pam_sss System error, how to find the problem?
I was using Ubuntu 15.10, but upgraded to 16.04 LTS today. Since the upgrade I can no longer authenticate against our AD. I have tried using as a guide to configure everything from scratch. All worked fine up till the step Test Authentication.
I cannot log in using
su - myusename
When I check my auth.log I see the following lines:
Apr 28 12:59:30 PC1899 su[3134]: pam_krb5(su:auth): user myusename authenticated as myusename@DOMAIN
Apr 28 12:59:30 PC1899 su[3134]: (rdconf1.c:744): path to luserconf set to /home/DOMAIN/myusername/.pam_mount.conf.xml
Apr 28 12:59:30 PC1899 su[3134]: (pam_mount.c:365): pam_mount 2.14: entering auth stage
Apr 28 12:59:30 PC1899 su[3134]: pam_sss(su:account): Access denied for user myusername: 4 (System error)
Apr 28 12:59:30 PC1899 su[3134]: pam_acct_mgmt: System error
Apr 28 12:59:30 PC1899 su[3134]: (pam_mount.c:133): clean system authtok=0x55da4f8329c0 (4)
Apr 28 12:59:30 PC1899 su[3134]: FAILED su for myusername by localuser
Googling for the error didn't bring up any leads that I could use.
How can I debug the problem? Or better, get it to work again?
3 Answers
Have a look into /var/log/sssd/gpo_child.log (eventually raise the log level beforehand). After the upgrade to 16.04 mine contained errors about not being able to create /var/lib/sss/gpo_cache/example.com
mkdir -p /var/lib/sss/gpo_cache/example.com
chown -R sssd:sssd /var/lib/sss/gpo_cache
resolved those and I could su and log in using an AD user again.
Make sure your /etc/sssd/sssd.conf has
use_fully_qualified_domain_name = False
Also do the following
realm deny --all
realm permit --groups <>
Then restart sssd and realm.
With the excellent pointer from Hmpf I checked the logs at /var/log/sssd/ and realized in gpo_child.log that my machine was not able to fetch the GPOs, which are needed to determine who is authorized to log in locally and/or remotely.
My local firewall did not allow outgoing traffic to port 445/tcp (SMB). After my machine was able to fetch the GPOs again, the login errors were gone.
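Added diagnostic script (not from the question or any of the answers above) that turns the three findings in this thread into checks: it classifies an auth.log as "Kerberos authentication succeeded, SSSD account stage failed with System error" (which points at the sssd logs rather than at passwords), reads the effective use_fully_qualified_domain_name value from an sssd.conf, and verifies that the per-domain gpo_cache directory exists and is owned by sssd. The paths /etc/sssd/sssd.conf, /var/lib/sss/gpo_cache and /var/log/auth.log, the domain example.com and the sample log lines are assumptions for the example; run it as sh diag.sh example.com on a real box, or source it and call the functions individually.

```shell
#!/bin/sh
# Added diagnostic helper for the failure pattern in this thread: pam_krb5 authenticates
# the user, then pam_sss's account stage returns "System error" because SSSD could not
# fetch or cache the AD GPOs. Not code from the question or the answers; the paths,
# domain name and sample log lines are assumptions / constructed for the example.

# Classify an auth.log: did authentication succeed while the SSSD account stage
# failed with "System error"? Returns 0 when that pattern is present, 1 otherwise.
diagnose_auth_log() {
    log="$1"
    if grep -q 'pam_krb5(.*:auth): user .* authenticated' "$log" &&
       grep -q 'pam_sss(.*:account): Access denied for user .*: 4 (System error)' "$log"; then
        echo "authentication OK, SSSD account stage failed with System error:"
        echo "  look in /var/log/sssd/ (gpo_child.log first): GPO fetch (445/tcp to the DC)"
        echo "  or GPO cache directory problems, not a password/Kerberos problem"
        return 0
    fi
    echo "no pam_sss account-stage System error in $log"
    return 1
}

# Effective value of KEY in an sssd.conf-style file (last uncommented
# "key = value" wins; whitespace around '=' is ignored). Empty if unset.
sssd_conf_value() {
    awk -v key="$2" -F= '
        /^[ \t]*[#;]/ { next }
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); val = v }
        END { print val }
    ' "$1"
}

# Does the per-domain GPO cache directory exist and belong to the expected user?
# Returns 0 when OK, 1 when missing, 2 when owned by someone else.
check_gpo_cache() {
    base="$1"; domain="$2"; want="$3"; dir="$base/$domain"
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir  (fix: mkdir -p $dir && chown -R $want:$want $base)"
        return 1
    fi
    owner=$(ls -ld "$dir" | awk '{ print $3 }')
    if [ "$owner" != "$want" ]; then
        echo "WRONG OWNER: $dir belongs to $owner, expected $want  (fix: chown -R $want:$want $base)"
        return 2
    fi
    echo "OK: $dir exists and is owned by $want"
}

# Run all three checks against a live system.
# Usage: sh diag.sh example.com [/var/log/auth.log]
run_checks() {
    domain="$1"; log="${2:-/var/log/auth.log}"
    diagnose_auth_log "$log"
    echo "use_fully_qualified_domain_name = $(sssd_conf_value /etc/sssd/sssd.conf use_fully_qualified_domain_name)"
    check_gpo_cache /var/lib/sss/gpo_cache "$domain" sssd
}

# Only run against the real paths when a domain is given on the command line.
if [ $# -ge 1 ]; then
    run_checks "$@"
fi
```

The SMB reachability test from the last answer is deliberately left to the usual tools (for example a TCP connect to the domain controller on 445) because a portable POSIX sh cannot open sockets; the script only reminds you of it when it sees the account-stage pattern.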