Hi all,
 
I'm trying to set up AD authentication via sssd.
With freshly joined machines, login works as expected; however, after some (seemingly) arbitrary time, logins fail with this error in /var/log/secure:
 
sshd[22264]: pam_sss(sshd:auth): received for user <username>: 4 (System error)
 
I have yet to gather a debug log from when this happens, but as our complete Linux environment depends on this, maybe someone can already point out my mistake.
 
Here is the /etc/sssd/sssd.conf:
 
[sssd]
domains = some.domain.com
services = nss, pam
config_file_version = 2
sbus_timeout = 30
reconnection_retries = 3
 
[nss]
reconnection_retries = 3
 
[pam]
reconnection_retries = 3
 
[domain/some.domain.com]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
dns_discovery_domain = some.domain.com
ldap_id_mapping = False
cache_credentials = true
ldap_referrals = false
ldap_force_upper_case_realm = true
ad_enable_dns_sites = true
dyndns_update = false
case_sensitive = Preserving
ad_access_filter = DOM:some.domain.com:(<ldap_filter>)
 
 
Here is the /etc/krb5.conf:
 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 kdc_rotate = {
        period = 1d
        versions = 10
 }
 
[libdefaults]
 default_realm = SOME.DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 forwardable = true
 
[domain_realm]
 .some.domain.com = SOME.DOMAIN.COM
 some.domain.com = SOME.DOMAIN.COM
 
[appdefaults]
 kinit = {
   renewable = true
   forwardable= true
 }
 
 
PAM has been configured via authconfig and looks like this:
 
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so umask=0022 skel=/etc/skel/
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
 
 
Servers are joined via net ads like this:
net ads join createcomputer="OU=Servers,DC=Some,DC=Domain,DC=com" osName=RHEL osVer=6 -U<admin_user>%<pw>
net ads keytab create -U<admin_user>%<pw>
 
 
OS is RHEL 6.7 with sssd version 1.12.4-47.el6_7.4.
 
Many thanks in advance,
Christoph
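Added example (not part of Christoph's post): a small Python triage script that pulls pam_sss result lines out of /var/log/secure, separates infrastructure-side errors such as the quoted "4 (System error)" from ordinary credential failures, and lists the affected users. The sample log lines are constructed; only the "received for user ...: 4 (System error)" message format comes from the post.

```python
import re
from collections import Counter, defaultdict

# Linux-PAM return codes as logged by pam_sss ("received for user X: <code> (<text>)").
PAM_SYSTEM_ERR = 4        # sssd responder/backend problem, not a wrong password
PAM_AUTH_ERR = 7          # credentials rejected
PAM_AUTHINFO_UNAVAIL = 9  # auth source unreachable (e.g. offline, no cached creds)
PAM_USER_UNKNOWN = 10
INFRASTRUCTURE_CODES = {PAM_SYSTEM_ERR, PAM_AUTHINFO_UNAVAIL}

# Constructed /var/log/secure excerpt (hosts, users, PIDs and times are made up).
SAMPLE_LOG = """\
Mar 10 08:01:12 host1 sshd[22101]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
Mar 10 09:15:40 host1 sshd[22264]: pam_sss(sshd:auth): received for user alice: 4 (System error)
Mar 10 09:15:41 host1 sshd[22264]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
Mar 10 09:16:02 host1 sshd[22270]: pam_sss(sshd:auth): received for user bob: 4 (System error)
Mar 10 09:20:00 host1 sshd[22290]: pam_sss(sshd:auth): received for user carol: 7 (Authentication failure)
"""

RESULT_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<stack>\w+)\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)


def parse_pam_sss_results(log_text):
    """Return one dict per pam_sss 'received for user' line (other lines are skipped)."""
    events = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["code"] = int(ev["code"])
            events.append(ev)
    return events


def summarize(events):
    """Map PAM return code -> Counter of affected users."""
    summary = defaultdict(Counter)
    for ev in events:
        summary[ev["code"]][ev["user"]] += 1
    return summary


def infrastructure_failure_users(events):
    """Users hit by sssd-side errors; a spike here points at sssd/AD connectivity, not passwords."""
    return sorted({ev["user"] for ev in events if ev["code"] in INFRASTRUCTURE_CODES})


if __name__ == "__main__":
    evs = parse_pam_sss_results(SAMPLE_LOG)
    for code, users in sorted(summarize(evs).items()):
        print(f"PAM code {code}: {dict(users)}")
    print("infrastructure-side failures:", infrastructure_failure_users(evs))
```

Run it against the real file with `python3 triage.py < /var/log/secure` after replacing SAMPLE_LOG with `sys.stdin.read()`; a cluster of code 4 results across many users at one point in time is the signature to correlate with sssd domain-log entries.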