CentOS requires entering password twice for sudo, login
Solution 1:
I don't have enough rep to comment it seems, so this is a bit of a shot in the dark attempt at an answer.
pam_ldap: ldap_starttls_s: Operations error
I have to wonder if this part of your log is indicating the culprit. My suspicion is that your ldap config is mishandling tls in some way that causes the connection to fail.
Notice the responses from each module:
pam_ldap: ldap_starttls_s: Operations error
pam_sss(sshd:account): Access denied for user matt: 10 (User not known to the underlying authentication module)
pam_unix(sshd:session): session opened for user matt by (uid=0)
So what we have here is ldap saying it failed due to error, sss saying it doesn't know who you are, and local auth saying successful.
Directions to consider:
- Are there any errors in the ldap server logs?
- If possible, can you disable TLS and see if that works?
- Does ldapsearch work?