2014-06-17

The dreaded 'system error' with Kerberos and sssd

After some LDAP-related experimentation I was unable to log in to my workstation, which uses sssd to implement a setup where the users are identified by LDAP and authenticated by Kerberos.

In the log (/var/log/messages) I was seeing messages like these:

login: FAILED LOGIN SESSION FROM tty3 FOR smithfarm, System error
pam_sss(login:auth): received for user smithfarm: 4 (System error)
pam_sss(xdm:auth): received for user smithfarm: 4 (System error)
sshd[6004]: error: PAM: System error for smithfarm from ws.farm.cz

This was mysterious. Since I knew it was Kerberos-related, I raised the debug level in the Kerberos section of the sssd configuration file /etc/sssd/sssd.conf:

[domain/default]
debug_level = 0x07F0
enumerate = false
id_provider = ldap
...

After restarting sssd and trying to log in again, the sssd log file (/var/log/sssd/sssd_default.log on my system) had something interesting to say:

(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [cc_residual_is_used] (0x0200): Cache file [/tmp/krb5cc_17006_M51GxZ] does not exist, it will be recreated
(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [check_old_ccache] (0x0400): Saved ccache FILE:/tmp/krb5cc_17006_M51GxZ doesn't exist.
(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [krb5_auth_send] (0x0200): Ignoring ccache attribute [FILE:/tmp/krb5cc_17006_M51GxZ], because it doesn't exist.

17006 is the uid I always get when I log in via LDAP/Kerberos. So I tried the following command:

# rm -rf /tmp/krb5cc_17006*

Then after restarting sssd I was able to log in.
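The diagnosis above boils down to two checks: which credential cache paths sssd is complaining about, and whether they exist on disk. Here is a small POSIX sh helper, added to this post rather than taken from it or from the sssd project, that extracts those paths from an sssd domain log and reports the stale ones, and that also checks that /tmp still has the expected owner and sticky bit (the second cause mentioned in the comments). The log lines embedded in sample_log are constructed from the messages quoted above; the function names and the log path are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of sssd.
# Usage: . ./ccache_check.sh; check_ccaches /var/log/sssd/sssd_default.log; check_tmp /tmp

# Constructed sample log, copied from the messages quoted in the post.
sample_log() {
    cat <<'EOF'
(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [cc_residual_is_used] (0x0200): Cache file [/tmp/krb5cc_17006_M51GxZ] does not exist, it will be recreated
(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [check_old_ccache] (0x0400): Saved ccache FILE:/tmp/krb5cc_17006_M51GxZ doesn't exist.
(Tue Jun 17 10:56:22 2014) [sssd[be[default]]] [krb5_auth_send] (0x0200): Ignoring ccache attribute [FILE:/tmp/krb5cc_17006_M51GxZ], because it doesn't exist.
EOF
}

# Print every ccache path that sssd reports as missing, one per line, deduplicated.
# $1 = sssd domain log file (hypothetical default: /var/log/sssd/sssd_default.log)
stale_ccaches() {
    sed -n \
        -e 's/.*Ignoring ccache attribute \[FILE:\([^]]*\)\].*/\1/p' \
        -e 's/.*Cache file \[\([^]]*\)\] does not exist.*/\1/p' \
        "$1" | sort -u
}

# For each path from the log, say whether it is really absent from disk
# (a stale reference sssd will choke on) or present (then the problem is elsewhere).
check_ccaches() {
    for cc in $(stale_ccaches "$1"); do
        if [ -e "$cc" ]; then
            echo "$cc: present"
        else
            echo "$cc: stale (referenced by sssd, not on disk)"
        fi
    done
}

# Validate one "ls -ldn" line for a temp directory: owner must be uid 0 and
# the mode must be drwxrwxrwt (world-writable with the sticky bit).
# $1 = a line as printed by "ls -ldn DIR"
tmp_line_ok() {
    set -- $1
    [ "$3" = "0" ] || return 1
    case "$1" in
        drwxrwxrwt) return 0 ;;
        *) return 1 ;;
    esac
}

# Check a live directory, normally /tmp, where the krb5cc_* files live.
check_tmp() {
    if tmp_line_ok "$(ls -ldn "$1")"; then
        echo "$1: owner and mode look sane"
    else
        echo "$1: WARNING, not owned by root or sticky bit missing"
        return 1
    fi
}

# Run both checks when a log path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_ccaches "$1"
    check_tmp /tmp
fi
```

After confirming a path is stale, the fix from the post applies: remove the stale krb5cc_<uid>* files and restart sssd. If check_tmp complains instead, the ownership of /tmp is the thing to repair, not the cache files.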

3 comments:

  1. Anonymous, 15:57

    Thanks!

  2. Anonymous, 23:30

    I have been beating my head against a rock trying to figure this one out. This resolved it for me. My issue occurred after an AD certificate renewal. Thanks for the post!

  3. This is an old post I know. I just wanted to add this.

    You will also get this error if someone changes the owner of /tmp from root to someone else.

    That one took me a while to figure out. :)