I guess i naively thought i needed it, but i removed the pam_krb libs from all the system/password auth sections of test machines and things still work as normal.

I still get the same errors on the ro-root machine however:

Oct 31 13:37:13 node48 sshd[5983]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=hugin.biac.duke.edu user=cmp12
Oct 31 13:37:13 node48 sshd[5983]: debug1: PAM: password authentication accepted for cmp12
Oct 31 13:37:13 node48 sshd[5983]: debug1: do_pam_account: called
Oct 31 13:37:13 node48 sshd[5907]: debug2: channel 0: rcvd adjust 49852
Oct 31 13:37:15 node48 sshd[5983]: pam_sss(sshd:account): Access denied for user cmp12: 4 (System error)
Oct 31 13:37:15 node48 sshd[5983]: Failed password for cmp12 from 10.136.52.5 port 38218 ssh2
Oct 31 13:37:15 node48 sshd[5984]: fatal: Access denied for user cmp12 by PAM account configuration

(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_access_filter_get_access_done] (0x0400): Access granted by online lookup
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [cmp12]
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x4000): User account control for user [cmp12] is [200].
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x4000): Expiration time for user [cmp12] is [9223372036854775807].
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]

Running version 1.9.2:
sssd-1.9.2-82.4.el6_4.x86_64

Thanks,
-Chris

Why do you have pam_krb5 in picture at all?
I am not sure this is the cause of the problem but this seems odd.
What version of SSSD we are talking about?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/