Just upgraded our FreeIPA 2.2 server to 3.0. 2.2 is what comes with Red Hat 6.3; it was updated to 3.0 with the release of Red Hat 6.4.
Suddenly, some users couldn’t log into a few machines anymore. /var/log/secure gave a system error 4 at pam_sss(sshd:account), but not much else. ssh with -vvv showed it failing too, at about the same place. Thought maybe SELinux, so I ran audit2allow, and it caught a couple of problems with sssd_t and selinux_config_t. setenforce 0 fixed it, but even creating a module with everything referenced in the audit log didn’t fix it.
Finally tracked it down to this article mentioning /etc/selinux/POLICY/logins, so I looked in there (targeted). Looking at ls -Z, and comparing to a system that worked, I saw that the type of the directory and files was selinux_config_t, when it should have been selinux_logins_config_t. Running restorecon on the directory reset the type. Then I set SELinux back to Enforcing, and everything worked fine.
This was a weird error because it was an SELinux error, but within SELinux itself, and it didn’t seem to get reported.
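
The ls -Z comparison described above can be scripted so the mislabel is caught without a second machine to compare against. This is an added example, not part of the original post; the helper names and the sample ls -Z lines are constructed, and the live check assumes the policy directory is /etc/selinux/targeted unless another name is passed.

```shell
#!/bin/sh
# Added example: find entries under /etc/selinux/POLICY/logins whose SELinux
# type is not selinux_logins_config_t (the mislabel described in the post).
EXPECTED_TYPE="selinux_logins_config_t"

# mislabeled (hypothetical helper): reads `ls -Z` lines on stdin and prints
# "path type" for each entry with the wrong type. Accepts both the RHEL 6
# layout (mode user group context name) and the newer one (context name).
mislabeled() {
    awk -v want="$EXPECTED_TYPE" '{
        for (i = 1; i < NF; i++) {
            # A context looks like user:role:type[:level]
            if (split($i, c, ":") >= 3) {
                if (c[3] != want) print $NF, c[3]
                next
            }
        }
    }'
}

# check_live (hypothetical helper): run the check on a real host.
# Argument: policy name, defaulting to "targeted".
check_live() {
    dir="/etc/selinux/${1:-targeted}/logins"
    ls -dZ "$dir" "$dir"/* 2>/dev/null | mislabeled
    # -n makes restorecon report what it would relabel without changing it;
    # drop -n to apply the fix, as the post did.
    restorecon -R -n -v "$dir"
}

# Constructed sample input: two mislabeled entries and one correct one.
SAMPLE_LS_Z='drwxr-xr-x. root root system_u:object_r:selinux_config_t:s0 /etc/selinux/targeted/logins
-rw-r--r--. root root system_u:object_r:selinux_config_t:s0 /etc/selinux/targeted/logins/alice
-rw-r--r--. root root system_u:object_r:selinux_logins_config_t:s0 /etc/selinux/targeted/logins/bob'

if [ "${1:-}" = "--live" ]; then
    check_live "${2:-targeted}"
else
    printf '%s\n' "$SAMPLE_LS_Z" | mislabeled
fi
```

Run with --live as root on the affected host; with no arguments it only processes the constructed sample.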