<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 05/29/2014 02:20 PM, Scott Allen wrote:<br> </div> <blockquote cite="mid:CAATq_wXaCR-hQ+B1EkVPGkhF8kKeD49vLfo_TjV87RPTQvp2wg@mail.gmail.com" type="cite"> <div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">Hi, </span> <div style="font-family:arial,sans-serif;font-size:13px">Having a particularly weird problem. We have moved from AD to freeIPA recently and while there have been some bumps, most of the CentOS 6.2 boxes make the transition successfully. Some background.</div> <div style="font-family:arial,sans-serif;font-size:13px"><br> </div> <div style="font-family:arial,sans-serif;font-size:13px">The Linux boxes were joined to AD on Windows 2008R2 using samba/winbind. When we moved from AD, boxes were not "removed" from AD, just disabled on the server side. We scripted the necessary bits since we were moving to a new subnet as well. The script runs "ipa-client-install -p admin --password PASSWORD --enable-dns-updates -U"</div> <div style="font-family:arial,sans-serif;font-size:13px"><br> </div> <div style="font-family:arial,sans-serif;font-size:13px">The machines were joined successfully to freeIPA and then added to allow_all_hosts Host Group.</div> <div style="font-family:arial,sans-serif;font-size:13px"><br> </div> <div style="font-family:arial,sans-serif;font-size:13px">On a workstation that was migrated, all users can successfully log in.</div> <div style="font-family:arial,sans-serif;font-size:13px"> On a fresh install of CentOS6.2, only myself (admin_user) and a newly created user (foo) can successfully log in.</div> <div style="font-family:arial,sans-serif;font-size:13px"><br> </div> <div style="font-family:arial,sans-serif;font-size:13px"> On this fresh install, 'david' is blocked but new user 'foo' is allowed.</div> <div style="font-family:arial,sans-serif;font-size:13px"><br> </div> <div style="font-family:arial,sans-serif;font-size:13px"> <div> May 29 09:20:29 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.26 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)</div> <div>May 29 09:20:46 embassy419 pam: gdm-password[2910]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david</div> <div>May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]</div> <div>May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david</div> <div>May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)</div> <div>May 29 10:44:06 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.88 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)</div> <div>May 29 10:44:13 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo</div> <div>May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo</div> <div>May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:session): session opened for user foo by (uid=0)</div> <div>May 29 10:44:15 embassy419 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.88, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)</div> <div><br> </div> <div>But on this machine that was migrated.</div> <div> <div>pam: gdm-password[14145]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david</div> <div>May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]</div> <div>May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david</div> <div>May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)</div> <div>May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): getting password (0x00000010)</div> <div>May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): pam_get_item returned a password</div> <div>May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): user 'david' granted access</div> <div>May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND</div> <div>May 29 10:42:10 Embassy426 pam: gdm-password[14145]: pam_unix(gdm-password:session): session opened for user david by (uid=0)</div> <div>May 29 10:42:10 Embassy426 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.85, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)</div> <div>May 29 10:42:11 Embassy426 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session4 (system bus name :1.105 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)</div> <div>May 29 10:42:56 Embassy426 pam: gdm-password[15052]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:3 ruser= rhost= user=foo</div> <div>May 29 10:42:57 Embassy426 pam: gdm-password[15052]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:3 ruser= rhost= user=foo</div> <div>May 29 10:42:57 Embassy426 pam: gdm-password[15052]: pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND</div> <div>May 29 10:42:59 Embassy426 pam: gdm-password[15052]: pam_unix(gdm-password:session): session opened for user foo by (uid=0)</div> <div>May 29 10:42:59 Embassy426 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session7 (system bus name :1.160, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)</div> <div>May 29 10:42:59 Embassy426 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session8 (system bus name :1.175 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)</div> </div> <div><br> </div> <div><br> </div> <div>The dirserv says this about david from the broken PC</div> <div><br> </div> <div> <div>[29/May/2014:09:20:46 -0700] conn=8 op=1526 SRCH base="dc=embassy,dc=vfx" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincip</div> <div>al))(|(<a class="moz-txt-link-abbreviated" href="mailto:ipaKrbPrincipalAlias=david@EMBASSY.VFX">ipaKrbPrincipalAlias=david@EMBASSY.VFX</a>)(<a class="moz-txt-link-abbreviated" href="mailto:krbPrincipalName=david@EMBASSY.VFX">krbPrincipalName=david@EMBASSY.VFX</a>)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKe</div> <div>y krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSucces</div> <div>sfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHis</div> <div>tory objectClass"</div> <div> [29/May/2014:09:20:46 -0700] conn=8 op=1526 RESULT err=0 tag=101 nentries=1 etime=0</div> <div>[29/May/2014:09:20:46 -0700] conn=8 op=1527 SRCH base="cn=EMBASSY.VFX,cn=kerberos,dc=embassy,dc=vfx" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife</div> <div>krbMaxRenewableAge krbTicketFlags"</div> <div>[29/May/2014:09:20:46 -0700] conn=8 op=1527 RESULT err=0 tag=101 nentries=1 etime=0</div> <div>[29/May/2014:09:20:46 -0700] conn=8 op=1528 SRCH base="dc=embassy,dc=vfx" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincip</div> <div>al))(|(<a class="moz-txt-link-abbreviated" href="mailto:ipaKrbPrincipalAlias=krbtgt/EMBASSY.VFX@EMBASSY.VFX">ipaKrbPrincipalAlias=krbtgt/EMBASSY.VFX@EMBASSY.VFX</a>)(<a class="moz-txt-link-abbreviated" href="mailto:krbPrincipalName=krbtgt/EMBASSY.VFX@EMBASSY.VFX">krbPrincipalName=krbtgt/EMBASSY.VFX@EMBASSY.VFX</a>)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias k</div> <div>rbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrin</div> <div>cipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge</div> <div> nsAccountLock passwordHistory objectClass"</div> <div>[29/May/2014:09:20:46 -0700] conn=8 op=1528 RESULT err=0 tag=101 nentries=1 etime=0</div> <div>[29/May/2014:09:20:46 -0700] conn=8 op=1529 SRCH base="cn=global_policy,cn=EMBASSY.VFX,cn=kerberos,dc=embassy,dc=vfx" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krb</div> <div>MinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"</div> <div>[29/May/2014:09:20:46 -0700] conn=8 op=1529 RESULT err=0 tag=101 nentries=1 etime=0</div> <div>[29/May/2014:09:20:46 -0700] conn=8 op=1530 MOD dn="uid=david,cn=users,cn=accounts,dc=embassy,dc=vfx"</div> <div>[29/May/2014:09:20:46 -0700] conn=8 op=1530 RESULT err=0 tag=103 nentries=0 etime=0 csn=53875e73000000030000</div> </div> <div><br> </div> <div>From a Migrated working machine (more debugging turned on)</div> <div> <div>[29/May/2014:10:42:04 -0700] conn=72 op=14 SRCH base="cn=accounts,dc=embassy,dc=vfx" scope=2 filter="(&(uid=david)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey"</div> <div>[29/May/2014:10:42:04 -0700] conn=72 op=14 RESULT err=0 tag=101 nentries=1 etime=0</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=15 SRCH base="cn=accounts,dc=embassy,dc=vfx" scope=2 filter="(&(uid=david)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey"</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=15 RESULT err=0 tag=101 nentries=1 etime=0</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=16 SRCH base="cn=ipausers,cn=groups,cn=accounts,dc=embassy,dc=vfx" scope=0 filter="(&(objectClass=posixGroup)(cn=*))" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp entryusn"</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=16 RESULT err=0 tag=101 nentries=0 etime=0</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=17 SRCH base="cn=emb_users,cn=groups,cn=accounts,dc=embassy,dc=vfx" scope=0 filter="(&(objectClass=posixGroup)(cn=*))" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp entryusn"</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=17 RESULT err=0 tag=101 nentries=1 etime=0</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=18 SRCH base="cn=etc,dc=embassy,dc=vfx" scope=2 filter="(&(cn=ipaConfig)(objectClass=ipaGuiConfig))" attrs="ipaMigrationEnabled ipaSELinuxUserMapDefault ipaSELinuxUserMapOrder"</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=18 RESULT err=0 tag=101 nentries=1 etime=0</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=19 SRCH base="cn=accounts,dc=embassy,dc=vfx" scope=2 filter="(&(objectClass=ipaHost)(fqdn=embassy426.embassy.vfx))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=19 RESULT err=0 tag=101 nentries=1 etime=0 notes=P</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=20 SRCH base="fqdn=embassy426.embassy.vfx,cn=computers,cn=accounts,dc=embassy,dc=vfx" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=20 RESULT err=0 tag=101 nentries=1 etime=0 notes=P</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=21 SRCH base="cn=hbac,dc=embassy,dc=vfx" scope=2 filter="(objectClass=ipaHBACService)" attrs="objectClass cn ipaUniqueID member memberOf"</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=21 RESULT err=0 tag=101 nentries=15 etime=0 notes=P</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=22 SRCH base="cn=hbac,dc=embassy,dc=vfx" scope=2 filter="(objectClass=ipaHBACServiceGroup)" attrs="objectClass cn ipaUniqueID member memberOf"</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=22 RESULT err=0 tag=101 nentries=2 etime=0 notes=P</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=23 SRCH base="cn=hbac,dc=embassy,dc=vfx" scope=2 filter="(&(objectClass=ipaHBACRule)(ipaEnabledFlag=TRUE)(|(hostCategory=all)(memberHost=fqdn=embassy426.embassy.vfx,cn=computers,cn=accounts,dc=embassy,dc=vfx)(memberHost=cn=allow_all_hosts,cn=hostgroups,cn=accounts,dc=embassy,dc=vfx)(memberHost=cn=allow_all_hosts,cn=ng,cn=alt,dc=embassy,dc=vfx)(memberHost=ipauniqueid=6e07ee2e-d495-11e3-9c3b-00304881a4bc,cn=hbac,dc=embassy,dc=vfx)))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag accessRuleType memberUser userCategory memberService serviceCategory sourceHost sourceHostCategory externalHost memberHost hostCategory"</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=23 RESULT err=0 tag=101 nentries=1 etime=0 notes=P</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=24 SRCH base="cn=etc,dc=embassy,dc=vfx" scope=2 filter="(&(cn=ipaConfig)(objectClass=ipaGuiConfig))" attrs="ipaMigrationEnabled ipaSELinuxUserMapDefault ipaSELinuxUserMapOrder"</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=24 RESULT err=0 tag=101 nentries=1 etime=0</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=25 SRCH base="cn=selinux,dc=embassy,dc=vfx" scope=2 filter="(&(objectClass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))" attrs="objectClass cn memberUser memberHost seeAlso ipaSELinuxUser ipaEnabledFlag userCategory hostCategory ipaUniqueID"</div> <div>[29/May/2014:10:42:08 -0700] conn=72 op=25 RESULT err=0 tag=101 nentries=0 etime=0 notes=P</div> <div>[29/May/2014:10:42:09 -0700] conn=72 op=26 SRCH base="cn=accounts,dc=embassy,dc=vfx" scope=2 filter="(&(cn=pulse-rt)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp entryusn"</div> <div>[29/May/2014:10:42:09 -0700] conn=72 op=26 RESULT err=0 tag=101 nentries=0 etime=1</div> <div>[29/May/2014:10:42:09 -0700] conn=72 op=27 SRCH base="cn=accounts,dc=embassy,dc=vfx" scope=2 filter="(&(gidNumber=16777729)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp entryusn"</div> <div>[29/May/2014:10:42:09 -0700] conn=72 op=27 RESULT err=0 tag=101 nentries=1 etime=0</div> <div>[29/May/2014:10:42:09 -0700] conn=72 op=28 SRCH base="cn=emb_users,cn=groups,cn=accounts,dc=embassy,dc=vfx" scope=0 filter="(objectClass=*)" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp entryusn uid"</div> <div>[29/May/2014:10:42:09 -0700] conn=72 op=28 RESULT err=0 tag=101 nentries=1 etime=0 notes=P</div> </div> <div><br> </div> <div><br> </div> <div>I can see that winbind is somehow involved but</div> <div>1) Both machines are disabled in AD</div> <div>2) The new user 'foo' is not in AD but can still log in</div> <div><br> </div> <div>I have tried copying over the pam.d folder from a working PC with no luck as well.</div> <div>The weird part is the migrated machine behaves "better" than the clean install.....</div> <div>Anything leap out? I can send more info if required.</div> <div><br> </div> </div> </div> </blockquote> <br> With david auth goes to IPA and fails somehow. Check Kerberos logs. That might have some hints. May be it is because the password needs to be changed for him after migration. Since you have winbind in the stack still it kicks in and tries. Authentication seems to work because it is just Kerberos but the authorization fails so user can't log in.<br> User foo was properly created so he can authenticate.<br> I suspect that migration was not properly completed. Please check documentation about migration.<br> <br> <br> <blockquote cite="mid:CAATq_wXaCR-hQ+B1EkVPGkhF8kKeD49vLfo_TjV87RPTQvp2wg@mail.gmail.com" type="cite"> <div dir="ltr"> <div style="font-family:arial,sans-serif;font-size:13px"> <div><br> </div> <div>Thanks</div> <div>Scott A</div> </div> <div><br> </div> -- <br> Scott Allen<br> Head of IT<br> The Embassy Visual Effects Inc.<br> 4th Floor - 177 W 7th Avenue<br> Vancouver, B.C.<br> V5Y 1L8<br> 604.696.6862 ext 241 </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <br> <br> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.</pre> </body> </html>