> On 23 Aug 2018, at 17:36, Kat via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi all -
>
> So this is something I found and wanted to post it to the team - this is for RHEL and/or CentOS 7.3 thru 5 so far. It has to do with selinux_provider and having to explicitly disable it in sssd or things will randomly fail.
>
> On heavily loaded clients (and a fair load on IPA cluster) you find that even if a client has selinux disabled (sometimes because of application requirements) that ssh access is still randomly denied because of selinux failures. You need to explicitly add selinux_provider=none to sssd.conf to avoid seeing these:
>
>     sshd[58319]: fatal: Access denied for user xxxxxxxx by PAM account configuration [preauth]
>     sshd[58319]: pam_sss(sshd:account): Access denied for user xxxxxxxx: 4 (System error)
>
> If you look in detail you find that the authentication actually works but when it is sent back to the client, there are random failures for the same username from time to time. It all seems to be load related, as I have been unable to find a root cause. An example is that I have a looping ssh job to just login, create a folder and exit - all via ssh keys. If you run that for a few hours with a few seconds interval, you find that out of 1000+ successes, you might see 20-30 random "Access Denied".
>
> This was confusing at first because sshd only returns that the authentication failed without any details (return code is 255) but looking in detailed logs finds the random errors as shown above. This all connects back with the errors I reported last week regarding the same thing and that I felt it was related to DNS and other settings - it was not.
>
> Hope this helps someone else..
Do you happen to have the selinux_child.log for those failures? There was a bug where, if selinux called any of the NSS functions (e.g. getpwnam()), the user lookup might have failed because we normally prevent parts of SSSD from calling back to sss_nss to avoid loops. This is a legit case, but we forgot to permit the loops.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/4A3OOXQ26CKU2YE6M5DIVUOM6XIHAUDS/
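The thread above describes an intermittent `pam_sss(sshd:account): Access denied ... 4 (System error)` that only shows up in detailed logs, and a workaround of setting `selinux_provider = none` in `sssd.conf`. As an added example (not code from the thread, SSSD or FreeIPA), the script below does the two checks an operator would want while triaging this: it scans sshd log lines and separates PAM_SYSTEM_ERR denials (code 4, the value quoted in the thread) from ordinary access-control denials so the failure rate per user can be measured, and it verifies that every `[domain/...]` section of an `sssd.conf` carries the workaround. The log lines, host names, user names and configuration fragments are constructed samples.

```python
"""Added example (not part of the mailing-list thread): measure how often sshd
reports the pam_sss "4 (System error)" denial described above, and check an
sssd.conf for the selinux_provider = none workaround. All sample data below is
constructed for illustration."""
import configparser
import re
from collections import Counter

# Constructed journal excerpt modelled on the lines quoted in the thread.
# The "fatal: ... [preauth]" line carries no reason; the pam_sss line does.
SAMPLE_LOG = """\
Aug 23 17:01:02 host sshd[58310]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
Aug 23 17:01:09 host sshd[58319]: pam_sss(sshd:account): Access denied for user alice: 4 (System error)
Aug 23 17:01:09 host sshd[58319]: fatal: Access denied for user alice by PAM account configuration [preauth]
Aug 23 17:01:15 host sshd[58325]: Accepted publickey for alice from 10.0.0.5 port 50002 ssh2
Aug 23 17:01:22 host sshd[58331]: pam_sss(sshd:account): Access denied for user bob: 6 (Permission denied)
"""

PAM_SSS_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:account\): Access denied for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<reason>[^)]*)\)"
)
ACCEPTED_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: Accepted \w+ for (?P<user>\S+)")


def classify(log_text):
    """Return {user: Counter} of accepted logins, PAM_SYSTEM_ERR denials and
    other denials. Code 4 is PAM_SYSTEM_ERR (the value quoted in the thread);
    other codes, e.g. 6 = PAM_PERM_DENIED, are a real access decision and are
    kept apart so they are not mistaken for the intermittent failure."""
    stats = {}
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            stats.setdefault(m["user"], Counter())["accepted"] += 1
            continue
        m = PAM_SSS_RE.search(line)
        if m:
            key = "system_error" if m["code"] == "4" else "other_denied"
            stats.setdefault(m["user"], Counter())[key] += 1
    return stats


def system_error_rate(stats, user):
    """Fraction of a user's account-phase outcomes that were PAM_SYSTEM_ERR."""
    c = stats.get(user, Counter())
    attempts = c["accepted"] + c["system_error"] + c["other_denied"]
    return c["system_error"] / attempts if attempts else 0.0


# Constructed sssd.conf fragments: the default, and the same with the workaround.
SSSD_CONF_DEFAULT = """\
[sssd]
domains = example.test
services = nss, pam, ssh

[domain/example.test]
id_provider = ipa
ipa_domain = example.test
"""
SSSD_CONF_FIXED = SSSD_CONF_DEFAULT + "selinux_provider = none\n"


def selinux_provider_disabled(conf_text):
    """True only if every [domain/...] section sets selinux_provider = none."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    return bool(domains) and all(
        cp.get(s, "selinux_provider", fallback="").strip() == "none" for s in domains
    )


if __name__ == "__main__":
    st = classify(SAMPLE_LOG)
    for user in st:
        print(user, dict(st[user]), f"system-error rate {system_error_rate(st, user):.0%}")
    print("workaround present (default conf):", selinux_provider_disabled(SSSD_CONF_DEFAULT))
    print("workaround present (fixed conf):  ", selinux_provider_disabled(SSSD_CONF_FIXED))
```

On a real host, feed `classify()` the output of `journalctl -u sshd` or the contents of `/var/log/secure`, and point `selinux_provider_disabled()` at `/etc/sssd/sssd.conf`. A non-zero system-error rate for users whose logins otherwise succeed, on a client where the workaround is absent, is the pattern the thread describes; a raised `other_denied` count is a genuine policy decision and should be investigated separately.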