On Mon, Mar 22, 2021 at 11:10 PM Konstantin Boyandin via CentOS <centos at centos.org> wrote: > I joined a CentOS 8 box to an AD, using the below document as general > guide: How general? Can you describe what you've done that differed from the guide? > When I comment a line in /etc/pam.d/password-auth (the one commented > below), error goes away: > #account [default=bad success=ok user_unknown=ignore] pam_sss.so Have you checked /var/log/audit/audit.log for AVCs during login? I suspect an SELinux error. > $ cat /etc/krb5.conf > [libdefaults] > default_ccache_name = KEYRING:persistent:%{uid} Specifically, I thought that sssd defaults to KCM storage for kerberos credentials, not the kernel keyring. You might be seeing an SELinux deny due to non-default ccache storage.