On 01/03/2012 04:07 AM, Jakub Hrozek wrote:
On Tue, Jan 03, 2012 at 01:13:53AM -0600, Alexander Blair wrote:
Hello,
I got a chance to work on this/look into this, and getent passwd user is returning the expected results with sssd on, and nothing with sssd off, as should be expected. The addition or removal of the / on the ldap URL had no results on my testing.
I tacked strace's onto the various processes as I was authenticating, and verified that it did contact the ldap server, and was able to get all the ldap related data. I have also verified that the server can contact the Kerberos server at this time via kinit after a su<user> -, where<user> is a user that only exists in the ldap directory, so it appears that it's something with SSSD not properly contacting the Krb server, I'm unable to track exactly how it should be doing this, so any suggestions would be appreciated, and I'm happy to provide any additional information I can about our setup related to this.
Thank you, Alexander Blair
How did you configure your PAM stack? Usin authconfig or manually? Does /var/log/secure show any errors related to pam_sss (and does it show that pam_sss was consulted?)
You can also try setting debug_level = 10 in the [domain/domainname] section of sssd.conf, restarting sssd and checking for any Kerberos errors. _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
The PAM stack was originally done in authconfig, and I have verfied that it's properly setup to allow SSSD to auth. I have monitored the SSSD processes directly and have confirmed that PAM is contacting it for authentication verification.
Setting it into debug 10 has done nothing, as it's not dropping anything into the krb log files.