Learn more about these different git repos.
Other Git URLs
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1373427
Description of problem: Sometime login via ssh as remote (IPA) user fails with the following error. The issue appears after machine reboot. [sssd[krb5_child[11125]]][11125]: Error constructing AP-REQ armor: Ticket not yet valid [sssd[krb5_child[11125]]][11125]: Error constructing AP-REQ armor: Ticket not yet valid sshd[11123]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=amy@ipa.baseos.qe sshd[11123]: pam_sss(sshd:auth): received for user amy@ipa.baseos.qe: 4 (System error) sshd[11121]: error: PAM: Authentication failure for amy@ipa.baseos.qe from localhost sshd[11126]: pam_sepermit(sshd:auth): Parsing config file: /etc/security/sepermit.conf sshd[11126]: pam_sepermit(sshd:auth): Enforcing mode, access will be allowed on match sshd[11126]: pam_sepermit(sshd:auth): sepermit_match returned: -1 sshd[11121]: Connection closed by 127.0.0.1 [preauth] The issue does not appear all the time and all test machines. I'm not sure if it is sssd or other component. Please help to investigate. Version-Release number of selected component (if applicable): sssd-1.14.0-35.el7.x86_64 pam-1.1.8-18.el7.x86_64 package krb5 is not installed realmd-0.16.1-8.el7.x86_64 How reproducible: ~50% chance on test machines Steps to Reproduce: 1. join to IPA via realmd 2. ssh works 3. reboot 4. ssh does not work Actual results: Expected results: Additional info:
We already convert some error codes like KRB5_KDCREP_SKEW to ERR_NETWORK_IO, I think we should do the same with KRB5KRB_AP_ERR_TKT_EXPIRED and KRB5KRB_AP_ERR_TKT_NYV.
blockedby: => blocking: => changelog: => coverity: => design: => design_review: => 0 feature_milestone: => fedora_test_page: => mark: no => 0 review: True => 0 selected: => testsupdated: => 0
Fields changed
owner: somebody => jhrozek patch: 0 => 1 status: new => assigned
milestone: NEEDS_TRIAGE => SSSD 1.14.2
master:
resolution: => fixed status: assigned => closed
Metadata Update from @jhrozek: - Issue assigned to jhrozek - Issue set to the milestone: SSSD 1.14.2
And related ticket for regression introduced by this patch https://pagure.io/SSSD/sssd/issue/3406
Metadata Update from @lslebodn: - Custom field design_review reset (from 0) - Custom field mark reset (from 0) - Custom field patch adjusted to on (was: 1) - Custom field review reset (from 0) - Custom field sensitive reset (from 0) - Custom field testsupdated reset (from 0)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4207
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.