On Wed, Mar 29, 2017 at 05:12:51PM +0000, Michael Leer wrote:
> I am getting a weird issue with SSSD. We are using SSSD for AD auth, we are
> using ocserv for VPN and it doesn't always appear to check SSSD. I am seeing
> it check PAM_unix, get the auth failure and then simply return the failure
> instead of trying SSSD. If I restart the service then for a few requests it will
> use PAM_sss (SSSD) and then will begin to simply use pam_unix again.
>
> When I restart the service it appears to work correctly for a moment:
>
> Mar 29 16:42:31 ip-10-0-21-4 m[10038]: pam_unix(ocserv:auth): authentication
> failure; logname= uid=0 euid=0 tty= ruser= rhost=X.X.X.X user=UserY
> Mar 29 16:42:32 ip-10-0-21-4 m[10038]: pam_sss(ocserv:auth): authentication
> success; logname= uid=0 euid=0 tty= ruser= rhost=X.X.X.X user=UserY
>
> Then it will get the following after a few minutes:
>
> Mar 29 17:03:03 ip-10-0-21-4 m[10038]: pam_unix(ocserv:auth): authentication
> failure; logname= uid=0 euid=0 tty= ruser= rhost=X.X.X.X user=UserX
> Mar 29 17:03:05 ip-10-0-21-4 m[10038]: PAM authenticate error: Authentication
> failure
> Mar 29 17:03:05 ip-10-0-21-4 m[10038]: PAM-auth pam_auth_pass: Authentication
> failure

The logs make it look as if pam_sss was never even tried, and given that an
ocserv restart helps, the issue is likely to be either in the pam_sss module
or ocserv itself, not in the sssd daemon.

What does the PAM service stack for ocserv look like?
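
A small triage script for the pattern the reply points out, added here as an example (it is not code from either poster or from the SSSD or ocserv projects): it scans syslog text for pam_unix failures of a service that are not followed by any pam_sss entry for the same user, so the moment the behaviour changes can be lined up with service restarts. The sample log is constructed from the lines quoted above; the function name, the 10-second window and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the syslog lines quoted in the thread.
SAMPLE_LOG = """\
Mar 29 16:42:31 ip-10-0-21-4 m[10038]: pam_unix(ocserv:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=X.X.X.X user=UserY
Mar 29 16:42:32 ip-10-0-21-4 m[10038]: pam_sss(ocserv:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=X.X.X.X user=UserY
Mar 29 17:03:03 ip-10-0-21-4 m[10038]: pam_unix(ocserv:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=X.X.X.X user=UserX
Mar 29 17:03:05 ip-10-0-21-4 m[10038]: PAM authenticate error: Authentication failure
Mar 29 17:03:05 ip-10-0-21-4 m[10038]: PAM-auth pam_auth_pass: Authentication failure
"""

# Matches the "<module>(<service>:auth): authentication <result>; ... user=<u>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: "
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):auth\): "
    r"authentication (?P<result>\w+);.*\buser=(?P<user>\S+)")


def unix_failures_without_sss(log_text, service="ocserv", window=10, year=2017):
    """Return (HH:MM:SS, user) for each pam_unix failure that has no pam_sss
    line for the same user within `window` seconds afterwards."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["service"] == service:
            # Syslog timestamps carry no year; `year` is supplied by the caller.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["module"], m["result"], m["user"]))

    limit = timedelta(seconds=window)
    missing = []
    for ts, module, result, user in events:
        if module != "pam_unix" or result != "failure":
            continue
        followed = any(
            mod == "pam_sss" and u == user and timedelta(0) <= t - ts <= limit
            for t, mod, _res, u in events)
        if not followed:
            missing.append((ts.strftime("%H:%M:%S"), user))
    return missing


if __name__ == "__main__":
    for when, user in unix_failures_without_sss(SAMPLE_LOG):
        print(f"{when} user={user}: pam_unix failed, no pam_sss entry followed")
```
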