On Sun, Jan 27, 2013 at 02:23:03PM -0800, C. S. wrote:
Hi folks,
Any help here would be appreciated; I don't seem to see what the issue is. I can log in using kinit just fine,
Right, kinit bypasses the PAM stacks and talks directly to libkrb5 and the KDC.
but sssd fails when using ssh. It seems like it has something to do with the files in /var/lib/sss/pubconf going missing, which causes sssd-krb5 to fail with "Cannot find KDC for requested realm".
Yes, I think so too, but what puzzles me is that resolving went OK, and then the kdcinfo files were written. Unfortunately there is no debug output unless there is an error, so we can't see the realm etc. The "No such file or directory" errors indicate that the krb5info files are indeed missing.
Are there perhaps any AVC denials when the SSSD is attempting to write the kdcinfo files?
Are you sure there is no typo in the realm name? Can you also kinit on the client machine? In other words, if you were testing with ssh testuser@testhost, can you kinit on testhost? What also seems strange to me is that if krb5.conf was configured correctly on the client machine, then I would expect the krb5 child process to use the KDC info from the krb5.conf file. By the time we reach the child process, it's mostly standard krb5 library calls.
This is CentOS 6, sssd-1.8.0-32.el6.x86_64.
e.g. kinit login works:

[testuser@test01 ~]$ kinit
Password for testuser@MYREALM.COM:
Warning: Your password will expire in 41 days on Sun Mar 10 19:01:44 2013
[testuser@test01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: testuser@MYREALM.COM

Valid starting     Expires            Service principal
01/27/13 22:13:00  01/28/13 08:13:00  krbtgt/MYREALM.COM@MYREALM.COM
        renew until 02/03/13 22:12:53
[testuser@test01 ~]$
But over ssh:
/var/log/secure:

Jan 27 21:57:03 test1 sshd[2882]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.74.34.39 user=testuser
Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): system info: [Cannot find KDC for requested realm]
Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.74.34.39 user=testuser
Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): received for user testuser: 4 (System error)
Jan 27 21:57:05 test1 sshd[2882]: Failed password for testuser from 10.74.34.39 port 55143 ssh2
Jan 27 21:57:11 test1 sshd[2883]: Connection closed by 10.74.34.39
sssd -i -d9 + SSSD_KRB5_LOCATOR_DEBUG=1 output:
Thank you for providing the detailed debug logs.
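The reply above asks for three things to be checked on the failing host: whether SSSD actually wrote the kdcinfo file for the realm under /var/lib/sss/pubconf, whether SELinux logged AVC denials while SSSD tried to write there, and whether the realm name is spelled (and cased) the same everywhere. The script below is an added helper that does those checks; it is not code from the thread or from SSSD. It assumes the standard file layout (kdcinfo.<REALM> in /var/lib/sss/pubconf, audit records in /var/log/audit/audit.log) and the sample audit line and krb5.conf fragment used when testing it are constructed, not taken from the reporter's logs.

```shell
#!/bin/sh
# Added diagnostic helper for the checks suggested in the reply; it is not code
# from the thread or from SSSD itself. It looks at:
#   1. whether SSSD has written kdcinfo.<REALM> into /var/lib/sss/pubconf
#      (the file the SSSD krb5 locator plugin reads to find the KDC),
#   2. whether the audit log shows AVC denials against SSSD processes, and
#   3. which realm krb5.conf names, to catch a typo or a case mismatch.
# PUBCONF_DIR and AUDIT_LOG default to the standard paths (an assumption about
# the host); override them to run the functions against test data.

PUBCONF_DIR="${PUBCONF_DIR:-/var/lib/sss/pubconf}"
AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"

# Print the KDC addresses SSSD recorded for REALM. Returns 1 if the file is
# missing or empty, which is the situation behind "Cannot find KDC for
# requested realm" when krb5.conf has no kdc entry for the realm either.
kdcinfo_check() {
    f="$PUBCONF_DIR/kdcinfo.$1"
    if [ ! -s "$f" ]; then
        echo "missing or empty: $f" >&2
        return 1
    fi
    cat "$f"
}

# Print the number of AVC denials in the audit log for SSSD processes (sssd_be
# is the back end that writes the kdcinfo files). Returns 1 if any were found.
sssd_avc_denials() {
    log="${1:-$AUDIT_LOG}"
    n=$(grep -c 'type=AVC .*denied .*comm="sssd' "$log" 2>/dev/null || true)
    n=${n:-0}
    echo "$n"
    [ "$n" -eq 0 ]
}

# Print default_realm from a krb5.conf. Kerberos realm names are case-sensitive,
# so myrealm.com in a config and MYREALM.COM on the KDC are different realms.
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "${1:-/etc/krb5.conf}" 2>/dev/null | head -n 1
}

# Run the checks for REALM (default: default_realm from /etc/krb5.conf).
# Exit status is 0 only if the kdcinfo file exists and no denials were logged.
run_checks() {
    realm="${1:-$(krb5_default_realm)}"
    rc=0
    echo "== kdcinfo for realm '$realm' in $PUBCONF_DIR"
    kdcinfo_check "$realm" || rc=1
    echo "== AVC denials against SSSD in $AUDIT_LOG"
    sssd_avc_denials "$AUDIT_LOG" || rc=1
    return $rc
}

# Stand-alone use: sh sssd_kdc_check.sh MYREALM.COM
if [ "$#" -gt 0 ]; then
    run_checks "$@"
fi
```

Run it as root on the host that fails (sshd's target, not the machine you ssh from), with the realm exactly as it appears in the "Cannot find KDC" context; a missing kdcinfo file together with a non-zero denial count points at SELinux, a missing file with no denials points back at resolution or the realm name, and a present file means the problem lies elsewhere. `ausearch -m avc -c sssd_be` gives the same denial information with the audit tooling.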