[Freeipa-users] Trusted AD Users login via gdm

Leah Zimmermann leah_zimmermann at web.de
Thu Jun 13 11:49:30 UTC 2013


Hello Sumit,
Hello List Members,

On 13.06.2013 09:18, Sumit Bose wrote:
> On Wed, Jun 12, 2013 at 02:04:33PM +0200, Leah Zimmermann wrote:
>> On 12.06.2013 12:03, Sumit Bose wrote:
>>> On Wed, Jun 12, 2013 at 11:42:23AM +0200, Leah Zimmermann wrote:
>>>> Dear List Members,
>>>>
>>>> I have a FreeIPA-Domain on a CentOS 6.4 machine. It is in a trusted
>>>> relationship to an AD-Domain.
>>>> The users of the AD-Domain can login via ssh- or console-login. Then
>>>> they can start the gnome desktop manually. But if they login via gdm
>>>> they are logged out immediately.
>>> Which name style are you using 'AD_NETBIOS\username' or
>>> 'username at AD_DOMAIN' ? If you only tried one can you try the other?
>> until now I tried only 'username at AD_DOMAIN', but
>> 'AD_NETBIOS\username' does not work either.
>>> If this does not help, please send the relevant section of
>>> /var/log/secure and the sssd logs with a high debug level.
>>>
>>>
>> As far as I can see, both styles cause the same results.
>>
>> Jun 12 13:27:56 ipa_hostname pam: gdm-password:
>> pam_unix(gdm-password:auth): authentication failure; logname= uid=0
>> euid=0 tty=:0 ruser= rhost=  user=leah at AD_DOMAIN
>> Jun 12 13:27:57 ipa_hostname pam: gdm-password:
>> pam_sss(gdm-password:auth): authentication success; logname= uid=0
>> euid=0 tty=:0 ruser= rhost= user=leah at AD_DOMAIN
>> Jun 12 13:27:57 ipa_hostname pam: gdm-password:
>> pam_unix(gdm-password:session): session opened for user
>> leah at AD_DOMAIN by (uid=0)
>> Jun 12 13:27:57 ipa_hostname polkitd(authority=local): Unregistered
>> Authentication Agent for session
>> /org/freedesktop/ConsoleKit/Session25 (system bus name :1.265,
>> object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
>> de_DE.UTF-8) (disconnected from bus)
>> Jun 12 13:27:58 ipa_hostname pam: gdm-password:
>> pam_unix(gdm-password:session): session closed for user
>> leah at AD_DOMAIN
>> Jun 12 13:27:59 ipa_hostname polkitd(authority=local): Registered
>> Authentication Agent for session
>> /org/freedesktop/ConsoleKit/Session27 (system bus name :1.275
>> [/usr/libexec/polkit-gnome-authentication-agent-1], object path
>> /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
>>
>>
>> Jun 12 13:32:56 ipa_hostname pam: gdm-password:
>> pam_unix(gdm-password:auth): authentication failure; logname= uid=0
>> euid=0 tty=:0 ruser= rhost=  user=AD_NETBIOS\leah
>> Jun 12 13:32:58 ipa_hostname pam: gdm-password:
>> pam_sss(gdm-password:auth): authentication success; logname= uid=0
>> euid=0 tty=:0 ruser= rhost= user=AD_NETBIOS\leah
>> Jun 12 13:32:58 ipa_hostname pam: gdm-password:
>> pam_unix(gdm-password:session): session opened for user
>> AD_NETBIOS\leah by (uid=0)
>> Jun 12 13:32:58 ipa_hostname polkitd(authority=local): Unregistered
>> Authentication Agent for session
>> /org/freedesktop/ConsoleKit/Session27 (system bus name :1.275,
>> object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
>> de_DE.UTF-8) (disconnected from bus)
>> Jun 12 13:32:58 ipa_hostname pam: gdm-password:
>> pam_unix(gdm-password:session): session closed for user
>> AD_NETBIOS\leah
>> Jun 12 13:32:59 ipa_hostname polkitd(authority=local): Registered
>> Authentication Agent for session
>> /org/freedesktop/ConsoleKit/Session29 (system bus name :1.285
>> [/usr/libexec/polkit-gnome-authentication-agent-1], object path
>> /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
>>
>> Maybe the Unregistered Authentication Agent is the problem. But
>> what have I missed?
> Do you have SELinux enabled? Can you check if there are any audit messages
> with SELinux denials? Can you check if the SELinux context of the users'
> home directory is right?
SELinux is disabled by setting SELINUX=disabled in /etc/sysconfig/selinux.
I did that already, to eliminate this as the source of difficulties.
I'm sorry. Maybe I should have mentioned this earlier.

If I set it to permissive mode I get

drwxr-xr-x. leah at ad_domain    leah at ad_domain 
unconfined_u:object_r:user_home_t:s0 leah
drwxr-xr-x. user_xy at ad_domain user_xy at ad_domain 
unconfined_u:object_r:user_home_t:s0 user_xy
...

All home directories of AD-Users look like this.

Thanks

Leah
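As an added example (not part of the thread, and not FreeIPA or sssd code), a small Python check that pairs the pam_unix `session opened` / `session closed` lines for the `gdm-password` service in `/var/log/secure` and flags sessions that close within a few seconds of opening, which is the symptom in the excerpt above. The sample log is constructed, modelled on that excerpt, with the archive's "at" written as "@".

```python
import re
from datetime import datetime

# Constructed sample, modelled on the /var/log/secure excerpt in the thread.
# The second user (alice, constructed) has a normal long session for contrast.
SAMPLE_LOG = """\
Jun 12 13:27:56 ipa_hostname pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=leah@AD_DOMAIN
Jun 12 13:27:57 ipa_hostname pam: gdm-password: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=leah@AD_DOMAIN
Jun 12 13:27:57 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session opened for user leah@AD_DOMAIN by (uid=0)
Jun 12 13:27:58 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session closed for user leah@AD_DOMAIN
Jun 12 13:40:02 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session opened for user alice by (uid=0)
Jun 12 14:10:30 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session closed for user alice
"""

# Only the pam_unix session lines are of interest; auth lines do not match.
# The user field is \S+ so both 'user@AD_DOMAIN' and 'AD_NETBIOS\user' are kept.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pam: (?P<service>[\w-]+): "
    r"pam_unix\((?P=service):session\): session (?P<event>opened|closed) "
    r"for user (?P<user>\S+)"
)


def short_gdm_sessions(log_text, service="gdm-password", max_seconds=5):
    """Return [(user, seconds_open)] for sessions of `service` that closed
    within `max_seconds` of being opened (the 'logged out immediately' pattern)."""
    opened = {}   # user -> time the session was opened
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("service") != service:
            continue
        # syslog timestamps carry no year; differences within a day are still correct
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        user = m.group("user")
        if m.group("event") == "opened":
            opened[user] = ts
        elif user in opened:
            delta = (ts - opened.pop(user)).total_seconds()
            if delta <= max_seconds:
                hits.append((user, delta))
    return hits


if __name__ == "__main__":
    for user, secs in short_gdm_sessions(SAMPLE_LOG):
        print("%s: gdm session closed after %.0f s" % (user, secs))
```

Point it at the real file with `short_gdm_sessions(open("/var/log/secure").read())`; a hit means PAM authentication succeeded and the session itself is being torn down, so the cause lies after pam_sss (SELinux contexts, the home directory, or the gdm session start), not in the trust lookup.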




