[Freeipa-users] Trusted AD Users login via gdm

Sumit Bose sbose at redhat.com
Wed Jun 19 13:01:19 UTC 2013


On Tue, Jun 18, 2013 at 08:00:02AM +0200, Leah Zimmermann wrote:
> On 06/14/2013 09:08 AM, Sumit Bose wrote:
> >On Thu, Jun 13, 2013 at 01:49:30PM +0200, Leah Zimmermann wrote:
> >>Hello Sumit,
> >>Hello List Members,
> >>
> >>On 13.06.2013 09:18, Sumit Bose wrote:
> >>>On Wed, Jun 12, 2013 at 02:04:33PM +0200, Leah Zimmermann wrote:
> >>>>On 12.06.2013 12:03, Sumit Bose wrote:
> >>>>>On Wed, Jun 12, 2013 at 11:42:23AM +0200, Leah Zimmermann wrote:
> >>>>>>Dear List Members,
> >>>>>>
> >>>>>>I have a FreeIPA-Domain on a CentOS 6.4 machine. It is in a trusted
> >>>>>>relationship to an AD-Domain.
> >>>>>>The users of the AD-Domain can log in via ssh or console login. Then
> >>>>>>they can start the gnome desktop manually. But if they log in via gdm
> >>>>>>they are logged out immediately.
> >>>>>Which name style are you using 'AD_NETBIOS\username' or
> >>>>>'username at AD_DOMAIN' ? If you only tried one can you try the other?
> >>>>Until now I tried only 'username at AD_DOMAIN', but
> >>>>'AD_NETBIOS\username' does not work either.
> >>>>>If this does not help, please send the relevant section of
> >>>>>/var/log/secure and the sssd logs with a high debug level.
> >>>>>
> >>>>>
> >>>>As far as I can see, both styles cause the same results.
> >>>>
> >>>>Jun 12 13:27:56 ipa_hostname pam: gdm-password:
> >>>>pam_unix(gdm-password:auth): authentication failure; logname= uid=0
> >>>>euid=0 tty=:0 ruser= rhost=  user=leah at AD_DOMAIN
> >>>>Jun 12 13:27:57 ipa_hostname pam: gdm-password:
> >>>>pam_sss(gdm-password:auth): authentication success; logname= uid=0
> >>>>euid=0 tty=:0 ruser= rhost= user=leah at AD_DOMAIN
> >>>>Jun 12 13:27:57 ipa_hostname pam: gdm-password:
> >>>>pam_unix(gdm-password:session): session opened for user
> >>>>leah at AD_DOMAIN by (uid=0)
> >>>>Jun 12 13:27:57 ipa_hostname polkitd(authority=local): Unregistered
> >>>>Authentication Agent for session
> >>>>/org/freedesktop/ConsoleKit/Session25 (system bus name :1.265,
> >>>>object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
> >>>>de_DE.UTF-8) (disconnected from bus)
> >>>>Jun 12 13:27:58 ipa_hostname pam: gdm-password:
> >>>>pam_unix(gdm-password:session): session closed for user
> >>>>leah at AD_DOMAIN
> >>>>Jun 12 13:27:59 ipa_hostname polkitd(authority=local): Registered
> >>>>Authentication Agent for session
> >>>>/org/freedesktop/ConsoleKit/Session27 (system bus name :1.275
> >>>>[/usr/libexec/polkit-gnome-authentication-agent-1], object path
> >>>>/org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
> >>>>
> >>>>
> >>>>Jun 12 13:32:56 ipa_hostname pam: gdm-password:
> >>>>pam_unix(gdm-password:auth): authentication failure; logname= uid=0
> >>>>euid=0 tty=:0 ruser= rhost=  user=AD_NETBIOS\leah
> >>>>Jun 12 13:32:58 ipa_hostname pam: gdm-password:
> >>>>pam_sss(gdm-password:auth): authentication success; logname= uid=0
> >>>>euid=0 tty=:0 ruser= rhost= user=AD_NETBIOS\leah
> >>>>Jun 12 13:32:58 ipa_hostname pam: gdm-password:
> >>>>pam_unix(gdm-password:session): session opened for user
> >>>>AD_NETBIOS\leah by (uid=0)
> >>>>Jun 12 13:32:58 ipa_hostname polkitd(authority=local): Unregistered
> >>>>Authentication Agent for session
> >>>>/org/freedesktop/ConsoleKit/Session27 (system bus name :1.275,
> >>>>object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
> >>>>de_DE.UTF-8) (disconnected from bus)
> >>>>Jun 12 13:32:58 ipa_hostname pam: gdm-password:
> >>>>pam_unix(gdm-password:session): session closed for user
> >>>>AD_NETBIOS\leah
> >>>>Jun 12 13:32:59 ipa_hostname polkitd(authority=local): Registered
> >>>>Authentication Agent for session
> >>>>/org/freedesktop/ConsoleKit/Session29 (system bus name :1.285
> >>>>[/usr/libexec/polkit-gnome-authentication-agent-1], object path
> >>>>/org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
> >>>>
> >>>>Maybe the Unregistered Authentication Agent is the problem. But
> >>>>what have I missed?
> >>>Do you have SELinux enabled? Can you check if there are any audit messages
> >>>with SELinux denials? Can you check if the SELinux context of the users'
> >>>home directory is right?
> >>SELinux is disabled by setting SELINUX=disabled in /etc/sysconfig/selinux.
> >>I did that already, to eliminate this as the source of difficulties.
> >>I'm sorry. Maybe I should have mentioned this earlier.
> >>
> >>If I set it to permissive mode I get
> >>
> >>drwxr-xr-x. leah at ad_domain    leah at ad_domain
> >>unconfined_u:object_r:user_home_t:s0 leah
> >>drwxr-xr-x. user_xy at ad_domain user_xy at ad_domain
> >>unconfined_u:object_r:user_home_t:s0 user_xy
> >>...
> >>
> >>All home directories of AD-Users look like this.
> >The labels look good. Since this issue seems to happen during the
> >open-session PAM step I'm quite confident that it is not related to
> >FreeIPA or SSSD, because they do not handle open-session. Do the log
> >files in /var/log/gdm contain any other information? Can you send your
> >gdm-passwd PAM configuration file and all included ones (password-auth)
> >to see if there is anything odd?
> 
> Ok, here are the files. Hopefully I haven't missed something. I cut
> out only the lines which appear as soon as I logged in. The
> complete logs are really huge.
> 

The PAM config looks ok and I didn't find anything obvious in the
logs, except maybe the odd-looking messages in :0-greeter.log. But I
think they are not critical.

Have you tried whether a gdm login with an IPA user works on this
client?

bye,
Sumit

> 
> ###########
> /var/log/gdm/\:0-greeter.log:
> 
> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW
> message with a timestamp of 0 for 0x1c0002b (Login Wind)
> Window manager warning: meta_window_activate called by a pager with
> a 0 timestamp; the pager needs to be fixed.
> Window manager warning: CurrentTime used to choose focus window;
> focus window may not be correct.
> Window manager warning: Got a request to focus the no_focus_window
> with a timestamp of 0.  This shouldn't happen!
> 
> 
> ###########
> /var/log/gdm/\:0-slave.log is empty
> 
> Thanks
> 
> Leah
> 
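A defender-side check that follows from Sumit's diagnosis above (an added example, not code from the thread, FreeIPA or SSSD): it scans /var/log/secure-style entries and flags PAM sessions that are closed within seconds of being opened, which is exactly the gdm-password pattern in Leah's excerpt. The sample lines are constructed, modelled on that excerpt, with '@' restored where the list archive wrote ' at '.

```python
import re
from datetime import datetime

# Constructed sample modelled on the /var/log/secure excerpt in the thread.
# Real syslog entries are single lines; the archive had wrapped them.
SAMPLE_LOG = """\
Jun 12 13:27:56 ipa_hostname pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=leah@AD_DOMAIN
Jun 12 13:27:57 ipa_hostname pam: gdm-password: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=leah@AD_DOMAIN
Jun 12 13:27:57 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session opened for user leah@AD_DOMAIN by (uid=0)
Jun 12 13:27:58 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session closed for user leah@AD_DOMAIN
Jun 12 14:10:01 ipa_hostname sshd[2311]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Jun 12 15:30:00 ipa_hostname sshd[2311]: pam_unix(sshd:session): session closed for user admin
"""

# Matches only the pam_unix session open/close records; auth records are ignored.
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ .*?"
    r"pam_unix\((?P<service>[^:)]+):session\): session (?P<event>opened|closed) "
    r"for user (?P<user>\S+)"
)

def parse_ts(text):
    # syslog timestamps carry no year; only differences are used here
    return datetime.strptime(text, "%b %d %H:%M:%S")

def find_short_sessions(log_text, max_seconds=5):
    """Return (service, user, lifetime_seconds) for PAM sessions closed
    within max_seconds of being opened. An authentication that succeeds
    and then loses its session at once, as gdm-password does in the
    thread, shows up here; a normal interactive session does not."""
    open_sessions = {}
    flagged = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        key = (m["service"], m["user"])
        ts = parse_ts(m["ts"])
        if m["event"] == "opened":
            open_sessions[key] = ts
        elif key in open_sessions:
            lifetime = int((ts - open_sessions.pop(key)).total_seconds())
            if lifetime <= max_seconds:
                flagged.append((key[0], key[1], lifetime))
    return flagged

if __name__ == "__main__":
    for service, user, secs in find_short_sessions(SAMPLE_LOG):
        print(f"{service}: session for {user} lasted {secs}s")
```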