I am seeing somewhat similar behavior once upgrading from sssd 1.9 to 1.11 (centos 6.5 to 6.6)
I seem to be able to log in via ssh, but when I use http pam service, I get inconsistent behavior - seems like sometimes it works and others it errors out (success and failure can happen within a second) In the logs I see things like: [sssd[krb5_child[15410]]]: Internal credentials cache error and authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=username received for user username: 4 (System error) Nothing in the audit.log that I can see I am guessing this is an sssd issue but I am hoping someone here knows how to deal with it. IN case it matters - here is the pam config: auth required pam_env.so auth sufficient pam_sss.so auth required pam_deny.so account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_oddjob_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session optional pam_sss.so -M On Wed, Nov 5, 2014 at 1:05 AM, Jakub Hrozek <[email protected]> wrote: > On Wed, Nov 05, 2014 at 02:30:55AM +0000, David Taylor wrote: > > Thanks for the reply. The PAM file is pretty stock for a centos build > > > > #%PAM-1.0 > > # This file is auto-generated. > > # User changes will be destroyed the next time authconfig is run. > > auth required pam_env.so > > auth sufficient pam_unix.so nullok try_first_pass > > auth requisite pam_succeed_if.so uid >= 500 quiet > > auth sufficient pam_sss.so use_first_pass > > auth required pam_deny.so > > > > account required pam_unix.so > > account sufficient pam_localuser.so > > account sufficient pam_succeed_if.so uid < 500 quiet > > account [default=bad success=ok user_unknown=ignore] pam_sss.so > > account required pam_permit.so > > > > password requisite pam_cracklib.so try_first_pass retry=3 type= > > password sufficient pam_unix.so sha512 shadow nullok > try_first_pass use_authtok > > password sufficient pam_sss.so use_authtok > > password required pam_deny.so > > > > session optional pam_keyinit.so revoke > > session required pam_limits.so > > session [success=1 default=ignore] pam_succeed_if.so service in > crond quiet use_uid > > session required pam_unix.so > > session optional pam_sss.so > > > > > > Best regards > > David Taylor > > OK, so pam_sss is there ... > > And yet you see no mention of pam_sss.so in /var/log/secure ? > > Is this the file that was included from the service-specific PAM > configuration? > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
