On Wed, Feb 11, 2015 at 03:37:13PM +0100, Lukas Slebodnik wrote:
On (11/02/15 13:39), Mullan, Allan wrote:
The logs show the following:
(Wed Feb 11 13:36:33 2015) [sssd[be[UK.CorpLAN.net]]] [simple_resolve_group_done] (0x0040): Refresh failed
(Wed Feb 11 13:36:33 2015) [sssd[be[UK.CorpLAN.net]]] [simple_check_get_groups_next] (0x0040): Could not resolve name of group with GID 1749812073
(Wed Feb 11 13:36:33 2015) [sssd[be[UK.CorpLAN.net]]] [simple_access_check_done] (0x0040): Could not collect groups of user testuseramm
The secure log is displaying the following:
Feb 11 13:38:40 uksn-test01 sshd[25114]: pam_sss(sshd:account): Access denied for user testuseramm: 4 (System error)
^^^^^^^^^^^^^^^ It means an unexpected error in sssd. It should not happen => it's a bug.
The error code might be a result of the problem with resolving groups in the log file.
We would need to see your sanitized configuration file and a log file with a higher debug level.
BTW: you did not mention the version of sssd.
This is a known bug in the simple access provider: https://fedorahosted.org/sssd/ticket/2519
The fix for #2519 is a workaround around the issue which gets rid of the problem, but doesn't fix the root cause.
It would be nice to see what SID the group with GID 1749812073 maps to and to see exactly what search SSSD performs.
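As an added example (not part of the original thread and not SSSD code), the sketch below pulls the unresolved GIDs out of the backend log lines quoted above and inverts SSSD's algorithmic ID mapping to get the slice and RID for each. It assumes the domain uses ID mapping with the default `ldap_idmap_range_min`, `ldap_idmap_range_max` and `ldap_idmap_range_size` values from sssd-ldap(5) and that the slice starts at RID 0; the function names are hypothetical.

```python
import re

# Defaults from sssd-ldap(5). Assumption: sssd.conf does not override them.
RANGE_MIN = 200000       # ldap_idmap_range_min
RANGE_MAX = 2000200000   # ldap_idmap_range_max
RANGE_SIZE = 200000      # ldap_idmap_range_size

GID_RE = re.compile(r"\[simple_check_get_groups_next\].*?"
                    r"Could not resolve name of group with GID (\d+)")

# The three backend log lines quoted in the thread above.
SAMPLE_LOG = """\
(Wed Feb 11 13:36:33 2015) [sssd[be[UK.CorpLAN.net]]] [simple_resolve_group_done] (0x0040): Refresh failed
(Wed Feb 11 13:36:33 2015) [sssd[be[UK.CorpLAN.net]]] [simple_check_get_groups_next] (0x0040): Could not resolve name of group with GID 1749812073
(Wed Feb 11 13:36:33 2015) [sssd[be[UK.CorpLAN.net]]] [simple_access_check_done] (0x0040): Could not collect groups of user testuseramm
"""

def unresolved_gids(log_text):
    """Return the distinct GIDs the simple access provider failed to resolve."""
    seen = []
    for match in GID_RE.finditer(log_text):
        gid = int(match.group(1))
        if gid not in seen:
            seen.append(gid)
    return seen

def gid_to_slice_rid(gid):
    """Invert id = RANGE_MIN + slice * RANGE_SIZE + RID; None if not a mapped ID."""
    if not RANGE_MIN <= gid < RANGE_MAX:
        return None  # outside the ID-mapping range, e.g. a POSIX attribute or local GID
    return divmod(gid - RANGE_MIN, RANGE_SIZE)

def report(log_text):
    """Map each unresolved GID to its (slice, RID) pair, or None."""
    return {gid: gid_to_slice_rid(gid) for gid in unresolved_gids(log_text)}

if __name__ == "__main__":
    for gid, mapped in report(SAMPLE_LOG).items():
        if mapped is None:
            print(f"GID {gid}: outside the default ID-mapping range")
        else:
            print(f"GID {gid}: slice {mapped[0]}, RID {mapped[1]} "
                  f"-> SID <domain SID for that slice>-{mapped[1]}")
```

The domain SID cannot be recovered from the GID, because the slice is chosen by hashing the domain SID; take it from the directory and append the RID to get the group SID to look up.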