<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 08/20/2014 04:29 PM, alireza baghery
wrote:<br>
</div>
<blockquote
cite="mid:CAPyvVhyTtV5=Eva_Ph_V5Pb5W-C0pJGAz3F9GT2ODVwBA9=VEg@mail.gmail.com"
type="cite">
<div dir="ltr"><span
style="font-family:arial,sans-serif;font-size:13px">Yes, right.
IPA trust relation with AD and subdomain AD. Yes, GDE produces
the log.</span><br>
</div>
</blockquote>
<br>
It seems that you have some custom polkit policy that fails to load.
Did you play with some polkit policies?<br>
<br>
<blockquote
cite="mid:CAPyvVhyTtV5=Eva_Ph_V5Pb5W-C0pJGAz3F9GT2ODVwBA9=VEg@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">
On Wed, Aug 20, 2014 at 5:27 PM, Dmitri Pal <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="">
<div>On 08/20/2014 01:45 PM, alireza baghery wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"> Hi,<br>
Having a particularly weird problem. We have
moved from AD (Windows 2008 R2)<br>
to an IPA server (CentOS 6.5), and I integrated IPA
with AD.<br>
The Linux machine is joined to IPA and the Windows
machine is joined to AD.<br>
AD users can log in in CLI mode on the Linux system
(CentOS 6.5)<br>
but cannot log in in GUI mode.<br>
</div>
</blockquote>
<br>
<br>
</div>
Do I get it right:<br>
<br>
User from AD walks to a desktop console of the Linux
system joined into IPA that is in trust relations with AD
and the GDE produces the following log?
<div>
<div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr"> error message in file
/var/log/security<br>
----------------------------------------------------------------------------------<br>
pam: gdm-password[2685]:
pam_unix(gdm-password:auth):<br>
authentication failure: logname= uid=0 euid=0
tty=:0 ruser= rhost=<br>
rhost= user=sallea@AD<br>
pam: gdm-password[2685]:
pam_sss(gdm-password:auth):<br>
user info message: your password will expire
in 40 day<br>
pam: gdm-password[2685]:pam_sss(
<div>gdm-password:auth):<br>
authenticate success: logname= uid=0 euid=0
tty=:0 ruser= rhost=<br>
rhost= user=sallea@AD<br>
pam: gdm-password[2685]:pam_unix
(gdm-password:session):<br>
session opened for user sallea@AD by (uid=0)<br>
polkitd(authority=local): Unregistered
Authentication<br>
Agent for session
/org/freedesktop/ConsoleKit/Session4 (system bus<br>
name :1.116 , object path
/org/gnome/PolcyKit1/AuthenticationAgent,<br>
<br>
- Ignored:<br>
local en_US) (disconnected from bus)<br>
<br>
pam: gdm-password[2685]: pam_unix
(gdm-password:session):<br>
session closed for user sallea@AD<br>
------------------------------------------------------<br>
<br>
and contents of file /etc/pam.d/password-auth<br>
-----------------------------------<br>
auth required pam_env.so<br>
auth sufficient pam_unix.so nullok
try_first_pass<br>
auth requisite pam_succeed_if.so
uid >= 500 quiet<br>
auth sufficient pam_sss.so
use_first_pass<br>
auth required pam_deny.so<br>
<br>
account required pam_unix.so<br>
account sufficient pam_localuser.so<br>
account sufficient pam_succeed_if.so
uid < 500 quiet<br>
account [default=bad success=ok
user_unknown=ignore] pam_sss.so<br>
account required pam_permit.so<br>
<br>
password requisite pam_cracklib.so
try_first_pass retry=3 type=<br>
password sufficient pam_unix.so sha512
shadow nullok try_first_pass use_authtok<br>
password sufficient pam_sss.so
use_authtok<br>
password required pam_deny.so<br>
<br>
session optional pam_keyinit.so
revoke<br>
session required pam_limits.so<br>
session [success=1 default=ignore]
pam_succeed_if.so service in crond quiet use_uid<br>
session required pam_unix.so<br>
<br>
session require pam_sss.so<br>
--------------------------------------<br>
How can I solve this problem?<br>
Thanks</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
</div>
</div>
<span class="HOEnZb"><font color="#888888">
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</font></span></div>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>