[Freeipa-users] Trusted AD Users login via gdm

Sumit Bose sbose at redhat.com
Fri Jun 21 07:12:13 UTC 2013


On Thu, Jun 20, 2013 at 04:04:06PM +0200, Leah Zimmermann wrote:
> On 06/19/2013 03:01 PM, Sumit Bose wrote:
> >On Tue, Jun 18, 2013 at 08:00:02AM +0200, Leah Zimmermann wrote:
> >>On 06/14/2013 09:08 AM, Sumit Bose wrote:
> >>>On Thu, Jun 13, 2013 at 01:49:30PM +0200, Leah Zimmermann wrote:
> >>>>Hello Sumit,
> >>>>Hello List Members,
> >>>>
> >>>>On 13.06.2013 09:18, Sumit Bose wrote:
> >>>>>On Wed, Jun 12, 2013 at 02:04:33PM +0200, Leah Zimmermann wrote:
> >>>>>>On 12.06.2013 12:03, Sumit Bose wrote:
> >>>>>>>On Wed, Jun 12, 2013 at 11:42:23AM +0200, Leah Zimmermann wrote:
> >>>>>>>>Dear List Members,
> >>>>>>>>
> >>>>>>>>I have a FreeIPA-Domain on a CentOS 6.4 machine. It is in a trusted
> >>>>>>>>relationship to an AD-Domain.
> >>>>>>>>The users of the AD-Domain can log in via ssh or console login. Then
> >>>>>>>>they can start the gnome desktop manually. But if they log in via gdm
> >>>>>>>>they are logged out immediately.
> >>>>>>>Which name style are you using 'AD_NETBIOS\username' or
> >>>>>>>'username at AD_DOMAIN' ? If you only tried one can you try the other?
> >>>>>>until now I tried only 'username at AD_DOMAIN', but
> >>>>>>'AD_NETBIOS\username' does not work either.
> >>>>>>>If this does not help, please send the relevant section of
> >>>>>>>/var/log/secure and the sssd logs with a high debug level.
> >>>>>>>
> >>>>>>>
> >>>>>>As far as I can see, both styles cause the same results.
> >>>>>>
> >>>>>>Jun 12 13:27:56 ipa_hostname pam: gdm-password:
> >>>>>>pam_unix(gdm-password:auth): authentication failure; logname= uid=0
> >>>>>>euid=0 tty=:0 ruser= rhost=  user=leah at AD_DOMAIN
> >>>>>>Jun 12 13:27:57 ipa_hostname pam: gdm-password:
> >>>>>>pam_sss(gdm-password:auth): authentication success; logname= uid=0
> >>>>>>euid=0 tty=:0 ruser= rhost= user=leah at AD_DOMAIN
> >>>>>>Jun 12 13:27:57 ipa_hostname pam: gdm-password:
> >>>>>>pam_unix(gdm-password:session): session opened for user
> >>>>>>leah at AD_DOMAIN by (uid=0)
> >>>>>>Jun 12 13:27:57 ipa_hostname polkitd(authority=local): Unregistered
> >>>>>>Authentication Agent for session
> >>>>>>/org/freedesktop/ConsoleKit/Session25 (system bus name :1.265,
> >>>>>>object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
> >>>>>>de_DE.UTF-8) (disconnected from bus)
> >>>>>>Jun 12 13:27:58 ipa_hostname pam: gdm-password:
> >>>>>>pam_unix(gdm-password:session): session closed for user
> >>>>>>leah at AD_DOMAIN
> >>>>>>Jun 12 13:27:59 ipa_hostname polkitd(authority=local): Registered
> >>>>>>Authentication Agent for session
> >>>>>>/org/freedesktop/ConsoleKit/Session27 (system bus name :1.275
> >>>>>>[/usr/libexec/polkit-gnome-authentication-agent-1], object path
> >>>>>>/org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
> >>>>>>
> >>>>>>
> >>>>>>Jun 12 13:32:56 ipa_hostname pam: gdm-password:
> >>>>>>pam_unix(gdm-password:auth): authentication failure; logname= uid=0
> >>>>>>euid=0 tty=:0 ruser= rhost=  user=AD_NETBIOS\leah
> >>>>>>Jun 12 13:32:58 ipa_hostname pam: gdm-password:
> >>>>>>pam_sss(gdm-password:auth): authentication success; logname= uid=0
> >>>>>>euid=0 tty=:0 ruser= rhost= user=AD_NETBIOS\leah
> >>>>>>Jun 12 13:32:58 ipa_hostname pam: gdm-password:
> >>>>>>pam_unix(gdm-password:session): session opened for user
> >>>>>>AD_NETBIOS\leah by (uid=0)
> >>>>>>Jun 12 13:32:58 ipa_hostname polkitd(authority=local): Unregistered
> >>>>>>Authentication Agent for session
> >>>>>>/org/freedesktop/ConsoleKit/Session27 (system bus name :1.275,
> >>>>>>object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
> >>>>>>de_DE.UTF-8) (disconnected from bus)
> >>>>>>Jun 12 13:32:58 ipa_hostname pam: gdm-password:
> >>>>>>pam_unix(gdm-password:session): session closed for user
> >>>>>>AD_NETBIOS\leah
> >>>>>>Jun 12 13:32:59 ipa_hostname polkitd(authority=local): Registered
> >>>>>>Authentication Agent for session
> >>>>>>/org/freedesktop/ConsoleKit/Session29 (system bus name :1.285
> >>>>>>[/usr/libexec/polkit-gnome-authentication-agent-1], object path
> >>>>>>/org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
> >>>>>>
> >>>>>>Maybe the Unregistered Authentication Agent is the problem. But
> >>>>>>what have I missed?
> >>>>>Do you have SELinux enabled? Can you check if there are any audit messages
> >>>>>with SELinux denials? Can you check if the SELinux context of the users'
> >>>>>home directories is right?
> >>>>SELinux is disabled by setting SELINUX=disabled in /etc/sysconfig/selinux.
> >>>>I did that already, to eliminate this as the source of difficulties.
> >>>>I'm sorry, maybe I should have mentioned this earlier.
> >>>>
> >>>>If I set it to permissive mode I get
> >>>>
> >>>>drwxr-xr-x. leah at ad_domain    leah at ad_domain
> >>>>unconfined_u:object_r:user_home_t:s0 leah
> >>>>drwxr-xr-x. user_xy at ad_domain user_xy at ad_domain
> >>>>unconfined_u:object_r:user_home_t:s0 user_xy
> >>>>...
> >>>>
> >>>>All home directories of AD users look like this.
> >>>The labels look good. Since this issue seems to happen during the
> >>>open-session PAM step I'm quite confident that it is not related to
> >>>FreeIPA or SSSD, because they do not handle open-session. Do the log
> >>>files in /var/log/gdm contain any other information? Can you send your
> >>>gdm-password PAM configuration file and all included ones (password-auth)
> >>>to see if there is anything odd?
> >>OK, here are the files. Hopefully I haven't missed something. I cut
> >>out only the lines which appear as soon as I log in. The
> >>complete logs are really huge.
> >>
> >The PAM config looks OK and I didn't find anything obvious in the
> >logs, maybe except the odd-looking messages in :0-greeter.log. But I
> >think they are not critical.
> >
> >Have you checked whether a gdm login with an IPA user works on this
> >client?
> Yes. IPA users do not face any problems logging in via gdm.
> Login on a text console and via ssh works for all users.
> After logging in on a text console, even AD users can start the X server
> manually.
> But that's not really an option for us, because many users work on a
> terminal via XDMCP.

I've tried to reproduce it locally, but so far I haven't succeeded. Can you
send the version numbers of the gdm, sssd, and ipa packages you are
using? Additionally, it would be helpful if you could send the full sssd
logs (everything in /var/log/sssd/) with a debug level of 10 or 0xFFF0
while you try to log in with gdm.

bye,
Sumit
> 
> Thanks
> 
> Leah
> 
> 
> >bye,
> >Sumit
> >
> >>###########
> >>/var/log/gdm/\:0-greeter.log:
> >>
> >>Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW
> >>message with a timestamp of 0 for 0x1c0002b (Login Wind)
> >>Window manager warning: meta_window_activate called by a pager with
> >>a 0 timestamp; the pager needs to be fixed.
> >>Window manager warning: CurrentTime used to choose focus window;
> >>focus window may not be correct.
> >>Window manager warning: Got a request to focus the no_focus_window
> >>with a timestamp of 0.  This shouldn't happen!
> >>
> >>
> >>###########
> >>/var/log/gdm/\:0-slave.log is empty
> >>
> >>Thanks
> >>
> >>Leah
> >>
> >>_______________________________________________
> >>Freeipa-users mailing list
> >>Freeipa-users at redhat.com
> >>https://www.redhat.com/mailman/listinfo/freeipa-users
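The diagnosis in this thread rests on one pattern in /var/log/secure: pam_unix fails the auth step (the AD user has no local password), pam_sss reports "authentication success", and then the gdm-password session is opened and closed again within a second. The script below is an added example, not code from the thread or from FreeIPA/SSSD: it pairs the PAM auth and session events per user and flags sessions that live no longer than an assumed threshold of 5 seconds, which is the "logged out immediately" symptom. The log lines are constructed to mirror the quoted excerpt (the list archive prints '@' as ' at '; real syslog lines carry the '@'), and the three lines for an IPA user named ipauser are an assumption added so that a normal long-lived gdm session appears beside the failing ones.

```python
"""Pair PAM auth/session events from /var/log/secure per user and flag
sessions that are torn down right after they were opened."""
import re
from datetime import datetime

# Constructed sample, modelled on the /var/log/secure excerpt quoted in the
# thread (the list archive prints '@' as ' at '; real syslog lines carry '@').
# The last three lines for an IPA user 'ipauser' are an assumption added so
# that a normal long-lived gdm session appears beside the failing ones.
SAMPLE_LOG = """\
Jun 12 13:27:56 ipa_hostname pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=leah@AD_DOMAIN
Jun 12 13:27:57 ipa_hostname pam: gdm-password: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=leah@AD_DOMAIN
Jun 12 13:27:57 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session opened for user leah@AD_DOMAIN by (uid=0)
Jun 12 13:27:58 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session closed for user leah@AD_DOMAIN
Jun 12 13:32:56 ipa_hostname pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=AD_NETBIOS\\leah
Jun 12 13:32:58 ipa_hostname pam: gdm-password: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=AD_NETBIOS\\leah
Jun 12 13:32:58 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session opened for user AD_NETBIOS\\leah by (uid=0)
Jun 12 13:32:58 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session closed for user AD_NETBIOS\\leah
Jun 12 14:05:10 ipa_hostname pam: gdm-password: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=ipauser
Jun 12 14:05:10 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session opened for user ipauser by (uid=0)
Jun 12 16:41:02 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session closed for user ipauser
"""

# "<syslog ts> <host> pam: <service>: <module>(<service>:<type>): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pam: "
    r"(?P<service>[\w-]+): (?P<module>pam_\w+)\([\w-]+:(?P<type>\w+)\): (?P<msg>.*)$"
)
# 'ruser=' is excluded because \s+ requires whitespace right before 'user='
AUTH_RE = re.compile(r"^authentication (?P<result>success|failure);.*\s+user=(?P<user>\S+)\s*$")
SESSION_RE = re.compile(r"^session (?P<event>opened|closed) for user (?P<user>\S+)")


def analyze(log_text, service="gdm-password", short_seconds=5):
    """Return one finding per closed PAM session of `service`.

    Each finding records which auth modules reported what for the user, how
    long the session lived and whether that lifetime is at or below
    `short_seconds` (an assumed threshold for "logged out immediately")."""
    auth_results = {}  # user -> [(module, result), ...] since the last session
    open_at = {}       # user -> timestamp of the pending 'session opened'
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("service") != service:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for computing differences within one log file.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        module, kind, msg = m.group("module"), m.group("type"), m.group("msg")
        if kind == "auth":
            a = AUTH_RE.match(msg)
            if a:
                auth_results.setdefault(a.group("user"), []).append((module, a.group("result")))
        elif kind == "session":
            s = SESSION_RE.match(msg)
            if not s:
                continue
            user = s.group("user")
            if s.group("event") == "opened":
                open_at[user] = ts
            else:
                start = open_at.pop(user, None)
                if start is None:
                    continue  # close without a matching open in this excerpt
                lifetime = (ts - start).total_seconds()
                findings.append({
                    "user": user,
                    "auth": auth_results.pop(user, []),
                    "lifetime_s": lifetime,
                    "immediate_logout": lifetime <= short_seconds,
                })
    return findings


def auth_success_module(finding):
    """Name of the first PAM module that reported 'authentication success'."""
    for module, result in finding["auth"]:
        if result == "success":
            return module
    return None


def immediate_logouts(findings):
    return [f["user"] for f in findings if f["immediate_logout"]]


def diagnose(finding):
    """One-line reading of a finding, following the reasoning in the thread:
    a pam_sss success followed by a session that is closed within seconds
    points past SSSD/FreeIPA to the session step (PAM session modules, gdm)."""
    mod = auth_success_module(finding)
    if mod is None:
        return "%s: no successful auth recorded" % finding["user"]
    if finding["immediate_logout"]:
        return ("%s: auth succeeded via %s but the session closed after %.0fs; "
                "look at the session step, not at SSSD"
                % (finding["user"], mod, finding["lifetime_s"]))
    return "%s: auth via %s, session lived %.0fs" % (finding["user"], mod, finding["lifetime_s"])


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(diagnose(f))
```

Run against a real /var/log/secure the script needs only the file contents; the pam_unix failure before the pam_sss success is expected for trusted AD users and is not the problem, which is why `diagnose` keys on the session lifetime rather than on the failure line.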