Hi Alexander. Spot on... we fixed the issue with your suggestion. Thanks heaps
Appreciated.


regards


On Fri, Nov 9, 2018 at 12:43 PM Alfredo De Luca <alfredo.deluca@gmail.com> wrote:
Thanks Alexander. We don't have SELinux enabled, so good point from you. I will implement the solution you suggested soon and let you know.
Thanks heaps

Alfredo


On Thu, Nov 8, 2018 at 9:05 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Thu, 08 Nov 2018, Alfredo De Luca via FreeIPA-users wrote:
>Hi Alexander. Thanks for your info.
>Here are 2 logs. One is the pam.log and the other one is the domain.log at
>the time when we got the error below.
>
>Nov  8 17:09:06 sftp-test sshd[25100]: pam_sss(sshd:account): Access denied
>for user nifi_sftp: 4 (System error)
>
>The user to search is nifi_sftp.
>
>Thanks heaps and let me know if you need more info
Do you have SELinux enabled? Disabled?

From the looks of sssd_<domain>.log you have trouble with setting
SELinux for the user:

Thu Nov  8 17:09:06 2018) [sssd[be[novalocal]]] [selinux_child_done] (0x0020): selinux_child_parse_response failed: [22][Invalid argument]

This means that most likely you have SELinux disabled completely yet
SSSD attempts to set up SELinux context and considers its failure a hard
fail.

Setting

 selinux_provider = none

in [domain/novalocal] section should help if you are not using SELinux.

>Cheers
>
>
>
>On Wed, Nov 7, 2018 at 3:49 PM Alexander Bokovoy <abokovoy@redhat.com>
>wrote:
>
>> On Wed, 07 Nov 2018, Alfredo De Luca via FreeIPA-users wrote:
>> >Hi all. I wonder who and how this has been resolved?
>> >I have CentOS 7 where an sftp server is running. Authentication is with
>> >freeIPA 4.5.4.
>> >All the users connect to the sftp server normally, but when there are
>> >multiple connections, randomly I got this error
>> >
>> >Nov  7 08:30:09 sftp sshd[23487]: pam_sss(sshd:account): Access denied for
>> >user nifi_sftp: 4 (System error)
>> >
>> >Not sure why. The same user doesn't have any issue connecting manually, but
>> >when there are different connections from 3 nodes (running an open source sftp
>> >client called NIFI from apache.org) I got that error.
>> >I have to say that I tried to reproduce with a script running multiple
>> >connections at the same time and I get the same errors. If I use the
>> >controlmaster mechanism on the ssh client I don't get the error at all.
>> >
>> >Any idea?
>> Use sssd debugging to demonstrate why pam_sss is denying access.
>> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
>>
>> You'd need logs from the sssd_<domain>.log and sssd_pam.log related to
>> the time when there is an attempt to connect with NIFI. Use
>> debug_level=9 in domain and pam sections to show all logs and provide
>> them somewhere we can look up.
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>>
>
>
>--
>*Alfredo*


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


--
Alfredo



--
Alfredo
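As an added example that is not part of this thread (and not SSSD or FreeIPA project code), the script below turns Alexander's diagnosis into a repeatable check: it parses an sssd.conf, reports whether a domain section still leaves `selinux_provider` unset on a host that does not run SELinux, writes out the corrected section with `selinux_provider = none`, and scans log lines for the two signatures quoted in the thread (the `selinux_child_parse_response failed` line in `sssd_<domain>.log` and the `pam_sss ... 4 (System error)` denial in the sshd log). The sample sssd.conf is constructed (`id_provider = ipa` is an assumption; the thread only names the `novalocal` domain), the third log line is a constructed non-matching line, and the SELinux detection relies on the kernel mounting selinuxfs only when SELinux is enabled.

```python
"""Check an sssd.conf domain for the SELinux-provider mismatch from the thread
and spot the matching log lines. Added example; sample data is constructed."""
import configparser
import io
import os
import re

# Constructed sssd.conf resembling the thread's [domain/novalocal] setup.
# id_provider = ipa is an assumption; the thread only names the domain.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = novalocal
services = nss, pam

[domain/novalocal]
id_provider = ipa
auth_provider = ipa
ipa_domain = novalocal
"""

# First two lines are quoted from the thread; the third is a constructed
# ordinary sshd line that must not match either signature.
SAMPLE_LOG_LINES = [
    "Thu Nov  8 17:09:06 2018) [sssd[be[novalocal]]] [selinux_child_done] "
    "(0x0020): selinux_child_parse_response failed: [22][Invalid argument]",
    "Nov  8 17:09:06 sftp-test sshd[25100]: pam_sss(sshd:account): Access denied "
    "for user nifi_sftp: 4 (System error)",
    "Nov  8 17:09:07 sftp-test sshd[25101]: Accepted publickey for nifi_sftp",
]

SELINUX_CHILD_RE = re.compile(
    r"\[selinux_child_done\].*selinux_child_parse_response failed: \[(\d+)\]")
PAM_SSS_DENY_RE = re.compile(
    r"pam_sss\(sshd:account\): Access denied for user ([^\s:]+): 4 \(System error\)")


def selinux_enabled_on_host():
    """True when the running kernel has SELinux enabled (selinuxfs is mounted)."""
    return os.path.exists("/sys/fs/selinux/enforce")


def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def domain_sections(cp):
    return [s for s in cp.sections() if s.startswith("domain/")]


def selinux_provider_for(cp, section):
    # Unset means SSSD falls back to the id_provider for SELinux maps (ipa can
    # serve them), which is the path that fails on a host without SELinux.
    return cp.get(section, "selinux_provider", fallback=None)


def needs_selinux_provider_none(cp, section, selinux_enabled):
    """Recommend the change only when the host really does not use SELinux."""
    return (not selinux_enabled) and selinux_provider_for(cp, section) != "none"


def apply_selinux_provider_none(cp, section):
    cp.set(section, "selinux_provider", "none")
    return cp


def render_conf(cp):
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def scan_logs(lines):
    """Return (kind, detail) findings for the two log signatures in the thread."""
    findings = []
    for line in lines:
        m = SELINUX_CHILD_RE.search(line)
        if m:
            findings.append(("selinux_child_failure", m.group(1)))
        m = PAM_SSS_DENY_RE.search(line)
        if m:
            findings.append(("pam_sss_denied", m.group(1)))
    return findings


def explains_denial(findings):
    """True when a selinux_child failure accompanies a pam_sss 'System error'
    denial, i.e. the SELinux provider step is the likely cause of the denial."""
    kinds = {kind for kind, _ in findings}
    return {"selinux_child_failure", "pam_sss_denied"} <= kinds


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    for sec in domain_sections(conf):
        if needs_selinux_provider_none(conf, sec, selinux_enabled_on_host()):
            print(render_conf(apply_selinux_provider_none(conf, sec)))
    found = scan_logs(SAMPLE_LOG_LINES)
    print(found, "-> SELinux provider explains denial:", explains_denial(found))
```

Run it on a real host by replacing `SAMPLE_SSSD_CONF` with the contents of `/etc/sssd/sssd.conf` and feeding the relevant slices of `sssd_<domain>.log` and the sshd log to `scan_logs`; the host check is what keeps the fix from being applied on a machine that actually enforces SELinux, where disabling the provider would silently drop the user's SELinux mapping.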