<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/29/2014 02:20 PM, Scott Allen
wrote:<br>
</div>
<blockquote
cite="mid:CAATq_wXaCR-hQ+B1EkVPGkhF8kKeD49vLfo_TjV87RPTQvp2wg@mail.gmail.com"
type="cite">
<div dir="ltr"><span
style="font-family:arial,sans-serif;font-size:13px">Hi, </span>
<div style="font-family:arial,sans-serif;font-size:13px">Having
a particularly weird problem. We have moved from AD to freeIPA
recently and while there have been some bumps, most of the
CentOS 6.2 boxes make the transition successfully. Some
background.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px">The
Linux boxes were joined to AD on Windows 2008R2 using
samba/winbind. When we moved from AD, boxes were not "removed"
from AD, just disabled on the server side. We scripted the
necessary bits since we were moving to a new subnet as well.
The script runs "ipa-client-install -p admin --password
PASSWORD --enable-dns-updates -U"</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px">The
machines were joined successfully to freeIPA and then added to
allow_all_hosts Host Group.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px">On a
workstation that was migrated, all users can successfully log
in.</div>
<div style="font-family:arial,sans-serif;font-size:13px">
On a fresh install of CentOS 6.2, only myself (admin_user) and
a newly created user (foo) can successfully log in.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px">
On this fresh install, 'david' is blocked but new user 'foo'
is allowed.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px">
<div>
May 29 09:20:29 embassy419 polkitd(authority=local):
Registered Authentication Agent for session
/org/freedesktop/ConsoleKit/Session1 (system bus name :1.26
[/usr/libexec/polkit-gnome-authentication-agent-1], object
path /org/gnome/PolicyKit1/AuthenticationAgent, locale
en_US.UTF-8)</div>
<div>May 29 09:20:46 embassy419 pam: gdm-password[2910]:
pam_unix(gdm-password:auth): authentication failure;
logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david</div>
<div>May 29 09:20:47 embassy419 pam: gdm-password[2910]:
pam_sss(gdm-password:auth): system info: [Preauthentication
failed]</div>
<div>May 29 09:20:47 embassy419 pam: gdm-password[2910]:
pam_sss(gdm-password:auth): authentication failure; logname=
uid=0 euid=0 tty=:0 ruser= rhost= user=david</div>
<div>May 29 09:20:47 embassy419 pam: gdm-password[2910]:
pam_sss(gdm-password:auth): received for user david: 17
(Failure setting user credentials)</div>
<div>May 29 10:44:06 embassy419 polkitd(authority=local):
Registered Authentication Agent for session
/org/freedesktop/ConsoleKit/Session3 (system bus name :1.88
[/usr/libexec/polkit-gnome-authentication-agent-1], object
path /org/gnome/PolicyKit1/AuthenticationAgent, locale
en_US.UTF-8)</div>
<div>May 29 10:44:13 embassy419 pam: gdm-password[3956]:
pam_unix(gdm-password:auth): authentication failure;
logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo</div>
<div>May 29 10:44:14 embassy419 pam: gdm-password[3956]:
pam_sss(gdm-password:auth): authentication success; logname=
uid=0 euid=0 tty=:1 ruser= rhost= user=foo</div>
<div>May 29 10:44:14 embassy419 pam: gdm-password[3956]:
pam_unix(gdm-password:session): session opened for user foo
by (uid=0)</div>
<div>May 29 10:44:15 embassy419 polkitd(authority=local):
Unregistered Authentication Agent for session
/org/freedesktop/ConsoleKit/Session3 (system bus name :1.88,
object path /org/gnome/PolicyKit1/AuthenticationAgent,
locale en_US.UTF-8) (disconnected from bus)</div>
<div><br>
</div>
<div>But on this machine that was migrated.</div>
<div>
<div>pam: gdm-password[14145]: pam_unix(gdm-password:auth):
authentication failure; logname= uid=0 euid=0 tty=:1
ruser= rhost= user=david</div>
<div>May 29 10:42:08 Embassy426 pam: gdm-password[14145]:
pam_sss(gdm-password:auth): system info:
[Preauthentication failed]</div>
<div>May 29 10:42:08 Embassy426 pam: gdm-password[14145]:
pam_sss(gdm-password:auth): authentication failure;
logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david</div>
<div>May 29 10:42:08 Embassy426 pam: gdm-password[14145]:
pam_sss(gdm-password:auth): received for user david: 17
(Failure setting user credentials)</div>
<div>May 29 10:42:08 Embassy426 pam: gdm-password[14145]:
pam_winbind(gdm-password:auth): getting password
(0x00000010)</div>
<div>May 29 10:42:08 Embassy426 pam: gdm-password[14145]:
pam_winbind(gdm-password:auth): pam_get_item returned a
password</div>
<div>May 29 10:42:09 Embassy426 pam: gdm-password[14145]:
pam_winbind(gdm-password:auth): user 'david' granted
access</div>
<div>May 29 10:42:09 Embassy426 pam: gdm-password[14145]:
pam_winbind(gdm-password:account): valid_user: wbcGetpwnam
gave WBC_ERR_DOMAIN_NOT_FOUND</div>
<div>May 29 10:42:10 Embassy426 pam: gdm-password[14145]:
pam_unix(gdm-password:session): session opened for user
david by (uid=0)</div>
<div>May 29 10:42:10 Embassy426 polkitd(authority=local):
Unregistered Authentication Agent for session
/org/freedesktop/ConsoleKit/Session3 (system bus name
:1.85, object path
/org/gnome/PolicyKit1/AuthenticationAgent, locale
en_US.UTF-8) (disconnected from bus)</div>
<div>May 29 10:42:11 Embassy426 polkitd(authority=local):
Registered Authentication Agent for session
/org/freedesktop/ConsoleKit/Session4 (system bus name
:1.105 [/usr/libexec/polkit-gnome-authentication-agent-1],
object path /org/gnome/PolicyKit1/AuthenticationAgent,
locale en_US.UTF-8)</div>
<div>May 29 10:42:56 Embassy426 pam: gdm-password[15052]:
pam_unix(gdm-password:auth): authentication failure;
logname= uid=0 euid=0 tty=:3 ruser= rhost= user=foo</div>
<div>May 29 10:42:57 Embassy426 pam: gdm-password[15052]:
pam_sss(gdm-password:auth): authentication success;
logname= uid=0 euid=0 tty=:3 ruser= rhost= user=foo</div>
<div>May 29 10:42:57 Embassy426 pam: gdm-password[15052]:
pam_winbind(gdm-password:account): valid_user: wbcGetpwnam
gave WBC_ERR_DOMAIN_NOT_FOUND</div>
<div>May 29 10:42:59 Embassy426 pam: gdm-password[15052]:
pam_unix(gdm-password:session): session opened for user
foo by (uid=0)</div>
<div>May 29 10:42:59 Embassy426 polkitd(authority=local):
Unregistered Authentication Agent for session
/org/freedesktop/ConsoleKit/Session7 (system bus name
:1.160, object path
/org/gnome/PolicyKit1/AuthenticationAgent, locale
en_US.UTF-8) (disconnected from bus)</div>
<div>May 29 10:42:59 Embassy426 polkitd(authority=local):
Registered Authentication Agent for session
/org/freedesktop/ConsoleKit/Session8 (system bus name
:1.175 [/usr/libexec/polkit-gnome-authentication-agent-1],
object path /org/gnome/PolicyKit1/AuthenticationAgent,
locale en_US.UTF-8)</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>The dirserv says this about david from the broken PC</div>
<div><br>
</div>
<pre wrap="">[29/May/2014:09:20:46 -0700] conn=8 op=1526 SRCH base="dc=embassy,dc=vfx" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=david@EMBASSY.VFX)(krbPrincipalName=david@EMBASSY.VFX)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory objectClass"
[29/May/2014:09:20:46 -0700] conn=8 op=1526 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2014:09:20:46 -0700] conn=8 op=1527 SRCH base="cn=EMBASSY.VFX,cn=kerberos,dc=embassy,dc=vfx" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[29/May/2014:09:20:46 -0700] conn=8 op=1527 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2014:09:20:46 -0700] conn=8 op=1528 SRCH base="dc=embassy,dc=vfx" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/EMBASSY.VFX@EMBASSY.VFX)(krbPrincipalName=krbtgt/EMBASSY.VFX@EMBASSY.VFX)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory objectClass"
[29/May/2014:09:20:46 -0700] conn=8 op=1528 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2014:09:20:46 -0700] conn=8 op=1529 SRCH base="cn=global_policy,cn=EMBASSY.VFX,cn=kerberos,dc=embassy,dc=vfx" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[29/May/2014:09:20:46 -0700] conn=8 op=1529 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2014:09:20:46 -0700] conn=8 op=1530 MOD dn="uid=david,cn=users,cn=accounts,dc=embassy,dc=vfx"
[29/May/2014:09:20:46 -0700] conn=8 op=1530 RESULT err=0 tag=103 nentries=0 etime=0 csn=53875e73000000030000</pre>
<div><br>
</div>
<div>From a Migrated working machine (more debugging turned
on)</div>
<div>
<div>[29/May/2014:10:42:04 -0700] conn=72 op=14 SRCH
base="cn=accounts,dc=embassy,dc=vfx" scope=2
filter="(&(uid=david)(objectClass=posixAccount))"
attrs="objectClass uid userPassword uidNumber gidNumber
gecos homeDirectory loginShell krbPrincipalName cn
memberOf nsUniqueId modifyTimestamp entryusn
shadowLastChange shadowMin shadowMax shadowWarning
shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdattribute authorizedService
accountexpires useraccountcontrol nsAccountLock host
logindisabled loginexpirationtime loginallowedtimemap
ipaSshPubKey"</div>
<div>[29/May/2014:10:42:04 -0700] conn=72 op=14 RESULT err=0
tag=101 nentries=1 etime=0</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=15 SRCH
base="cn=accounts,dc=embassy,dc=vfx" scope=2
filter="(&(uid=david)(objectClass=posixAccount))"
attrs="objectClass uid userPassword uidNumber gidNumber
gecos homeDirectory loginShell krbPrincipalName cn
memberOf nsUniqueId modifyTimestamp entryusn
shadowLastChange shadowMin shadowMax shadowWarning
shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdattribute authorizedService
accountexpires useraccountcontrol nsAccountLock host
logindisabled loginexpirationtime loginallowedtimemap
ipaSshPubKey"</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=15 RESULT err=0
tag=101 nentries=1 etime=0</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=16 SRCH
base="cn=ipausers,cn=groups,cn=accounts,dc=embassy,dc=vfx"
scope=0 filter="(&(objectClass=posixGroup)(cn=*))"
attrs="objectClass cn userPassword gidNumber member
nsUniqueId modifyTimestamp entryusn"</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=16 RESULT err=0
tag=101 nentries=0 etime=0</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=17 SRCH
base="cn=emb_users,cn=groups,cn=accounts,dc=embassy,dc=vfx"
scope=0 filter="(&(objectClass=posixGroup)(cn=*))"
attrs="objectClass cn userPassword gidNumber member
nsUniqueId modifyTimestamp entryusn"</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=17 RESULT err=0
tag=101 nentries=1 etime=0</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=18 SRCH
base="cn=etc,dc=embassy,dc=vfx" scope=2
filter="(&(cn=ipaConfig)(objectClass=ipaGuiConfig))"
attrs="ipaMigrationEnabled ipaSELinuxUserMapDefault
ipaSELinuxUserMapOrder"</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=18 RESULT err=0
tag=101 nentries=1 etime=0</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=19 SRCH
base="cn=accounts,dc=embassy,dc=vfx" scope=2
filter="(&(objectClass=ipaHost)(fqdn=embassy426.embassy.vfx))"
attrs="objectClass cn fqdn serverHostName memberOf
ipaSshPubKey ipaUniqueID"</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=19 RESULT err=0
tag=101 nentries=1 etime=0 notes=P</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=20 SRCH
base="fqdn=embassy426.embassy.vfx,cn=computers,cn=accounts,dc=embassy,dc=vfx"
scope=0 filter="(objectClass=*)" attrs="objectClass cn
memberOf ipaUniqueID"</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=20 RESULT err=0
tag=101 nentries=1 etime=0 notes=P</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=21 SRCH
base="cn=hbac,dc=embassy,dc=vfx" scope=2
filter="(objectClass=ipaHBACService)" attrs="objectClass
cn ipaUniqueID member memberOf"</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=21 RESULT err=0
tag=101 nentries=15 etime=0 notes=P</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=22 SRCH
base="cn=hbac,dc=embassy,dc=vfx" scope=2
filter="(objectClass=ipaHBACServiceGroup)"
attrs="objectClass cn ipaUniqueID member memberOf"</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=22 RESULT err=0
tag=101 nentries=2 etime=0 notes=P</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=23 SRCH
base="cn=hbac,dc=embassy,dc=vfx" scope=2
filter="(&(objectClass=ipaHBACRule)(ipaEnabledFlag=TRUE)(|(hostCategory=all)(memberHost=fqdn=embassy426.embassy.vfx,cn=computers,cn=accounts,dc=embassy,dc=vfx)(memberHost=cn=allow_all_hosts,cn=hostgroups,cn=accounts,dc=embassy,dc=vfx)(memberHost=cn=allow_all_hosts,cn=ng,cn=alt,dc=embassy,dc=vfx)(memberHost=ipauniqueid=6e07ee2e-d495-11e3-9c3b-00304881a4bc,cn=hbac,dc=embassy,dc=vfx)))"
attrs="objectClass cn ipaUniqueID ipaEnabledFlag
accessRuleType memberUser userCategory memberService
serviceCategory sourceHost sourceHostCategory externalHost
memberHost hostCategory"</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=23 RESULT err=0
tag=101 nentries=1 etime=0 notes=P</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=24 SRCH
base="cn=etc,dc=embassy,dc=vfx" scope=2
filter="(&(cn=ipaConfig)(objectClass=ipaGuiConfig))"
attrs="ipaMigrationEnabled ipaSELinuxUserMapDefault
ipaSELinuxUserMapOrder"</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=24 RESULT err=0
tag=101 nentries=1 etime=0</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=25 SRCH
base="cn=selinux,dc=embassy,dc=vfx" scope=2
filter="(&(objectClass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))"
attrs="objectClass cn memberUser memberHost seeAlso
ipaSELinuxUser ipaEnabledFlag userCategory hostCategory
ipaUniqueID"</div>
<div>[29/May/2014:10:42:08 -0700] conn=72 op=25 RESULT err=0
tag=101 nentries=0 etime=0 notes=P</div>
<div>[29/May/2014:10:42:09 -0700] conn=72 op=26 SRCH
base="cn=accounts,dc=embassy,dc=vfx" scope=2
filter="(&(cn=pulse-rt)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
attrs="objectClass cn userPassword gidNumber member
nsUniqueId modifyTimestamp entryusn"</div>
<div>[29/May/2014:10:42:09 -0700] conn=72 op=26 RESULT err=0
tag=101 nentries=0 etime=1</div>
<div>[29/May/2014:10:42:09 -0700] conn=72 op=27 SRCH
base="cn=accounts,dc=embassy,dc=vfx" scope=2
filter="(&(gidNumber=16777729)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
attrs="objectClass cn userPassword gidNumber member
nsUniqueId modifyTimestamp entryusn"</div>
<div>[29/May/2014:10:42:09 -0700] conn=72 op=27 RESULT err=0
tag=101 nentries=1 etime=0</div>
<div>[29/May/2014:10:42:09 -0700] conn=72 op=28 SRCH
base="cn=emb_users,cn=groups,cn=accounts,dc=embassy,dc=vfx"
scope=0 filter="(objectClass=*)" attrs="objectClass cn
userPassword gidNumber member nsUniqueId modifyTimestamp
entryusn uid"</div>
<div>[29/May/2014:10:42:09 -0700] conn=72 op=28 RESULT err=0
tag=101 nentries=1 etime=0 notes=P</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>I can see that winbind is somehow involved but</div>
<div>1) Both machines are disabled in AD</div>
<div>2) The new user 'foo' is not in AD but can still log in</div>
<div><br>
</div>
<div>I have tried copying over the pam.d folder from a working
PC with no luck as well.</div>
<div>The weird part is the migrated machine behaves "better"
than the clean install...</div>
<div>Anything leap out? I can send more info if required.</div>
<div><br>
</div>
</div>
</div>
</blockquote>
<br>
With david, auth goes to IPA and fails somehow. Check the Kerberos logs;
they might have some hints. Maybe it is because the password needs
to be changed for him after migration. Since you still have winbind in the
stack, it kicks in and tries. Authentication seems to work
because it is just Kerberos, but the authorization fails, so the user
can't log in.<br>
User foo was properly created, so he can authenticate.<br>
I suspect that the migration was not properly completed. Please check the
documentation about migration.<br>
<br>
<br>
<blockquote
cite="mid:CAATq_wXaCR-hQ+B1EkVPGkhF8kKeD49vLfo_TjV87RPTQvp2wg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="font-family:arial,sans-serif;font-size:13px">
<div><br>
</div>
<div>Thanks</div>
<div>Scott A</div>
</div>
<div><br>
</div>
-- <br>
Scott Allen<br>
Head of IT<br>
The Embassy Visual Effects Inc.<br>
4th Floor - 177 W 7th Avenue<br>
Vancouver, B.C.<br>
V5Y 1L8<br>
604.696.6862 ext 241
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
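<p>Added example (not from the thread and not FreeIPA or SSSD code): a small parser for the <code>pam: gdm-password</code> lines quoted above. It groups the lines per PAM session (host plus PID), works out which module actually decided each login, and flags the pattern seen on the migrated machine, where <code>pam_sss</code> rejects the user yet a session still opens because <code>pam_winbind</code> granted access. An administrator can run it over <code>/var/log/secure</code> to find hosts where a legacy backend is still live in the PAM stack. The sample log is constructed from the lines in the thread; the function names are assumptions of this example.</p>

```python
"""Classify PAM login attempts by which module decided them.

Added example, not part of the freeipa-users thread. The sample log below
is constructed from the gdm-password lines quoted in the thread.
"""
import re
from collections import OrderedDict

# Constructed sample: one login of 'david' and one of 'foo' on the migrated
# host (Embassy426), and one denied login of 'david' on the fresh host.
SAMPLE_LOG = """\
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): user 'david' granted access
May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
May 29 10:42:10 Embassy426 pam: gdm-password[14145]: pam_unix(gdm-password:session): session opened for user david by (uid=0)
May 29 10:42:56 Embassy426 pam: gdm-password[15052]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:3 ruser= rhost= user=foo
May 29 10:42:57 Embassy426 pam: gdm-password[15052]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:3 ruser= rhost= user=foo
May 29 10:42:59 Embassy426 pam: gdm-password[15052]: pam_unix(gdm-password:session): session opened for user foo by (uid=0)
May 29 09:20:46 embassy419 pam: gdm-password[2910]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
"""

# "<ts> <host> pam: <service>[<pid>]: <module>(<service>:<phase>): <message>"
PAM_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pam: "
    r"(?P<service>[\w-]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<svc>[\w-]+):(?P<phase>\w+)\): (?P<msg>.*)$"
)
# The user name appears in several shapes; \buser= deliberately skips "ruser=".
USER_PATTERNS = (
    re.compile(r"\buser=(\S+)"),
    re.compile(r"\buser '([^']+)'"),
    re.compile(r"session opened for user (\S+)"),
    re.compile(r"received for user (\S+):"),
)


def _user_from(msg):
    for pat in USER_PATTERNS:
        m = pat.search(msg)
        if m:
            return m.group(1)
    return None


def _outcome(phase, msg):
    """Map a module message to a coarse outcome for its PAM phase."""
    if phase == "auth":
        if "authentication success" in msg or "granted access" in msg:
            return "success"
        if "authentication failure" in msg:
            return "failure"
    elif phase == "account" and ("WBC_ERR" in msg or "error" in msg.lower()):
        return "error"
    elif phase == "session" and "session opened" in msg:
        return "opened"
    return "info"


def parse_sessions(log_text):
    """Group PAM lines by (host, service, pid); non-PAM lines are skipped."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = PAM_LINE.match(line.strip())
        if not m:
            continue
        key = (m["host"], m["service"], m["pid"])
        s = sessions.setdefault(key, {"user": None, "events": []})
        user = _user_from(m["msg"])
        if user and not s["user"]:
            s["user"] = user
        s["events"].append((m["module"], m["phase"], _outcome(m["phase"], m["msg"])))
    return sessions


def classify(log_text):
    """One finding per session: who logged in and which module let them in.

    'central'       - pam_sss (IPA) authenticated the user
    'stale-backend' - pam_sss rejected the user but another auth module
                      (e.g. pam_winbind) granted access and a session opened
    'denied'        - no session was opened
    """
    findings = []
    for (host, service, pid), s in parse_sessions(log_text).items():
        ev = s["events"]
        opened = any(ph == "session" and o == "opened" for _, ph, o in ev)
        sss = {o for mod, ph, o in ev if mod == "pam_sss" and ph == "auth" and o != "info"}
        granted_by = sorted({mod for mod, ph, o in ev if ph == "auth" and o == "success"})
        acct_errors = sorted({mod for mod, ph, o in ev if ph == "account" and o == "error"})
        if not opened:
            verdict = "denied"
        elif "success" in sss:
            verdict = "central"
        elif granted_by:
            verdict = "stale-backend"
        else:
            verdict = "unknown"
        findings.append({"host": host, "service": service, "pid": pid, "user": s["user"],
                         "verdict": verdict, "granted_by": granted_by,
                         "account_errors": acct_errors})
    return findings


def stale_backend_logins(log_text):
    """(host, user) pairs where a non-IPA module let the user in after IPA said no."""
    return [(f["host"], f["user"]) for f in classify(log_text) if f["verdict"] == "stale-backend"]


if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print(f"{f['host']} pid={f['pid']} user={f['user']}: {f['verdict']} "
              f"(granted by {f['granted_by'] or '-'}, account errors {f['account_errors'] or '-'})")
```

<p>Run it as <code>python3 pam_sessions.py</code>, or call <code>classify()</code> on the text of <code>/var/log/secure</code>. A <code>stale-backend</code> finding with <code>pam_winbind</code> in <code>granted_by</code> is the signature of a host whose PAM stack was never cleaned up after leaving AD, and the <code>account_errors</code> field carries the <code>WBC_ERR_DOMAIN_NOT_FOUND</code> seen in the thread alongside it.</p>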
</body>
</html>