From 9fc16a8506e95165ee84a174ca931990b7ee49c5 Mon Sep 17 00:00:00 2001
From: Konrad Bucheli <konrad.bucheli@psi.ch>
Date: Thu, 23 Feb 2023 17:03:30 +0100
Subject: [PATCH] document AD join failure

---
 admin-guide/troubleshooting/login.md  | 32 +++++++++++++++++++++++++++
 admin-guide/troubleshooting/login.rst | 28 -----------------------
 2 files changed, 32 insertions(+), 28 deletions(-)
 create mode 100644 admin-guide/troubleshooting/login.md
 delete mode 100644 admin-guide/troubleshooting/login.rst

diff --git a/admin-guide/troubleshooting/login.md b/admin-guide/troubleshooting/login.md
new file mode 100644
index 00000000..41fb8c25
--- /dev/null
+++ b/admin-guide/troubleshooting/login.md
@@ -0,0 +1,32 @@
+#  Login and Remote Access
+
+When a user cannot log in on a system, it is usually caused by one of these:
+
+1. The password is wrong.
+2. Access hasn't been granted through Hiera (`aaa::admins` and `aaa::users`)
+   or `/etc/security/ssh.allow.*`. The latter also has to be enabled in Hiera.
+3. Log in as root is attempted from a system that is not a bastion host (eg
+   `wmgt0*.psi.ch` or `*-gw.psi.ch`).
+4. In the case of Gnome logins, the problem might be caused by the home
+   directory being inaccessible (eg because AFS doesn't work properly).
+5. [`sssd(8)`](https://linux.die.net/man/8/sssd) may have problems.
+
+Regarding #3 note that on some systems the configured bastion host is
+`wmgt*.psi.ch` even though it is not actually possible to log in from there,
+because the PSI firewall only allows connections from a certain gateway, eg
+`foobar-gw.psi.ch`.
+
+## Known Errors
+
+### pam_sss System Error
+```
+pam_sss(sshd:account): Access denied for user xxxxxx_y: 4 (System error)
+```
+Here the AD join might be broken. The machine can be rejoined by deleting/moving away `/etc/krb5.keytab` and then running Puppet (`puppet agent -t`).
+
+## Notes
+
+For normal users there will be a [`pam_access(8)`](https://linux.die.net/man/8/pam_access) error even for
+successful logins. The reason is that we use pam_access twice. First for admins
+and then - depending on the system's configuration - for normal users. Obviously
+the first one will fail unless the user in question is recognized as an admin.
diff --git a/admin-guide/troubleshooting/login.rst b/admin-guide/troubleshooting/login.rst
deleted file mode 100644
index 3b369661..00000000
--- a/admin-guide/troubleshooting/login.rst
+++ /dev/null
@@ -1,28 +0,0 @@
-=========================
- Login and Remote Access
-=========================
-
-When a user cannot log in on a system, it is usually caused by one of these:
-
-1. The password is wrong.
-2. Access hasn't been granted through Hiera (``aaa::admins`` and ``aaa::users``)
-   or ``/etc/security/ssh.allow.*``. The latter also has to be enabled in Hiera.
-3. Log in as root is attempted from a system that is not a bastion host (eg
-   ``wmgt0*.psi.ch`` or ``*-gw.psi.ch``).
-4. In the case of Gnome logins, the problem might be caused by the home
-   directory being inaccessible (eg because AFS doesn't work properly).
-5. :manpage:`sssd(8)` may have problems.
-
-Regarding #3 note that on some systems the configured bastion host is
-``wmgt*.psi.ch`` even though it is not actually possible to log in from there,
-because the PSI firewall only allows connections from a certain gateway, eg
-``foobar-gw.psi.ch``.
-
-
-Notes
-=====
-
-For normal users there will be a :manpage:`pam_access(8)` error even for
-successful logins. The reason is that we use pam_access twice. First for admins
-and then - depending on the system's configuration - for normal users. Obviously
-the first one will fail unless the user in question is recognized as an admin.