[Freeipa-users] Trusted AD Users login via gdm

Sumit Bose sbose at redhat.com
Fri Jun 14 07:08:53 UTC 2013


On Thu, Jun 13, 2013 at 01:49:30PM +0200, Leah Zimmermann wrote:
> Hello Sumit,
> Hello List Members,
> 
> Am 13.06.2013 09:18, schrieb Sumit Bose:
> >On Wed, Jun 12, 2013 at 02:04:33PM +0200, Leah Zimmermann wrote:
> >>Am 12.06.2013 12:03, schrieb Sumit Bose:
> >>>On Wed, Jun 12, 2013 at 11:42:23AM +0200, Leah Zimmermann wrote:
> >>>>Dear List Members,
> >>>>
> >>>>I have a FreeIPA-Domain on a CentOS 6.4 machine. It is in a trusted
> >>>>relationship to an AD-Domain.
> >>>>The users of the AD-Domain can login via ssh- or console-login. Then
> >>>>they can start the gnome desktop manually. But if they login via gdm
> >>>>they are logged out immediately.
> >>>Which name style are you using 'AD_NETBIOS\username' or
> >>>'username at AD_DOMAIN' ? If you only tried one can you try the other?
> >>until now I tried only 'username at AD_DOMAIN', but
> >>'AD_NETBIOS\username' does not work either.
> >>>If this does not help, please send the relevant section of
> >>>/var/log/secure and the sssd logs with a high debug level.
> >>>
> >>>
> >>As far as I can see, both styles cause the same results.
> >>
> >>Jun 12 13:27:56 ipa_hostname pam: gdm-password:
> >>pam_unix(gdm-password:auth): authentication failure; logname= uid=0
> >>euid=0 tty=:0 ruser= rhost=  user=leah at AD_DOMAIN
> >>Jun 12 13:27:57 ipa_hostname pam: gdm-password:
> >>pam_sss(gdm-password:auth): authentication success; logname= uid=0
> >>euid=0 tty=:0 ruser= rhost= user=leah at AD_DOMAIN
> >>Jun 12 13:27:57 ipa_hostname pam: gdm-password:
> >>pam_unix(gdm-password:session): session opened for user
> >>leah at AD_DOMAIN by (uid=0)
> >>Jun 12 13:27:57 ipa_hostname polkitd(authority=local): Unregistered
> >>Authentication Agent for session
> >>/org/freedesktop/ConsoleKit/Session25 (system bus name :1.265,
> >>object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
> >>de_DE.UTF-8) (disconnected from bus)
> >>Jun 12 13:27:58 ipa_hostname pam: gdm-password:
> >>pam_unix(gdm-password:session): session closed for user
> >>leah at AD_DOMAIN
> >>Jun 12 13:27:59 ipa_hostname polkitd(authority=local): Registered
> >>Authentication Agent for session
> >>/org/freedesktop/ConsoleKit/Session27 (system bus name :1.275
> >>[/usr/libexec/polkit-gnome-authentication-agent-1], object path
> >>/org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
> >>
> >>
> >>Jun 12 13:32:56 ipa_hostname pam: gdm-password:
> >>pam_unix(gdm-password:auth): authentication failure; logname= uid=0
> >>euid=0 tty=:0 ruser= rhost=  user=AD_NETBIOS\leah
> >>Jun 12 13:32:58 ipa_hostname pam: gdm-password:
> >>pam_sss(gdm-password:auth): authentication success; logname= uid=0
> >>euid=0 tty=:0 ruser= rhost= user=AD_NETBIOS\leah
> >>Jun 12 13:32:58 ipa_hostname pam: gdm-password:
> >>pam_unix(gdm-password:session): session opened for user
> >>AD_NETBIOS\leah by (uid=0)
> >>Jun 12 13:32:58 ipa_hostname polkitd(authority=local): Unregistered
> >>Authentication Agent for session
> >>/org/freedesktop/ConsoleKit/Session27 (system bus name :1.275,
> >>object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
> >>de_DE.UTF-8) (disconnected from bus)
> >>Jun 12 13:32:58 ipa_hostname pam: gdm-password:
> >>pam_unix(gdm-password:session): session closed for user
> >>AD_NETBIOS\leah
> >>Jun 12 13:32:59 ipa_hostname polkitd(authority=local): Registered
> >>Authentication Agent for session
> >>/org/freedesktop/ConsoleKit/Session29 (system bus name :1.285
> >>[/usr/libexec/polkit-gnome-authentication-agent-1], object path
> >>/org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
> >>
> >>Maybe the Unregistered Authentication Agent is the problem. But
> >>what have I missed?
> >Do you have SELinux enabled? Can you check if there are any audit messages
> >with SELinux denials? Can you check if the SELinux context of the users'
> >home directory is right?
> SELinux is disabled by setting SELINUX=disabled in /etc/sysconfig/selinux.
> I did that already, for eliminating this as the source of difficulties.
> I'm sorry. Maybe I should have mentioned this earlier.
> 
> If I set it to permissive mode I get
> 
> drwxr-xr-x. leah at ad_domain    leah at ad_domain
> unconfined_u:object_r:user_home_t:s0 leah
> drwxr-xr-x. user_xy at ad_domain user_xy at ad_domain
> unconfined_u:object_r:user_home_t:s0 user_xy
> ...
> 
> All home directories of AD-Users look like this.

The labels look good. Since this issue seems to happen during the
open-session PAM step I'm quite confident that it is not related to
FreeIPA or SSSD, because they do not handle open-session. Do the log
files in /var/log/gdm contain any other information? Can you send your
gdm-password PAM configuration file and all included ones (password-auth)
to see if there is anything odd?

bye,
Sumit
> 
> Thanks
> 
> Leah
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
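The pattern Sumit is reading out of the /var/log/secure excerpt (pam_unix auth failure followed by pam_sss auth success, then a session that is opened and closed within a second) can be checked mechanically. The script below is an added example, not part of the thread; it assumes the standard RHEL 6 syslog line layout shown above, takes the year as a parameter because syslog omits it, and uses a constructed log sample with the list archive's " at " rendered back as "@".

```python
import re
from datetime import datetime

# Constructed sample from the /var/log/secure excerpt in the thread (the list archive
# renders '@' as ' at '); a long-lived local-user session is added for contrast.
SAMPLE_LOG = """\
Jun 12 13:27:56 ipa_hostname pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=leah@AD_DOMAIN
Jun 12 13:27:57 ipa_hostname pam: gdm-password: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=leah@AD_DOMAIN
Jun 12 13:27:57 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session opened for user leah@AD_DOMAIN by (uid=0)
Jun 12 13:27:58 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session closed for user leah@AD_DOMAIN
Jun 12 13:40:00 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session opened for user localadmin by (uid=0)
Jun 12 14:12:30 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session closed for user localadmin
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pam: (?P<svc>[\w-]+): "
                     r"(?P<mod>pam_\w+)\((?P=svc):(?P<stage>\w+)\): (?P<msg>.*)$")
AUTH_RE = re.compile(r"authentication (?P<result>success|failure);.* user=(?P<user>\S+)")
SESS_RE = re.compile(r"session (?P<what>opened|closed) for user (?P<user>\S+)")


def find_short_sessions(log_text, max_seconds=5, year=2013):
    """Pair 'session opened'/'session closed' per user and return those that lived
    at most max_seconds as (user, {pam_module: auth_result}, seconds)."""
    auth, open_at, short = {}, {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["stage"] == "auth" and (a := AUTH_RE.match(m["msg"])):
            auth.setdefault(a["user"], {})[m["mod"]] = a["result"]
        elif m["stage"] == "session" and (s := SESS_RE.match(m["msg"])):
            if s["what"] == "opened":
                open_at[s["user"]] = ts
            elif s["user"] in open_at:
                secs = (ts - open_at.pop(s["user"])).total_seconds()
                if secs <= max_seconds:
                    short.append((s["user"], auth.get(s["user"], {}), secs))
    return short


def diagnose(user, auth_results, seconds):
    """State, in the thread's terms, which PAM stage a short-lived session points at."""
    if auth_results.get("pam_sss") == "success":
        # pam_unix failing first is normal for AD users: they have no /etc/shadow entry.
        return (f"{user}: auth succeeded via pam_sss but the session closed after "
                f"{seconds:.0f}s; look at the session stage and /var/log/gdm, not SSSD")
    return f"{user}: session closed after {seconds:.0f}s without a pam_sss auth success"
```

Run it over a real /var/log/secure with `find_short_sessions(open("/var/log/secure").read(), year=...)`; the local user's half-hour session is not reported, while the AD user's one-second session is, with the pam_unix/pam_sss auth pair attached.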