In the log (/var/log/messages) I was seeing messages like these:
login: FAILED LOGIN SESSION FROM tty3 FOR smithfarm, System error
pam_sss(login:auth): received for user smithfarm: 4 (System error)
pam_sss(xdm:auth): received for user smithfarm: 4 (System error)
sshd: error: PAM: System error for smithfarm from ws.farm.cz
This was mysterious. Since I knew it was Kerberos-related, I raised the debug level in the Kerberos section of the sssd configuration file:
[domain/default]
debug_level = 0x07F0
enumerate = false
id_provider = ldap
...
After restarting sssd and trying to log in again, the sssd log file (/var/log/sssd/sssd_default.log on my system) had something interesting to say:
(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [cc_residual_is_used] (0x0200): Cache file [/tmp/krb5cc_17006_M51GxZ] does not exist, it will be recreated
(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [check_old_ccache] (0x0400): Saved ccache FILE:/tmp/krb5cc_17006_M51GxZ doesn't exist.
(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [krb5_auth_send] (0x0200): Ignoring ccache attribute [FILE:/tmp/krb5cc_17006_M51GxZ], because it doesn't exist.
17006 is the uid I always get when I log in via LDAP/Kerberos. So I tried the following command:
# rm -rf /tmp/krb5cc_17006*
Then after restarting sssd I was able to log in.
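To review what is left in /tmp before removing anything, the following added example (not part of the original post) pulls the missing cache path and uid out of log lines like the ones above and lists only that uid's cache files, skipping symlinks and files owned by another account. The function names and the CANDIDATE/SKIP labels are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original post.

# The three sssd debug lines quoted above, embedded so the script runs offline.
sample_log() {
cat <<'EOF'
(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [cc_residual_is_used] (0x0200): Cache file [/tmp/krb5cc_17006_M51GxZ] does not exist, it will be recreated
(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [check_old_ccache] (0x0400): Saved ccache FILE:/tmp/krb5cc_17006_M51GxZ doesn't exist.
(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [krb5_auth_send] (0x0200): Ignoring ccache attribute [FILE:/tmp/krb5cc_17006_M51GxZ], because it doesn't exist.
EOF
}

# Read sssd domain-log text on stdin and print "uid path" once for every
# credential cache that check_old_ccache reported as missing.
missing_ccaches() {
    sed -n 's|.*\[check_old_ccache\].*Saved ccache FILE:\(/[^ ]*/krb5cc_\([0-9][0-9]*\)[^ ]*\) doesn.t exist.*|\2 \1|p' | sort -u
}

# audit_ccaches UID [DIR]: list the cache files for exactly this uid.
# The names tested are krb5cc_UID and krb5cc_UID_*, so unlike the glob
# krb5cc_17006* a cache belonging to uid 170061 is never matched.
# Only regular files owned by UID are reported as removal candidates.
audit_ccaches() {
    uid=$1 dir=${2:-/tmp}
    for f in "$dir/krb5cc_$uid" "$dir/krb5cc_${uid}_"*; do
        if [ -L "$f" ]; then
            echo "SKIP $f symlink"
        elif [ -f "$f" ]; then
            owner=$(ls -ln "$f" | awk '{print $3}')
            if [ "$owner" = "$uid" ]; then echo "CANDIDATE $f"
            else echo "SKIP $f owned-by-uid-$owner"; fi
        elif [ -e "$f" ]; then
            echo "SKIP $f not-a-regular-file"
        fi
    done
}

# Read-only report: nothing is deleted here.
sample_log | missing_ccaches | while read -r uid path; do
    echo "sssd expected $path (uid $uid); leftovers in /tmp:"
    audit_ccaches "$uid" /tmp
done
```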