Bug 1145743 - Access denied for user xxxx: 4 (System error)
Summary: Access denied for user xxxx@domain.com: 4 (System error)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jakub Hrozek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1144561
Reported: 2014-09-23 15:45 UTC by Stef Walter
Modified: 2014-10-03 03:58 UTC

Fixed In Version: sssd-1.12.1-2.fc21
Clone Of:
Environment:
Last Closed: 2014-10-03 03:58:21 UTC
Type: Bug
Embargoed:



Description Stef Walter 2014-09-23 15:45:13 UTC
Description of problem:

sssd denies access to users trying to log into the machine, due to "System Error"

Version-Release number of selected component (if applicable):

sssd-1.12.0-7.fc21.x86_64

How reproducible:

Every time

Steps to Reproduce:
1. realm join my-domain.com
2. ssh with known good user from another machine
3. look at journal

Actual results:

Sep 23 17:42:35 jalisco.borg.lan sshd[1264]: fatal: Access denied for user fry by PAM account configuration [preauth]

Expected results:

Logged in

Additional info:

[stef@jalisco ~]$ sudo cat /etc/sssd/sssd.conf

[sssd]
domains = borg.lan
config_file_version = 2
services = nss, pam

[domain/borg.lan]
ad_domain = borg.lan
krb5_realm = BORG.LAN
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

Comment 1 Stef Walter 2014-09-23 15:47:19 UTC
Work around is to use access_provider = simple

Comment 2 Stef Walter 2014-09-23 15:48:55 UTC
No additional logs are available in /var/log/sssd :(

[root@jalisco sssd]# ls -l /var/log/sssd
total 0
-rw-------. 1 root root 0 Sep 23 17:41 gpo_child.log
-rw-------. 1 root root 0 Sep 23 17:38 krb5_child.log
-rw-------. 1 root root 0 Sep 23 17:38 ldap_child.log
-rw-------. 1 root root 0 Sep 23 17:38 sssd_borg.lan.log
-rw-------. 1 root root 0 Sep 23 17:38 sssd.log
-rw-------. 1 root root 0 Sep 23 17:38 sssd_nss.log
-rw-------. 1 root root 0 Sep 23 17:38 sssd_pam.log

It seems sssd should log more about a 'System Error' somewhere by default.

Comment 3 Jakub Hrozek 2014-09-23 15:59:22 UTC
Can you raise debug_level=10 in the domain section and generate the logs again? Chances are the logs we need are sssd_borg.lan.log and krb5_child.log.

Comment 4 Jakub Hrozek 2014-09-23 16:01:19 UTC
Another workaround might be:
ad_gpo_access_control = disabled

The GPO code is the only part in sssd that changed recently related to access control.

Comment 5 Stephen Gallagher 2014-09-23 18:24:23 UTC
Stef, do you have any access-control GPOs set up on Windows, or is it relying entirely on the built-in domain defaults?

Comment 6 Stef Walter 2014-09-23 19:10:14 UTC
Entirely

Comment 7 Fedora Update System 2014-09-23 19:10:25 UTC
sssd-1.12.1-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/FEDORA-2014-10547/sssd-1.12.1-2.fc21

Comment 8 Stef Walter 2014-09-23 19:11:09 UTC
Entirely fixed with sssd-1.12.1

Comment 9 Fedora Update System 2014-10-03 03:58:21 UTC
sssd-1.12.1-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
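
For hosts where the workarounds from comments 1, 3 and 4 were applied, this added example (not part of the bug report and not sssd code) checks an sssd.conf for those settings still being in place after the update to the fixed package. The sample configuration is constructed; simple_allow_users and simple_allow_groups are sssd-simple options that do not appear in this report, and with access_provider = simple and all of its lists empty, sssd grants access to every user.

```python
import configparser

# Constructed sample: the reporter's domain section with the workarounds
# from comments 1, 3 and 4 applied and no simple_allow_* list configured.
SAMPLE = """
[sssd]
domains = borg.lan
config_file_version = 2
services = nss, pam

[domain/borg.lan]
id_provider = ad
fallback_homedir = /home/%d/%u
access_provider = simple
ad_gpo_access_control = disabled
debug_level = 10
"""

ALLOW_KEYS = ("simple_allow_users", "simple_allow_groups")

def audit(text):
    """Return (section, finding) pairs for leftover workaround settings."""
    # interpolation=None: sssd values such as /home/%d/%u are literal text.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue  # access control is configured per domain section
        sec = cp[name]
        provider = sec.get("access_provider", "").strip().lower()
        has_allow = any(sec.get(k, "").strip() for k in ALLOW_KEYS)
        if provider == "simple" and not has_allow:
            findings.append((name, "access_provider=simple with no allow list"))
        if sec.get("ad_gpo_access_control", "").strip().lower() == "disabled":
            findings.append((name, "ad_gpo_access_control=disabled"))
        if "debug_level" in sec:
            findings.append((name, "debug_level set explicitly"))
    return findings

if __name__ == "__main__":
    for section, finding in audit(SAMPLE):
        print(f"{section}: {finding}")
```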