[Freeipa-users] Trusted AD Users login via gdm
Leah Zimmermann
leah_zimmermann at web.de
Tue Jun 18 06:00:02 UTC 2013
On 06/14/2013 09:08 AM, Sumit Bose wrote:
> On Thu, Jun 13, 2013 at 01:49:30PM +0200, Leah Zimmermann wrote:
>> Hello Sumit,
>> Hello List Members,
>>
>> Am 13.06.2013 09:18, schrieb Sumit Bose:
>>> On Wed, Jun 12, 2013 at 02:04:33PM +0200, Leah Zimmermann wrote:
>>>> Am 12.06.2013 12:03, schrieb Sumit Bose:
>>>>> On Wed, Jun 12, 2013 at 11:42:23AM +0200, Leah Zimmermann wrote:
>>>>>> Dear List Members,
>>>>>>
>>>>>> I have a FreeIPA-Domain on a CentOS 6.4 machine. It is in a trusted
>>>>>> relationship to an AD-Domain.
>>>>>> The users of the AD-Domain can log in via ssh or console login. Then
>>>>>> they can start the gnome desktop manually. But if they log in via gdm
>>>>>> they are logged out immediately.
>>>>> Which name style are you using 'AD_NETBIOS\username' or
>>>>> 'username at AD_DOMAIN' ? If you only tried one can you try the other?
>>>> Until now I tried only 'username at AD_DOMAIN', but
>>>> 'AD_NETBIOS\username' does not work either.
>>>>> If this does not help, please send the relevant section of
>>>>> /var/log/secure and the sssd logs with a high debug level.
>>>>>
>>>>>
>>>> As far as I can see, both styles cause the same results.
>>>>
>>>> Jun 12 13:27:56 ipa_hostname pam: gdm-password:
>>>> pam_unix(gdm-password:auth): authentication failure; logname= uid=0
>>>> euid=0 tty=:0 ruser= rhost= user=leah at AD_DOMAIN
>>>> Jun 12 13:27:57 ipa_hostname pam: gdm-password:
>>>> pam_sss(gdm-password:auth): authentication success; logname= uid=0
>>>> euid=0 tty=:0 ruser= rhost= user=leah at AD_DOMAIN
>>>> Jun 12 13:27:57 ipa_hostname pam: gdm-password:
>>>> pam_unix(gdm-password:session): session opened for user
>>>> leah at AD_DOMAIN by (uid=0)
>>>> Jun 12 13:27:57 ipa_hostname polkitd(authority=local): Unregistered
>>>> Authentication Agent for session
>>>> /org/freedesktop/ConsoleKit/Session25 (system bus name :1.265,
>>>> object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
>>>> de_DE.UTF-8) (disconnected from bus)
>>>> Jun 12 13:27:58 ipa_hostname pam: gdm-password:
>>>> pam_unix(gdm-password:session): session closed for user
>>>> leah at AD_DOMAIN
>>>> Jun 12 13:27:59 ipa_hostname polkitd(authority=local): Registered
>>>> Authentication Agent for session
>>>> /org/freedesktop/ConsoleKit/Session27 (system bus name :1.275
>>>> [/usr/libexec/polkit-gnome-authentication-agent-1], object path
>>>> /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
>>>>
>>>>
>>>> Jun 12 13:32:56 ipa_hostname pam: gdm-password:
>>>> pam_unix(gdm-password:auth): authentication failure; logname= uid=0
>>>> euid=0 tty=:0 ruser= rhost= user=AD_NETBIOS\leah
>>>> Jun 12 13:32:58 ipa_hostname pam: gdm-password:
>>>> pam_sss(gdm-password:auth): authentication success; logname= uid=0
>>>> euid=0 tty=:0 ruser= rhost= user=AD_NETBIOS\leah
>>>> Jun 12 13:32:58 ipa_hostname pam: gdm-password:
>>>> pam_unix(gdm-password:session): session opened for user
>>>> AD_NETBIOS\leah by (uid=0)
>>>> Jun 12 13:32:58 ipa_hostname polkitd(authority=local): Unregistered
>>>> Authentication Agent for session
>>>> /org/freedesktop/ConsoleKit/Session27 (system bus name :1.275,
>>>> object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
>>>> de_DE.UTF-8) (disconnected from bus)
>>>> Jun 12 13:32:58 ipa_hostname pam: gdm-password:
>>>> pam_unix(gdm-password:session): session closed for user
>>>> AD_NETBIOS\leah
>>>> Jun 12 13:32:59 ipa_hostname polkitd(authority=local): Registered
>>>> Authentication Agent for session
>>>> /org/freedesktop/ConsoleKit/Session29 (system bus name :1.285
>>>> [/usr/libexec/polkit-gnome-authentication-agent-1], object path
>>>> /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
>>>>
>>>> Maybe the Unregistered Authentication Agent is the problem. But
>>>> what have I missed doing?
>>> Do you have SELinux enabled? Can you check if there are any audit messages
>>> with SELinux denials? Can you check if the SELinux context of the user's
>>> home directory is right?
>> SELinux is disabled by setting SELINUX=disabled in /etc/sysconfig/selinux.
>> I did that already, to eliminate this as the source of difficulties.
>> I'm sorry, maybe I should have mentioned this earlier.
>>
>> If I set it to permissive mode I get
>>
>> drwxr-xr-x. leah at ad_domain leah at ad_domain
>> unconfined_u:object_r:user_home_t:s0 leah
>> drwxr-xr-x. user_xy at ad_domain user_xy at ad_domain
>> unconfined_u:object_r:user_home_t:s0 user_xy
>> ...
>>
>> All home directories of AD-Users look like this.
> The labels look good. Since this issue seems to happen during the
> open-session PAM step I'm quite confident that it is not related to
> FreeIPA or SSSD, because they do not handle open-session. Do the log
> files in /var/log/gdm contain any other information? Can you send your
> gdm-passwd PAM configuration file and all included ones (password-auth)
> to see if there is anything odd?
OK, here are the files. Hopefully I haven't missed something. I cut out
only the lines which appear as soon as I logged in. The complete
logs are really huge.
###########
/etc/pam.d/gdm-password
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include password-auth
password substack password-auth
password optional pam_gnome_keyring.so
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include password-auth
###########
/etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
###########
/var/log/Xorg.0.log:
[316000.576] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 1 connected
from local host ( uid=0 gid=0 pid=20544 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.587] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 connected
from local host ( uid=0 gid=0 pid=20550 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.592] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 disconnected
[316000.603] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 connected
from local host ( uid=0 gid=0 pid=20552 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.630] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 disconnected
[316000.633] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 connected
from local host ( uid=0 gid=0 pid=20555 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.633] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 disconnected
[316000.694] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 connected
from local host ( uid=42 gid=42 pid=20561 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.709] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 3 connected
from local host ( uid=42 gid=42 pid=20564 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.723] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 4 connected
from local host ( uid=42 gid=42 pid=20566 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.868] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 6 connected
from local host ( uid=42 gid=42 pid=20574 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.870] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 5 connected
from local host ( uid=42 gid=42 pid=20571 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.963] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 7 connected
from local host ( uid=42 gid=42 pid=20582 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.964] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 7 disconnected
[316001.035] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 7 connected
from local host ( uid=42 gid=42 pid=20566 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.042] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 8 connected
from local host ( uid=42 gid=42 pid=20574 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.048] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 9 connected
from local host ( uid=42 gid=42 pid=20586 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.069] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 10 connected
from local host ( uid=42 gid=42 pid=20586 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.113] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 11 connected
from local host ( uid=42 gid=42 pid=20574 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.117] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 11 disconnected
[316001.184] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 12 connected
from local host ( uid=42 gid=42 pid=20587 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.219] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 13 connected
from local host ( uid=42 gid=42 pid=20588 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.226] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 14 connected
from local host ( uid=42 gid=42 pid=20590 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.230] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 15 connected
from local host ( uid=42 gid=42 pid=20591 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.240] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 16 connected
from local host ( uid=42 gid=42 pid=20589 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.257] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 17 connected
from local host ( uid=42 gid=42 pid=20587 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.285] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 18 connected
from local host ( uid=42 gid=42 pid=20588 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.291] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 19 connected
from local host ( uid=42 gid=42 pid=20591 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.296] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 20 connected
from local host ( uid=42 gid=42 pid=20590 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.304] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 21 connected
from local host ( uid=42 gid=42 pid=20589 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.359] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 22 connected
from local host ( uid=42 gid=42 pid=20591 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.360] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 22 disconnected
[316001.378] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 19 disconnected
[316001.382] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 15 disconnected
[316001.423] AUDIT: Tue Jun 18 07:33:18 2013: 20546: client 17 disconnected
[316001.424] AUDIT: Tue Jun 18 07:33:18 2013: 20546: client 12 disconnected
[316001.432] AUDIT: Tue Jun 18 07:33:18 2013: 20546: client 12 connected
from local host ( uid=42 gid=42 pid=20595 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.481] AUDIT: Tue Jun 18 07:33:18 2013: 20546: client 15 connected
from local host ( uid=42 gid=42 pid=20595 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316031.299] AUDIT: Tue Jun 18 07:33:47 2013: 20546: client 15 disconnected
[316031.299] AUDIT: Tue Jun 18 07:33:47 2013: 20546: client 12 disconnected
###########
/var/log/gdm/\:0.log
AUDIT: Tue Jun 18 07:32:55 2013: 17438: client 11 connected from local
host ( uid=0 gid=0 pid=17436 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 17 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 21 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 18 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 15 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 5 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 20 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 8 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 16 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 7 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 10 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 4 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 9 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 6 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 4 connected from local
host ( uid=0 gid=0 pid=20521 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 4 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 connected from local
host ( uid=907001104 gid=907001104 pid=20525 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 connected from local
host ( uid=907001104 gid=907001104 pid=20526 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 connected from local
host ( uid=907001104 gid=907001104 pid=20528 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 5 connected from local
host ( uid=907001104 gid=907001104 pid=20531 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 6 connected from local
host ( uid=907001104 gid=907001104 pid=20536 )
Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 6 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 1 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 2 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 3 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 5 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 11 disconnected
(II) evdev: ImExPS/2 Generic Explorer Mouse: Close
(II) evdev: Macintosh mouse button emulation: Close
(II) evdev: Power Button: Close
(II) evdev: AT Translated Set 2 keyboard: Close
Server terminated successfully (0). Closing log file.
###########
/var/log/gdm/\:0-greeter.log:
Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
with a timestamp of 0 for 0x1c0002b (Login Wind)
Window manager warning: meta_window_activate called by a pager with a 0
timestamp; the pager needs to be fixed.
Window manager warning: CurrentTime used to choose focus window; focus
window may not be correct.
Window manager warning: Got a request to focus the no_focus_window with
a timestamp of 0. This shouldn't happen!
###########
/var/log/gdm/\:0-slave.log is empty
Thanks
Leah