich@gmail.com</a>] Sent: Friday, 7 November 2014 4:00 PM To: Jakub Hrozek Cc: David Taylor; <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a> Subject: Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6 <div> I am seeing somewhat similar behavior once upgrading from sssd 1.9 to 1.11 (centos 6.5 to 6.6)<div><div class="h5"> <div> </div> <div> I seem to be able to log in via ssh, but when I use http pam service, I get inconsistent behavior - seems like sometimes it works and others it errors out (success and failure can happen within a second) </div> <div> </div> <div> In the logs I see things like: </div> <div> </div> <div> [sssd[krb5_child[15410]]]: Internal credentials cache error and authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=username received for user username: 4 (System error) Nothing in the audit.log that I can see I am guessing this is an sssd issue but I am hoping someone here knows how to deal with it. IN case it matters - here is the pam config: auth required pam_env.so auth sufficient pam_sss.so auth required pam_deny.so account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_oddjob_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session optional pam_sss.so -M </div> </div></div></div><div><div class="h5"> <div> <div> On Wed, Nov 5, 2014 at 1:05 AM, Jakub Hrozek <<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>> wrote: <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm"> <div> <div> On Wed, Nov 05, 2014 at 02:30:55AM +0000, David Taylor wrote: > Thanks for the reply. The PAM file is pretty stock for a centos build > > #%PAM-1.0 > # This file is auto-generated. > # User changes will be destroyed the next time authconfig is run. > auth required pam_env.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 500 quiet > auth sufficient pam_sss.so use_first_pass > auth required pam_deny.so > > account required pam_unix.so > account sufficient pam_localuser.so > account sufficient pam_succeed_if.so uid < 500 quiet > account [default=bad success=ok user_unknown=ignore] pam_sss.so > account required pam_permit.so > > password requisite pam_cracklib.so try_first_pass retry=3 type= > password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok > password sufficient pam_sss.so use_authtok > password required pam_deny.so > > session optional pam_keyinit.so revoke > session required pam_limits.so > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid > session required pam_unix.so > session optional pam_sss.so > > > Best regards > David Taylor </div> </div> OK, so pam_sss is there ... And yet you see no mention of pam_sss.so in /var/log/secure ? Is this the file that was included from the service-specific PAM configuration? <div> <div> -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project </div> </div> </blockquote> </div> </div> </div></div></div> </div> </blockquote></div> </div>