I recently updated a Fedora 22 workstation and SSSD logins began to fail.
Logs look good until sss_send_pac fails. Oddly the principal user is getting the domain added twice. For example:
jgiotta@

I'm not sure what debugging steps to take at this point. Joining the realm and performing ldapsearch commands are all successful.
Authentication is provided by an Active Directory system on a larger Windows-based network.
When I step up logging output in sssd.conf to level 10 I can review the krb5_child.log. I find the following failure in the log:
(Thu Dec 3 09:22:36 2015) [[sssd[krb5_child[2158]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2]
(Thu Dec 3 09:22:36 2015) [[sssd[krb5_child[2158]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [jgiotta@] might not be correct.
When this occurs I believe login fails, but terminal only says "System error" at login. At this moment, I'm essentially locked out of my profile and can only access via root.
Answer (score: 31)
Years late, but for the Internet searchers:
In CentOS 7 as of now (and probably for a while now, really), there is an option in sssd.conf:
use_fully_qualified_names (bool)
    Use the full name and domain (as formatted by the domain's full_name_format) as the user's login name reported to NSS.

I was struggling with the duplicated domain name in my Kerberos request for xrdp and, after a lot of effort, learned that explicitly setting this to false, even though that's the default, made a difference.
sssd.conf
[domain/magic.local]
use_fully_qualified_names = false
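The two checks a practitioner would want to script before and after applying the fix above, written as an added example that is not code from the question or the answer: one pass over krb5_child.log that flags sss_send_pac failures whose principal carries the realm more than once, and one pass over sssd.conf that reports every [domain/...] section where use_fully_qualified_names is not explicitly set to false. The log lines, the MAGIC.LOCAL realm and the principal format user@REALM@REALM are constructed sample data; the page's own log shows the realm stripped, so the doubled-realm form is an assumption based on the question's description.

```python
import configparser
import re
from typing import Dict, List, Optional

# Constructed sample of krb5_child.log output at debug_level = 10.
# The doubled realm in the principal is an assumption based on the question;
# the realm MAGIC.LOCAL is taken from the answer's example config.
SAMPLE_LOG = """\
(Thu Dec 3 09:22:36 2015) [[sssd[krb5_child[2158]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [MAGIC.LOCAL]
(Thu Dec 3 09:22:36 2015) [[sssd[krb5_child[2158]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2]
(Thu Dec 3 09:22:36 2015) [[sssd[krb5_child[2158]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [jgiotta@MAGIC.LOCAL@MAGIC.LOCAL] might not be correct.
(Thu Dec 3 09:25:10 2015) [[sssd[krb5_child[2201]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [alice@MAGIC.LOCAL] might not be correct.
"""

# Constructed sssd.conf fragments: the "before" state without the option,
# and the "after" state with the answer's explicit setting added.
SAMPLE_CONF_BEFORE = """\
[sssd]
domains = magic.local
services = nss, pam

[domain/magic.local]
id_provider = ad
access_provider = ad
"""

SAMPLE_CONF_AFTER = SAMPLE_CONF_BEFORE + "use_fully_qualified_names = false\n"

PRINCIPAL_RE = re.compile(r"principal \[([^\]]+)\]")


def find_doubled_realm_principals(log_text: str) -> List[str]:
    """Return principals from 'sss_send_pac failed' lines that contain
    more than one '@', i.e. the realm was appended twice."""
    bad = []
    for line in log_text.splitlines():
        if "sss_send_pac failed" not in line:
            continue
        match = PRINCIPAL_RE.search(line)
        if match is None:
            continue
        principal = match.group(1)
        if principal.count("@") > 1:
            bad.append(principal)
    return bad


def fqn_settings(conf_text: str) -> Dict[str, Optional[bool]]:
    """Map each domain name in sssd.conf to its use_fully_qualified_names
    value: True/False when set, None when the option is absent."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    result: Dict[str, Optional[bool]] = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        if parser.has_option(section, "use_fully_qualified_names"):
            result[domain] = parser.getboolean(section, "use_fully_qualified_names")
        else:
            result[domain] = None
    return result


def domains_without_explicit_false(conf_text: str) -> List[str]:
    """Domains that still need the answer's fix: the option is missing
    (defaulting) or set to true rather than explicitly false."""
    return [d for d, v in fqn_settings(conf_text).items() if v is not False]


if __name__ == "__main__":
    print("doubled-realm principals:", find_doubled_realm_principals(SAMPLE_LOG))
    print("before fix:", domains_without_explicit_false(SAMPLE_CONF_BEFORE))
    print("after fix:", domains_without_explicit_false(SAMPLE_CONF_AFTER))
```

On a real host, read /var/log/sssd/krb5_child.log and /etc/sssd/sssd.conf (root only; the config is mode 0600) into the two functions instead of the constructed strings. The log check reports only principals with a doubled realm, so a plain realm in a failing line, like the alice entry in the sample, is left for other diagnosis.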