On 08/20/2010 10:02 AM, Marcus Moeller wrote:
> Hi Stephen.
>
>>>>>> While trying to use sudo with sssd I got an error like:
>>>>>>
>>>>>> Aug 9 16:20:41 HOST sudo: pam_sss(sudo:auth): received for user USER:
>>>>>> 9 (Authentication service cannot retrieve authentication info)
>>>>>>
>>>>>
>>>>> During authentication, the sssd Kerberos backend returns
>>>>> PAM_AUTHINFO_UNAVAIL (which is the error code 9 you are seeing) when the
>>>>> KDC is unreachable and cached credentials not available.
>>>>>
>>>>> Would you mind checking the sssd logs if there is something interesting
>>>>> either from the backend process or the krb5_child one? If sssd is
>>>>> running as daemon, that would be in /var/log/sss/sssd_$DOMAIN.log or
>>>>> /var/log/sss/krb5_child.log.
>>>>
>>>> This is the only output I got during sudo:
>>>>
>>>> (Wed Aug 11 13:22:07 2010) [sssd[be[MYDOMAIN]]] [get_server_status]
>>>> (7): Status of server 'kdc.mydomain' is 'working'
>>>> (Wed Aug 11 13:22:07 2010) [sssd[be[MYDOMAIN]]] [get_port_status] (7):
>>>> Port status of port 88 for server 'kdc.mydomain' is 'working'
>>>> (Wed Aug 11 13:22:07 2010) [sssd[be[MYDOMAIN]]] [resolve_srv_send]
>>>> (6): The status of SRV lookup is resolved
>>>> (Wed Aug 11 13:22:07 2010) [sssd[be[MYDOMAIN]]] [get_server_status]
>>>> (7): Status of server 'kdc.mydomain' is 'working'
>>>> (Wed Aug 11 13:22:07 2010) [sssd[be[MYDOMAIN]]]
>>>> [be_resolve_server_done] (4): Found address for server kdc.mydomain:
>>>> [192.168.1.201]
>>>> (Wed Aug 11 13:22:07 2010) [sssd[be[MYDOMAIN]]]
>>>> [be_pam_handler_callback] (4): Backend returned: (1, 9, <NULL>)
>>>> [Provider is Offline (Bad file descriptor)]
>>>
>>> The problem was not related to sssd. Sorry for the noise.
>>>
>>
>> Just to make sure: was this reply related to the sudo thread, or was
>> this meant to be a reply to the machine startup thread?
>>
>> I only ask because this thread is 9 days silent, but we've been talking
>> on the other thread this morning.
>
> Sorry, this one was related to the other thread.
>
> On the sudo problem I got a little update: groups with no () can be
> used successfully. But trying to use a group name like:
>
> %mygroup\ \(ISG\)
>
> does not really work.
>

Hmm, very interesting. If you do a 'getent group "mygroup (ISG)"' at the
command line, do you get it back?

I wonder if we have a bug in our communication protocol with the SSSD.

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
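The lookup suggested in the reply above, as an added example that is not part of the original message or of the sssd or sudo code: it decodes the sudoers group token from the thread and resolves it with the same NSS call that `getent group` makes, so a failure can be placed either in the sudoers quoting or in the group lookup. The function names are hypothetical, the user name is a placeholder, and the unescaping only approximates sudoers quoting (an assumption).

```python
#!/usr/bin/env python3
"""Check whether a sudoers %group token resolves through NSS (and so through SSSD)."""
import grp
import pwd
import sys


def sudoers_group_name(token):
    r"""Turn a sudoers group token such as %mygroup\ \(ISG\) into the plain name.

    Assumption: only the leading '%', surrounding double quotes and backslash
    escapes are handled; this approximates sudoers quoting, it is not sudo's parser.
    """
    if not token.startswith("%"):
        raise ValueError("not a sudoers group token: %r" % token)
    body = token[1:]
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        return body[1:-1]
    out, i = [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            i += 1  # drop the backslash, keep the escaped character
        out.append(body[i])
        i += 1
    return "".join(out)


def check_group(token, user):
    """Return (name, gid or None, is_member) using the NSS calls getent relies on."""
    name = sudoers_group_name(token)
    try:
        entry = grp.getgrnam(name)  # getgrnam(3): the lookup behind 'getent group NAME'
    except KeyError:
        return name, None, False
    try:
        primary_gid = pwd.getpwnam(user).pw_gid
    except KeyError:
        primary_gid = None
    return name, entry.gr_gid, user in entry.gr_mem or primary_gid == entry.gr_gid


if __name__ == "__main__":
    # Constructed defaults: the group token from the thread and a placeholder user.
    token = sys.argv[1] if len(sys.argv) > 1 else r"%mygroup\ \(ISG\)"
    user = sys.argv[2] if len(sys.argv) > 2 else "USER"
    name, gid, member = check_group(token, user)
    print("group name looked up: %r" % name)
    print("NSS result: %s" % ("gid %d" % gid if gid is not None else "not found"))
    print("%s is a member: %s" % (user, member))
```

If the name resolves here but sudo still rejects the rule, the lookup path through NSS is working and the remaining suspects are how sudo parses the escaped token or how it asks for group membership.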