Bug 1145743

Summary: Access denied for user xxxx@domain.com: 4 (System error)
Product: [Fedora] Fedora
Component: sssd
Version: 21
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Stef Walter <stefw>
Assignee: Jakub Hrozek <jhrozek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, jhrozek, lslebodn, pbrezina, preichl, sbose, sgallagh, ssorce
Fixed In Version: sssd-1.12.1-2.fc21
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-10-03 03:58:21 UTC
Bug Blocks: 1144561

Description Stef Walter 2014-09-23 15:45:13 UTC
Description of problem:

sssd denies access to users trying to log into the machine, due to "System Error"

Version-Release number of selected component (if applicable):

sssd-1.12.0-7.fc21.x86_64

How reproducible:

Every time

Steps to Reproduce:
1. realm join my-domain.com
2. ssh with known good user from another machine
3. look at journal

Actual results:

Sep 23 17:42:35 jalisco.borg.lan sshd[1264]: fatal: Access denied for user fry by PAM account configuration [preauth]

Expected results:

Logged in

Additional info:

[stef@jalisco ~]$ sudo cat /etc/sssd/sssd.conf

[sssd]
domains = borg.lan
config_file_version = 2
services = nss, pam

[domain/borg.lan]
ad_domain = borg.lan
krb5_realm = BORG.LAN
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

Comment 1 Stef Walter 2014-09-23 15:47:19 UTC
Workaround is to use access_provider = simple

Comment 2 Stef Walter 2014-09-23 15:48:55 UTC
No additional logs are available in /var/log/sssd :(

[root@jalisco sssd]# ls -l /var/log/sssd
total 0
-rw-------. 1 root root 0 Sep 23 17:41 gpo_child.log
-rw-------. 1 root root 0 Sep 23 17:38 krb5_child.log
-rw-------. 1 root root 0 Sep 23 17:38 ldap_child.log
-rw-------. 1 root root 0 Sep 23 17:38 sssd_borg.lan.log
-rw-------. 1 root root 0 Sep 23 17:38 sssd.log
-rw-------. 1 root root 0 Sep 23 17:38 sssd_nss.log
-rw-------. 1 root root 0 Sep 23 17:38 sssd_pam.log

It seems sssd should log more about a 'System Error' somewhere by default.

Comment 3 Jakub Hrozek 2014-09-23 15:59:22 UTC
Can you raise debug_level=10 in the domain section and generate the logs again? Chances are the logs we need are sssd_borg.lan.log and krb5_child.log.

Comment 4 Jakub Hrozek 2014-09-23 16:01:19 UTC
Another workaround might be:
ad_gpo_access_control = disabled

The GPO code is the only part in sssd that changed recently related to access control.
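
Added example, not part of this bug report or of sssd itself: both workarounds mentioned in this thread relax access control, so a small audit of sssd.conf can flag domains where they are still in place once the fixed package is installed. The sample config is constructed from the reporter's file; `audit`, `SAMPLE` and the finding strings are hypothetical names.

```python
import configparser

# Constructed sample: the reporter's domain section with the workarounds
# from this thread applied, plus the debug_level requested in comment 3.
SAMPLE = """\
[sssd]
domains = borg.lan
services = nss, pam

[domain/borg.lan]
id_provider = ad
fallback_homedir = /home/%d/%u
access_provider = simple
ad_gpo_access_control = disabled
debug_level = 10
"""

SIMPLE_LISTS = ("simple_allow_users", "simple_allow_groups",
                "simple_deny_users", "simple_deny_groups")

def audit(text):
    """Return {domain: [findings]} for every [domain/...] section."""
    # interpolation=None: sssd values such as /home/%d/%u are not Python
    # format strings and make the default interpolation raise on access.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        sec, out = cp[name], []
        provider = sec.get("access_provider", "").strip().lower()
        # The simple provider with all four lists empty grants access to everyone.
        if provider == "simple" and not any(sec.get(k, "").strip() for k in SIMPLE_LISTS):
            out.append("simple provider with no allow/deny lists: every user is admitted")
        gpo = sec.get("ad_gpo_access_control", "").strip().lower()
        if provider == "ad" and gpo == "disabled":
            out.append("GPO-based access control is switched off")
        if sec.get("debug_level", "0").strip() not in ("", "0"):
            out.append("debug_level raised: reset after collecting logs")
        report[name.split("/", 1)[1]] = out
    return report

if __name__ == "__main__":
    for domain, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{domain}: {finding}")
```
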

Comment 5 Stephen Gallagher 2014-09-23 18:24:23 UTC
Stef, do you have any access-control GPOs set up on Windows, or is it relying entirely on the built-in domain defaults?

Comment 6 Stef Walter 2014-09-23 19:10:14 UTC
Entirely

Comment 7 Fedora Update System 2014-09-23 19:10:25 UTC
sssd-1.12.1-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/FEDORA-2014-10547/sssd-1.12.1-2.fc21

Comment 8 Stef Walter 2014-09-23 19:11:09 UTC
Entirely fixed with sssd-1.12.1

Comment 9 Fedora Update System 2014-10-03 03:58:21 UTC
sssd-1.12.1-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.