Any help here would be appreciated; I don't seem to see what the issue is. I can log in using kinit just fine, but sssd fails when using ssh. It seems like it has something to do with the files in /var/lib/sss/pubconf going missing, which causes sssd-krb5 to fail with: Cannot find KDC for requested realm.
This is CentOS 6, sssd-1.8.0-32.el6.x86_64.
e.g. kinit logins work:
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x248b180], connected[1], ops[(nil)], ldap[0x248b360]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sbus_dispatch] (0x4000): dbus conn: 2485210
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sbus_dispatch] (0x4000): Dispatching.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_pam_handler] (0x0100): Got request with the following data
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): user: testuser
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): service: sshd
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): tty: ssh
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): ruser:
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): rhost: 10.74.34.39
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): authtok type: 1
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): authtok size: 12
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): newauthtok type: 0
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): newauthtok size: 0
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): priv: 1
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): cli_pid: 2882
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_pam_handler] (0x1000): Wait queue of user [testuser] is empty, running request immediately.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [ldb] (0x4000): tevent: Added timed event "ltdb_callback": 0x2537a00
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [ldb] (0x4000): tevent: Added timed event "ltdb_timeout": 0x2539b50
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [ldb] (0x4000): tevent: Destroying timer event 0x2539b50 "ltdb_timeout"
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [ldb] (0x4000): tevent: Ending timer event 0x2537a00 "ltdb_callback"
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_auth_send] (0x0100): No ccache file for user [testuser] found.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_auth_send] (0x4000): Ccache_file is [not set] and is not active and TGT is not valid.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [get_port_status] (0x1000): Port status of port 88 for server 'auth01.MYREALM.COM' is 'neutral'
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_resolve_server_done] (0x1000): Saving the first resolved server
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_resolve_server_done] (0x0200): Found address for server auth01.MYREALM.COM: [192.168.246.37] TTL 300
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_find_ccache_step] (0x4000): Recreating ccache file.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [create_ccache_dir] (0x4000): Ccache directory name [/tmp/krb5cc_501_XXXXXX] does not contain illegal patterns.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [2884]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [become_user] (0x4000): Trying to become user [501][501].
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [child_handler_setup] (0x2000): Signal handler set up for pid [2884]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [write_pipe_handler] (0x0400): All data has been sent!
(Sun Jan 27 21:57:03 2013) [sssd] [main] (0x1000): krb5_child started.
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [krb5_child_setup] (0x4000): Not using FAST.
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [get_and_save_tgt] (0x0020): 660: [-1765328230][Cannot find KDC for requested realm]
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [tgt_req_child] (0x0020): 919: [-1765328230][Cannot find KDC for requested realm]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_child_done] (0x4000): child response [4][1][36].
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [check_wait_queue] (0x1000): Wait queue for user [testuser] is empty.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_pam_handler_callback] (0x0100): Sending result [4][MYREALM.COM]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_pam_handler_callback] (0x0100): Sent result [4][MYREALM.COM]
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x751c90
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 754800
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][MYREALM.COM]
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [pam_reply] (0x0100): pam_reply get called.
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 79
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [child_sig_handler] (0x1000): Waiting for child [2884].
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [child_sig_handler] (0x0100): child [2884] finished successfully.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes
/etc/pam.d/password-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
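As an added example (not part of the original post), a small Python triage script that parses the sssd 1.8 debug-log format quoted above, correlates the sssd_krb5_locator "open failed" lines with the krb5_child error and the PAM status the backend returned, and names the likely cause. The sample log lines are a constructed, trimmed subset of the post's own output; the use of level 0x0020 as the error level and the PAM status names are assumptions noted in the comments.

```python
import re

# Constructed sample: a trimmed subset of the post's log, with the split "[sssd[be[MYREALM.COM]]]" lines rejoined.
SAMPLE_LOG = """\
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): user: testuser
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): service: sshd
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): rhost: 10.74.34.39
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [get_and_save_tgt] (0x0020): 660: [-1765328230][Cannot find KDC for requested realm]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
"""

# "(timestamp) [component] [function] (0xLEVEL): message", the line shape seen in the post
SSSD_LINE = re.compile(r"^\((?P<ts>[^)]+)\) (?P<comp>\S+) \[(?P<func>[^\]]+)\] "
                       r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
LOCATOR_LINE = re.compile(r"^\[sssd_krb5_locator\] (?P<msg>.*)$")  # plugin lines have no timestamp
KRB5_ERR = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]+)\]$")  # "[code][message]" at line end
BACKEND = re.compile(r"Backend returned: \(\d+, (?P<pam>\d+),")
PAM_STATUS = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR"}  # Linux-PAM values
KDC_NOT_FOUND = -1765328230  # the krb5 error code quoted in the post's log

def triage(log_text):
    """Summarise one sssd PAM authentication attempt and name the likely cause."""
    s = {"user": None, "service": None, "rhost": None,
         "locator_open_failures": 0, "krb5_errors": [], "pam_status": None}
    for line in log_text.splitlines():
        loc = LOCATOR_LINE.match(line)
        if loc:
            s["locator_open_failures"] += loc.group("msg").startswith("open failed")
            continue
        m = SSSD_LINE.match(line)
        if not m:
            continue
        func, level, msg = m.group("func", "level", "msg")
        if func == "pam_print_data":  # request metadata: user, service, rhost, ...
            key, _, value = msg.partition(": ")
            if key in s:
                s[key] = value
        elif level == "0x0020":  # assumption: the level the krb5_child failures are logged at
            err = KRB5_ERR.search(msg)
            if err:
                s["krb5_errors"].append((int(err.group("code")), err.group("text")))
        elif func == "be_pam_handler_callback" and (b := BACKEND.search(msg)):
            s["pam_status"] = PAM_STATUS.get(int(b.group("pam")), b.group("pam"))
    codes = {code for code, _ in s["krb5_errors"]}
    if s["locator_open_failures"] and KDC_NOT_FOUND in codes:
        s["diagnosis"] = "KDC lookup failed: sssd_krb5_locator could not open its KDC info file"
    else:
        s["diagnosis"] = "; ".join(text for _, text in s["krb5_errors"]) or "no krb5 error recorded"
    return s
```

Run it over a full /var/log/sssd/sssd_MYREALM.COM.log capture to see whether the KDC error is always preceded by locator open failures, which points at the pubconf files rather than at /etc/krb5.conf.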