Hi,
I've enabled lvl 9 debug; I started from 6 to see if there was anything obvious, but I can't see anything. It looks like on lvl 6 the difference between a successful and an unsuccessful login is that the unsuccessful one is not even triggering the SSS_PAM_ACCT_MGMT command. What's interesting is that if I destroy the c111111 user's ticket on the machine and try to log in again, it will fail, but my currently logged-in user can see that the krb ticket has been created. On lvl 9 I can see that communication with the IPA server is successful and that it's querying all the user info. I've disabled krb5_store_password_if_offline and cleared the sssd cache on the host, but it's still the same thing. The symptoms are almost as if krb won't check the password and just returns OK to ssh.
c111111@csc-64:/home/ubuntu$ klist -l
Principal name                 Cache name
--------------                 ----------
c111111@STUXNET.LAB            KEYRING:persistent:1938600006:krb_ccache_VaG0P4I
When failing, the following is not processed at all; it just returns OK:
(Mon Nov 30 07:05:50 2020) [sssd[be[stuxnet.lab]]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.pamHandler: Success
(Mon Nov 30 07:05:50 2020) [sssd[be[stuxnet.lab]]] [child_sig_handler] (0x0100): child [602785] finished successfully.
When successful, the lvl 6 log continues with:
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [dp_pam_handler_send] (0x0100): Got request with the following data
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): domain: stuxnet.lab
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): user: c111111@stuxnet.lab
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): service: sshd
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): tty: ssh
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): ruser:
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): rhost: 10.0.0.6
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): priv: 1
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): cli_pid: 602527
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): logon name: not set
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): flags: 0
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [dp_attach_req] (0x0400): DP Request [PAM Account #7]: New request. Flags [0000].
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [sdap_access_send] (0x0400): Performing access check for user [c111111@stuxnet.lab]
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS
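An added example, not part of the original thread: a small parser for the sssd backend log format quoted above that groups the pam_print_data blocks per login and reports which logins never reached SSS_PAM_ACCT_MGMT, which is the difference the post describes. It assumes the requests of one sshd login share the same cli_pid and uses the real sssd command name SSS_PAM_AUTHENTICATE for the preceding step; the sample log lines and PIDs are constructed.

```python
import re
from collections import defaultdict

# One sssd debug line: (timestamp) [process] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[(?P<proc>.*?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<lvl>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)

# Constructed sample: session 602527 reaches the account check, session 602780
# (made up to stand in for the failing login) only authenticates.
SAMPLE_LOG = """\
(Mon Nov 30 07:04:49 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Mon Nov 30 07:04:49 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): user: c111111@stuxnet.lab
(Mon Nov 30 07:04:49 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): cli_pid: 602527
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): user: c111111@stuxnet.lab
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): cli_pid: 602527
(Mon Nov 30 07:05:49 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Mon Nov 30 07:05:49 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): user: c111111@stuxnet.lab
(Mon Nov 30 07:05:49 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): cli_pid: 602780
(Mon Nov 30 07:05:50 2020) [sssd[be[stuxnet.lab]]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.pamHandler: Success
"""

def parse_pam_requests(log_text):
    """Return one {field: value} dict per pam_print_data block."""
    requests, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("func") != "pam_print_data":
            continue
        key, _, val = m.group("msg").partition(":")
        key, val = key.strip(), val.strip()
        if key == "command":            # each block starts with its command
            current = {"command": val}
            requests.append(current)
        elif current is not None:
            current[key] = val
    return requests

def commands_by_session(log_text):
    """Map cli_pid (assumed: one per sshd login) to its PAM command sequence."""
    sessions = defaultdict(list)
    for req in parse_pam_requests(log_text):
        sessions[req.get("cli_pid", "?")].append(req["command"])
    return dict(sessions)

def sessions_missing_acct_mgmt(log_text):
    """PIDs that authenticated but never reached SSS_PAM_ACCT_MGMT."""
    return sorted(pid for pid, cmds in commands_by_session(log_text).items()
                  if "SSS_PAM_AUTHENTICATE" in cmds and "SSS_PAM_ACCT_MGMT" not in cmds)

if __name__ == "__main__":
    for pid, cmds in commands_by_session(SAMPLE_LOG).items():
        print(pid, "->", ", ".join(cmds))
    print("no account check:", sessions_missing_acct_mgmt(SAMPLE_LOG))
```

Run it against a real sssd_<domain>.log at debug level 6 or higher to see, per login, whether the account-management step was ever requested.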