On Wed, Dec 02, 2015 at 09:29:46AM -0000, Edouard Guigné wrote:
Hello sssd users,
I configured several fedora 22 x64 workstation with success with sssd against a AD domain. I followed the tutorial at https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server ("Joining the Linux client to the AD domain manually" part).
Last week, I upgrraded my workstation from fedora 22 to fedora 23 x64 (using fedup). I did not change the sssd.conf, krb5.conf and krb5.keytab from fedora 22 to 23.
In all upgraded fedora 23 workstations, users cannot loging anymore. Here is the error i get : sshd[9313]: pam_sss(sshd:account): Access denied for user xxxxx: 4 (System error) sshd[9313]: Failed password for xxxxx from x.x.x.x port 49459 ssh2 audit[9313]: USER_ACCT pid=9313 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=? acct="xxxxx" exe="/usr/sbin/sshd" hostname=x.x.x.x addr=x.x.x.x terminal=ssh res=failed' sshd[9313]: fatal: Access denied for user xxxxx by PAM account configuration [preauth] ...
Although, users can still loging in fedora 22 workstations.
System Error means something like "an unhandled exception" in the sssd code. The best way would be to take a look into the SSSD logs, in particular the domain logs and krb5_child.log.
Here is a document that describes how to obtain the logs: https://fedorahosted.org/sssd/wiki/Troubleshooting
Feel free to send them privately if you are concerned about sensitive data.