Monday, September 26, 2016

pam_sss(xxx:auth): received for user jsmith: 4 (System error) SSSD CentOS 6.7/RHEL 6.7

This error is very generic; it can be caused by many different things. Luckily, every time I hit it, the same procedure fixed it.
Step 1: Determine whether the box is truly joined to the domain.
net ads leave domain.local -U jsmith.adm
If it is not joined (net cannot find a realm), the command just reports:
No realm set, are we joined ?

Step 2: Retry joining the domain.
net ads join domain.local -U jsmith.adm

I've seen the following error on the join:
libnet_join_ok: failed to get schannel session key from server dc.domain.local for domain DOMAIN. Error was NT_STATUS_NO_TRUST_SAM_ACCOUNT
Failed to join domain: failed to verify domain membership after joining: No trusted SAM account

Possible fixes:
Double-check /etc/krb5.conf for typos.
Restart the services: service smb restart; service winbind restart; service sssd restart

Another cause I found was that end users with sudo access had changed the ownership of the /tmp directory, so when a domain user logged in, krb5_child could not create the credential cache it needed under /tmp. Here's how I figured it out.

Edit /etc/sssd/sssd.conf and set debug_level = 8 in the [domain/<name>] and [pam] sections. Restart sssd and log in again, then check /var/log/sssd/krb5_child.log.

Here were my findings:
[root@box log]# tail sssd/krb5_child.log
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [unpack_buffer] (0x2000): No old ccache
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_569601190_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [check_use_fast] (0x0100): Not using FAST.
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [check_parent_stat] (0x0020): Private directory can only be created below a directory belonging to root or to [569601190].
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [create_ccache_dir] (0x0010): Check the ownership and permissions of krb5_ccachedir: [/tmp].
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [k5c_precreate_ccache] (0x0040): ccache creation failed.
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [k5c_ccache_setup] (0x0040): Cannot precreate ccache
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [privileged_krb5_setup] (0x0020): k5c_ccache_setup failed.
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [main] (0x0020): privileged_krb5_setup failed.
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [main] (0x0020): krb5_child failed!
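The check below is an added example, not code from the original post or from SSSD. It mirrors the rule that the check_parent_stat line above states: the directory that will hold the FILE: ccache must belong to root or to the user logging in, and that user must be able to traverse it. It also flags the other thing a careless chown/chmod of /tmp usually leaves behind, a world-writable directory with no sticky bit, which lets any local user delete or rename someone else's ccache. The function names, the exact bit tests and the hypothetical uid 569601190 used in the usage line are my choices; it assumes GNU coreutils stat, as on CentOS/RHEL.

```shell
#!/bin/sh
# Added example (not the original post's or SSSD's code): reproduce the
# ownership/permission rule krb5_child applies to the parent directory of
# the credential cache, so a damaged /tmp is caught before logins start
# failing with "System error". Assumes GNU coreutils stat.

# check_ccache_parent DIR UID
# Returns 0 if DIR is acceptable as the parent of UID's ccache,
# 1 otherwise, with the reason on stderr.
check_ccache_parent() {
    dir=$1
    uid=$2
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$dir")
    perm=$(stat -c '%a' "$dir")      # octal mode, e.g. 1777 or 755
    # Rule 1 (the message in krb5_child.log): the parent must belong to
    # root or to the user.
    if [ "$owner" -ne 0 ] && [ "$owner" -ne "$uid" ]; then
        echo "$dir: owned by uid $owner; ccache parent must belong to root or to uid $uid" >&2
        return 1
    fi
    # Rule 2: the user must be able to traverse the directory. Each octal
    # digit of %a is 0-7, so decimal arithmetic picks the digits out correctly.
    ux=$(( (perm / 100) % 10 ))      # owner permission bits
    ox=$(( perm % 10 ))              # others permission bits
    if [ "$owner" -eq "$uid" ]; then
        if [ $(( ux & 1 )) -eq 0 ]; then
            echo "$dir: owner search (x) bit missing" >&2
            return 1
        fi
    elif [ $(( ox & 1 )) -eq 0 ]; then
        echo "$dir: search (x) bit for others missing" >&2
        return 1
    fi
    return 0
}

# world_writable_without_sticky DIR
# Returns 0 (true) when DIR is writable by everyone but has no sticky bit,
# i.e. any local user could remove or rename another user's ccache in it.
# A healthy /tmp is root:root, mode 1777.
world_writable_without_sticky() {
    perm=$(stat -c '%a' "$1")
    ow=$(( (perm % 10) & 2 ))        # others write bit
    sticky=$(( (perm / 1000) & 1 ))  # sticky bit lives in the leading digit
    [ "$ow" -ne 0 ] && [ "$sticky" -eq 0 ]
}

# Usage (hypothetical uid from the log above): sh check_ccache_dir.sh /tmp 569601190
if [ $# -ge 1 ]; then
    dir=$1
    uid=${2:-$(id -u)}
    status=0
    check_ccache_parent "$dir" "$uid" || status=1
    if world_writable_without_sticky "$dir"; then
        echo "$dir: world-writable without sticky bit; expected root:root 1777" >&2
        status=1
    fi
    [ "$status" -eq 0 ] && echo "$dir: OK as krb5_ccachedir for uid $uid"
    exit "$status"
fi
```

Run it against the directory named in the "Check the ownership and permissions of krb5_ccachedir" line (here /tmp) with the uid from the ccname. If it complains about /tmp, the usual repair is chown root:root /tmp followed by chmod 1777 /tmp, then another login attempt with krb5_child.log open.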

Another command that helped troubleshoot this was:

KRB5_TRACE=/dev/stdout kinit admin
