I’m hoping someone out there can help with this. I have a system that was installed as Rocky 8.5 and later upgraded to 8.7. SSSD is configured to use Kerberos for auth and LDAP for users/groups. This is the infrastructure we have and it’s been working. I do the configuration via an Ansible playbook.
Since the upgrade to 8.7, users cannot log in with SSH using a password, which is how most of our users access the system. I use an SSH key for passwordless login and that works fine.
The error in the log is “Failed password for dobrie2”. I can’t find anything in the logs that’s an obvious failure (or even a non-obvious one). sssctl shows “KERBEROS: not connected.” A RHEL 8.5 server that’s working displays a message that lists the Kerberos server that’s configured in sssd.conf. SSSD is enumerating users and groups correctly (the “id dobrie2” command works as expected), and I can use kinit to create a Kerberos ticket successfully.
I’ve been on a deep dive of SSSD and PAM and I can’t find a configuration difference between a working system and a non-working system. It feels like a bug or some under-the-hood change to something. I’ve done a fair bit of digging and I can’t quite find anyone else having this issue, or a bug report that seems on-target. I’ve tried reverting to the 8.5 version of SSSD, but that didn’t seem to work. Where I’m at right now is at a clean, unpatched 8.5 install that’s had my standard Ansible plays done to the point authentication works. And it works like a charm.
I have NOT yet:
- tried upgrading the system to 8.8
- tried upgrading the working 8.5 to a patched 8.5 or 8.7 to see where it breaks
- dug deeper into bug reports to see if anything turns up
Anyone have a suggestion as to where I should look? I’m going to patch my test system to 8.5-latest, then upgrade to 8.7 and 8.8 so I can confirm where it breaks. I should probably do 8.6, too, just to be thorough.
Thanks in advance.