[Freeipa-users] Trusted AD Users login via gdm

Leah Zimmermann leah_zimmermann at web.de
Tue Jun 18 06:00:02 UTC 2013


On 06/14/2013 09:08 AM, Sumit Bose wrote:
> On Thu, Jun 13, 2013 at 01:49:30PM +0200, Leah Zimmermann wrote:
>> Hello Sumit,
>> Hello List Members,
>>
>> On 13.06.2013 09:18, Sumit Bose wrote:
>>> On Wed, Jun 12, 2013 at 02:04:33PM +0200, Leah Zimmermann wrote:
>>>> On 12.06.2013 12:03, Sumit Bose wrote:
>>>>> On Wed, Jun 12, 2013 at 11:42:23AM +0200, Leah Zimmermann wrote:
>>>>>> Dear List Members,
>>>>>>
>>>>>> I have a FreeIPA-Domain on a CentOS 6.4 machine. It is in a trusted
>>>>>> relationship to an AD-Domain.
>>>>>> The users of the AD-Domain can login via ssh- or console-login. Then
>>>>>> they can start the gnome desktop manually. But if they login via gdm
>>>>>> they are logged out immediately.
>>>>> Which name style are you using 'AD_NETBIOS\username' or
>>>>> 'username at AD_DOMAIN' ? If you only tried one can you try the other?
>>>> until now I tried only 'username at AD_DOMAIN', but
>>>> 'AD_NETBIOS\username' does not work as well.
>>>>> If this does not help, please send the relevant section of
>>>>> /var/log/secure and the sssd logs with a high debug level.
>>>>>
>>>>>
>>>> As far as I can see, both styles cause the same results.
>>>>
>>>> Jun 12 13:27:56 ipa_hostname pam: gdm-password:
>>>> pam_unix(gdm-password:auth): authentication failure; logname= uid=0
>>>> euid=0 tty=:0 ruser= rhost=  user=leah at AD_DOMAIN
>>>> Jun 12 13:27:57 ipa_hostname pam: gdm-password:
>>>> pam_sss(gdm-password:auth): authentication success; logname= uid=0
>>>> euid=0 tty=:0 ruser= rhost= user=leah at AD_DOMAIN
>>>> Jun 12 13:27:57 ipa_hostname pam: gdm-password:
>>>> pam_unix(gdm-password:session): session opened for user
>>>> leah at AD_DOMAIN by (uid=0)
>>>> Jun 12 13:27:57 ipa_hostname polkitd(authority=local): Unregistered
>>>> Authentication Agent for session
>>>> /org/freedesktop/ConsoleKit/Session25 (system bus name :1.265,
>>>> object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
>>>> de_DE.UTF-8) (disconnected from bus)
>>>> Jun 12 13:27:58 ipa_hostname pam: gdm-password:
>>>> pam_unix(gdm-password:session): session closed for user
>>>> leah at AD_DOMAIN
>>>> Jun 12 13:27:59 ipa_hostname polkitd(authority=local): Registered
>>>> Authentication Agent for session
>>>> /org/freedesktop/ConsoleKit/Session27 (system bus name :1.275
>>>> [/usr/libexec/polkit-gnome-authentication-agent-1], object path
>>>> /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
>>>>
>>>>
>>>> Jun 12 13:32:56 ipa_hostname pam: gdm-password:
>>>> pam_unix(gdm-password:auth): authentication failure; logname= uid=0
>>>> euid=0 tty=:0 ruser= rhost=  user=AD_NETBIOS\leah
>>>> Jun 12 13:32:58 ipa_hostname pam: gdm-password:
>>>> pam_sss(gdm-password:auth): authentication success; logname= uid=0
>>>> euid=0 tty=:0 ruser= rhost= user=AD_NETBIOS\leah
>>>> Jun 12 13:32:58 ipa_hostname pam: gdm-password:
>>>> pam_unix(gdm-password:session): session opened for user
>>>> AD_NETBIOS\leah by (uid=0)
>>>> Jun 12 13:32:58 ipa_hostname polkitd(authority=local): Unregistered
>>>> Authentication Agent for session
>>>> /org/freedesktop/ConsoleKit/Session27 (system bus name :1.275,
>>>> object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
>>>> de_DE.UTF-8) (disconnected from bus)
>>>> Jun 12 13:32:58 ipa_hostname pam: gdm-password:
>>>> pam_unix(gdm-password:session): session closed for user
>>>> AD_NETBIOS\leah
>>>> Jun 12 13:32:59 ipa_hostname polkitd(authority=local): Registered
>>>> Authentication Agent for session
>>>> /org/freedesktop/ConsoleKit/Session29 (system bus name :1.285
>>>> [/usr/libexec/polkit-gnome-authentication-agent-1], object path
>>>> /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
>>>>
>>>> May be the Unregistered Authentication Agent is the problem. But
>>>> what I have missed to do?
>>> Do you have SELinux enabled? Can you check if there are any audit messages
>>> with SELinux denials? Can you check if the SELinux context of the user's
>>> home directory is right?
>> SELinux is disabled by setting SELINUX=disabled in /etc/sysconfig/selinux.
>> I did that already, for eliminating this as the source of difficulties.
>> I'm sorry. Maybe I should have mentioned this earlier.
>>
>> If I set it to permissive mode I get
>>
>> drwxr-xr-x. leah at ad_domain    leah at ad_domain
>> unconfined_u:object_r:user_home_t:s0 leah
>> drwxr-xr-x. user_xy at ad_domain user_xy at ad_domain
>> unconfined_u:object_r:user_home_t:s0 user_xy
>> ...
>>
>> All home directories of AD users look like this.
> The labels look good. Since this issue seems to happen during the
> open-session PAM step I'm quite confident that it is not related to
> FreeIPA or SSSD, because they do not handle open-session. Do the log
> files in /var/log/gdm contain any other information? Can you send your
> gdm-password PAM configuration file and all included ones (password-auth)
> to see if there is anything odd?

OK, here are the files. Hopefully I haven't missed something. I cut out
only the lines that appear as soon as I logged in. The complete
logs are really huge.

###########
/etc/pam.d/gdm-password

auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        substack      password-auth
auth        optional      pam_gnome_keyring.so

account     required      pam_nologin.so
account     include       password-auth

password    substack      password-auth
password    optional      pam_gnome_keyring.so

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     optional      pam_console.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     optional      pam_gnome_keyring.so auto_start
session     include       password-auth


###########
/etc/pam.d/password-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


###########
/var/log/Xorg.0.log:

[316000.576] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 1 connected from local host ( uid=0 gid=0 pid=20544 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.587] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 connected from local host ( uid=0 gid=0 pid=20550 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.592] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 disconnected
[316000.603] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 connected from local host ( uid=0 gid=0 pid=20552 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.630] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 disconnected
[316000.633] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 connected from local host ( uid=0 gid=0 pid=20555 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.633] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 disconnected
[316000.694] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 connected from local host ( uid=42 gid=42 pid=20561 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.709] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 3 connected from local host ( uid=42 gid=42 pid=20564 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.723] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 4 connected from local host ( uid=42 gid=42 pid=20566 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.868] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 6 connected from local host ( uid=42 gid=42 pid=20574 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.870] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 5 connected from local host ( uid=42 gid=42 pid=20571 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.963] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 7 connected from local host ( uid=42 gid=42 pid=20582 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.964] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 7 disconnected
[316001.035] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 7 connected from local host ( uid=42 gid=42 pid=20566 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.042] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 8 connected from local host ( uid=42 gid=42 pid=20574 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.048] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 9 connected from local host ( uid=42 gid=42 pid=20586 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.069] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 10 connected from local host ( uid=42 gid=42 pid=20586 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.113] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 11 connected from local host ( uid=42 gid=42 pid=20574 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.117] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 11 disconnected
[316001.184] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 12 connected from local host ( uid=42 gid=42 pid=20587 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.219] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 13 connected from local host ( uid=42 gid=42 pid=20588 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.226] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 14 connected from local host ( uid=42 gid=42 pid=20590 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.230] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 15 connected from local host ( uid=42 gid=42 pid=20591 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.240] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 16 connected from local host ( uid=42 gid=42 pid=20589 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.257] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 17 connected from local host ( uid=42 gid=42 pid=20587 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.285] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 18 connected from local host ( uid=42 gid=42 pid=20588 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.291] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 19 connected from local host ( uid=42 gid=42 pid=20591 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.296] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 20 connected from local host ( uid=42 gid=42 pid=20590 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.304] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 21 connected from local host ( uid=42 gid=42 pid=20589 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.359] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 22 connected from local host ( uid=42 gid=42 pid=20591 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.360] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 22 disconnected
[316001.378] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 19 disconnected
[316001.382] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 15 disconnected
[316001.423] AUDIT: Tue Jun 18 07:33:18 2013: 20546: client 17 disconnected
[316001.424] AUDIT: Tue Jun 18 07:33:18 2013: 20546: client 12 disconnected
[316001.432] AUDIT: Tue Jun 18 07:33:18 2013: 20546: client 12 connected from local host ( uid=42 gid=42 pid=20595 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.481] AUDIT: Tue Jun 18 07:33:18 2013: 20546: client 15 connected from local host ( uid=42 gid=42 pid=20595 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316031.299] AUDIT: Tue Jun 18 07:33:47 2013: 20546: client 15 disconnected
[316031.299] AUDIT: Tue Jun 18 07:33:47 2013: 20546: client 12 disconnected

###########
/var/log/gdm/\:0.log

AUDIT: Tue Jun 18 07:32:55 2013: 17438: client 11 connected from local host ( uid=0 gid=0 pid=17436 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 17 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 21 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 18 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 15 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 5 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 20 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 8 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 16 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 7 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 10 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 4 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 9 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 6 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 4 connected from local host ( uid=0 gid=0 pid=20521 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 4 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 connected from local host ( uid=907001104 gid=907001104 pid=20525 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 connected from local host ( uid=907001104 gid=907001104 pid=20526 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 connected from local host ( uid=907001104 gid=907001104 pid=20528 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 5 connected from local host ( uid=907001104 gid=907001104 pid=20531 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 6 connected from local host ( uid=907001104 gid=907001104 pid=20536 )
   Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 6 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 1 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 2 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 3 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 5 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 11 disconnected
(II) evdev: ImExPS/2 Generic Explorer Mouse: Close
(II) evdev: Macintosh mouse button emulation: Close
(II) evdev: Power Button: Close
(II) evdev: AT Translated Set 2 keyboard: Close
Server terminated successfully (0). Closing log file.


###########
/var/log/gdm/\:0-greeter.log:

Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x1c0002b (Login Wind)
Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.
Window manager warning: CurrentTime used to choose focus window; focus window may not be correct.
Window manager warning: Got a request to focus the no_focus_window with a timestamp of 0.  This shouldn't happen!


###########
/var/log/gdm/\:0-slave.log is empty

Thanks

Leah
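Sumit's point in the quoted reply is that the failure lands in the PAM open-session step, which pam_sss does not gate. The following is an added example written for this page, not code from the thread or from FreeIPA, SSSD or GDM: it flattens a PAM service stack (resolving include and substack, per phase) and lists the modules whose failure alone is enough to fail each phase. It embeds constructed copies of the two files posted above in place of reading /etc/pam.d, and it does not simulate jump actions such as success=1; its only question is "which module can close this session on its own?".

```python
"""Flatten a PAM service stack and list which modules can fail each phase.
Added example for this thread; uses constructed copies of the posted files."""
import re

# Constructed copies of the gdm-password and password-auth files posted
# above (mail line-wrapping removed). In practice read /etc/pam.d/<service>.
PAM_FILES = {
    "gdm-password": """
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        substack      password-auth
auth        optional      pam_gnome_keyring.so
account     required      pam_nologin.so
account     include       password-auth
password    substack      password-auth
password    optional      pam_gnome_keyring.so
session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     optional      pam_console.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     optional      pam_gnome_keyring.so auto_start
session     include       password-auth
""",
    "password-auth": """
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
""",
}

# Action taken on a generic module failure for the keyword controls, as
# documented in pam.conf(5): required -> bad, requisite -> die, rest ignore.
KEYWORD_DEFAULT = {"required": "bad", "requisite": "die",
                   "sufficient": "ignore", "optional": "ignore"}

# phase, control (keyword or [...] form), module, optional args; leading '-'
# marks a module whose absence is tolerated and is irrelevant here.
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_file(text):
    """Yield (phase, control, module, args) for each rule in one pam.d file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM rule: {raw!r}")
        phase, control, module, args = m.groups()
        yield phase, control, module, args.split()


def resolve_stack(service, files, depth=0):
    """Flatten include/substack into (phase, control, module, args, source)."""
    if depth > 8:
        raise RecursionError(f"include loop while resolving {service}")
    flat = []
    for phase, control, module, args in parse_pam_file(files[service]):
        if control in ("include", "substack"):
            # the "module" field names another service file; only that
            # file's rules for the same phase are pulled in
            flat.extend(r for r in resolve_stack(module, files, depth + 1)
                        if r[0] == phase)
        else:
            flat.append((phase, control, module, args, service))
    return flat


def failure_action(control):
    """Action PAM takes when the module returns a generic failure."""
    if control.startswith("["):
        actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        return actions.get("default", "ignore")
    return KEYWORD_DEFAULT[control]


def fatal_modules(stack, phase):
    """Modules whose own failure fails the phase (action bad or die)."""
    return [(module, " ".join(args), source)
            for p, control, module, args, source in stack
            if p == phase and failure_action(control) in ("bad", "die")]


if __name__ == "__main__":
    stack = resolve_stack("gdm-password", PAM_FILES)
    for phase in ("auth", "account", "password", "session"):
        print(f"{phase}: modules whose failure fails the step")
        for module, args, source in fatal_modules(stack, phase):
            print(f"  {module} {args}  (from {source})")
```

For the session phase the output names pam_selinux (close and open), pam_loginuid, pam_namespace, pam_limits and pam_unix, while pam_sss is optional there and cannot close the session by itself. That matches the reasoning in the quoted reply, and it points at where to look next: the log output of those required session modules, rather than at SSSD or FreeIPA.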
