In the log (/var/log/messages) I was seeing messages like these:

login: FAILED LOGIN SESSION FROM tty3 FOR smithfarm, System error
pam_sss(login:auth): received for user smithfarm: 4 (System error)
pam_sss(xdm:auth): received for user smithfarm: 4 (System error)
sshd[6004]: error: PAM: System error for smithfarm from ws.farm.cz
This was mysterious. Since I knew it was Kerberos-related, I raised the debug level in the Kerberos section of the sssd configuration file /etc/sssd/sssd.conf:

[domain/default]
debug_level = 0x07F0
enumerate = false
id_provider = ldap
...
After restarting sssd and trying to log in again, the sssd log file (/var/log/sssd/sssd_default.log on my system) had something interesting to say:

(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [cc_residual_is_used] (0x0200): Cache file [/tmp/krb5cc_17006_M51GxZ] does not exist, it will be recreated
(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [check_old_ccache] (0x0400): Saved ccache FILE:/tmp/krb5cc_17006_M51GxZ doesn't exist.
(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [krb5_auth_send] (0x0200): Ignoring ccache attribute [FILE:/tmp/krb5cc_17006_M51GxZ], because it doesn't exist.
17006 is the uid I always get when I log in via LDAP/Kerberos. So I tried the following command:
# rm -rf /tmp/krb5cc_17006*
Then after restarting sssd I was able to log in.
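As an added example (not part of the original post), a small POSIX shell script that automates the triage above without deleting anything: it pulls the missing ccache path out of the sssd log lines, lists the krb5cc files for a uid, and checks the owner and mode of /tmp (the cause one commenter reports). The log sample inside is constructed from the lines quoted above; uid 17006 is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original post): read-only triage for the
# "pam_sss ... 4 (System error)" symptom. It extracts the ccache paths sssd
# complained about from the domain log, lists the leftover krb5cc files the
# post removed by hand, and checks the tmp directory's owner/mode (the cause
# reported in the comments). uid 17006 and the sample log are taken from the post.

# Constructed stand-in for /var/log/sssd/sssd_default.log (the lines quoted above).
SAMPLE_LOG=$(cat <<'EOF'
(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [cc_residual_is_used] (0x0200): Cache file [/tmp/krb5cc_17006_M51GxZ] does not exist, it will be recreated
(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [check_old_ccache] (0x0400): Saved ccache FILE:/tmp/krb5cc_17006_M51GxZ doesn't exist.
(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [krb5_auth_send] (0x0200): Ignoring ccache attribute [FILE:/tmp/krb5cc_17006_M51GxZ], because it doesn't exist.
EOF
)

# Print each ccache path sssd reported missing, deduplicated, covering the
# three message forms in the post (cc_residual_is_used, check_old_ccache,
# krb5_auth_send).
missing_ccaches() {
    sed -n \
        -e 's/.*Cache file \[\([^]]*\)\] does not exist.*/\1/p' \
        -e "s/.*Saved ccache FILE:\([^ ]*\) doesn't exist.*/\1/p" \
        -e 's/.*Ignoring ccache attribute \[FILE:\([^]]*\)\].*/\1/p' "$1" | sort -u
}

# List leftover credential caches for a uid in a directory (what the post
# cleared with rm -rf /tmp/krb5cc_17006*) without deleting anything.
list_ccaches() {
    find "$1" -maxdepth 1 -name "krb5cc_$2*" 2>/dev/null | sort
}

# A normal /tmp is root-owned with mode 1777; a changed owner is the cause a
# commenter hit. Prints "ok" or the problem; returns 1 on bad owner/mode,
# 2 if the directory cannot be inspected.
check_tmpdir() {
    owner=$(stat -c '%U' "$1" 2>/dev/null) || return 2
    mode=$(stat -c '%a' "$1")
    [ "$owner" = root ] || { echo "$1 owned by $owner, expected root"; return 1; }
    [ "$mode" = 1777 ] || { echo "$1 mode $mode, expected 1777"; return 1; }
    echo ok
}

# Demo: run on the constructed log and inspect the live /tmp (read-only).
work=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" > "$work/sssd_default.log"
echo "ccache paths sssd reported missing:"; missing_ccaches "$work/sssd_default.log"
echo "leftover caches for uid 17006 in /tmp:"; list_ccaches /tmp 17006
check_tmpdir /tmp || :
rm -rf "$work"
```

Once the script names the stale cache, the removal step stays a deliberate manual action, exactly as in the post.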
Thanks!
I have been beating my head against a rock trying to figure this one out. This resolved it for me. My issue occurred after an AD certificate renewal. Thanks for the post!
This is an old post I know. I just wanted to add this.
You will also get this error if someone changes the owner of /tmp from root to someone else.
That one took me a while to figure out. :)