On Thu, Jan 04, 2018 at 11:30:22AM +0100, Johan Vermeulen via FreeIPA-users wrote:
Hello,
apologies for the late reply, due to the holidays.
I had a call from a user this morning; she had to do multiple login attempts and reboot several times before she could log in.
Trying to follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
I assume the general setup works, as troubles only show up when the password expires. On the user's laptop:
[root@lremijsen ~]# systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since do 2018-01-04 08:42:01 CET; 2h 35min ago
  Process: 730 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
 Main PID: 757 (sssd)
   CGroup: /system.slice/sssd.service
           ├─757 /usr/sbin/sssd -D -f
           ├─767 /usr/libexec/sssd/sssd_be --domain network.cawdekempen.be --uid 0 --gid 0 --debug-to-files
           ├─774 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           ├─775 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
           ├─776 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
           ├─777 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
           └─778 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files

jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 2
jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 2
jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 2
In /var/log/secure there is always a clear message that the password is expired:
Jan 4 10:06:13 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication failure; logname= uid=382900705 euid=382900705 tty=:0.0 ruser= rhost= user=lremijsen
Jan 4 10:06:13 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:auth): received for user lremijsen: 12 (Authenticatietoken is niet langer geldig; nieuwe is vereist)
Jan 4 10:06:14 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:account): User info message: Wachtwoord verlopen. Verander nu uw wachtwoord.
sssd_pam.log only shows:
(Tue Jan 2 13:05:46 2018) [sssd[pam]] [orderly_shutdown] (0x0010): SIGTERM: killing children
sssd_network.cawdekempen.be.log only shows:
(Tue Jan 2 13:05:46 2018) [sssd[be[network.cawdekempen.be]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
I suppose I have to increase the log levels?
Yes, by default, SSSD doesn't log much. I think you would need especially the pam and domain service debug logs.
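
Added example, not part of the original thread: the pam_sss lines quoted from /var/log/secure carry a localized message, but the number in front of it is the Linux-PAM return code, and 12 is PAM_NEW_AUTHTOK_REQD (password expired, change required). This sketch picks those events out regardless of locale; the function names are hypothetical and the last two sample lines are constructed.

```python
import re

# Linux-PAM return codes (values from _pam_types.h); 12 means the password
# has expired and must be changed, whatever language the message text is in.
PAM_CODES = {7: "PAM_AUTH_ERR", 12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED"}

# "<ts> <host> <proc>: pam_sss(<service>:<phase>): received for user <u>: <code> (<text>)"
RECEIVED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<proc>[^:]+):\s"
    r"pam_sss\((?P<service>[^:)]+):(?P<phase>\w+)\):\s"
    r"received for user (?P<user>[^\s:]+):\s(?P<code>\d+)\s\((?P<text>.*)\)\s*$"
)

def parse_pam_sss(lines):
    """Return a dict for every pam_sss 'received for user' line."""
    events = []
    for line in lines:
        m = RECEIVED.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["code"] = int(ev["code"])
            ev["name"] = PAM_CODES.get(ev["code"], "OTHER")
            events.append(ev)
    return events

def expired_password_events(lines):
    """Keep only events where pam_sss reported an expired password (code 12)."""
    return [ev for ev in parse_pam_sss(lines) if ev["name"] == "PAM_NEW_AUTHTOK_REQD"]

# Lines 1-3 are the ones quoted in the message above; lines 4-5 are constructed
# (hypothetical host and users) to show another locale and another return code.
SAMPLE = [
    "Jan 4 10:06:13 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication failure; logname= uid=382900705 euid=382900705 tty=:0.0 ruser= rhost= user=lremijsen",
    "Jan 4 10:06:13 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:auth): received for user lremijsen: 12 (Authenticatietoken is niet langer geldig; nieuwe is vereist)",
    "Jan 4 10:06:14 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:account): User info message: Wachtwoord verlopen. Verander nu uw wachtwoord.",
    "Jan  4 10:09:02 host1 sshd[2311]: pam_sss(sshd:auth): received for user alice: 12 (Authentication token is no longer valid; new one required)",
    "Jan  4 10:09:40 host1 sshd[2330]: pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)",
]

if __name__ == "__main__":
    for ev in expired_password_events(SAMPLE):
        print(ev["ts"], ev["host"], ev["user"], ev["service"], ev["name"])
```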