[Freeipa-users] I integrated IPA server with AD but AD users cannot log in on Linux server?

alireza baghery baghery.jone at gmail.com
Wed Aug 20 11:45:14 UTC 2014


    Hi,
    Having a particularly weird problem. We have moved from AD (Windows 2008 R2)
    to IPA server (CentOS 6.5), and I integrated IPA with AD.
    The Linux machine is joined to IPA and the Windows machine is joined to AD.
    AD users can log in in CLI mode on the Linux system (CentOS 6.5)
    but cannot log in in GUI mode.
    Error message in file /var/log/security:
----------------------------------------------------------------------------------
    pam: gdm-password[2685]: pam_unix(gdm-password:auth):
    authentication failure: logname= uid=0 euid=0 tty=:0 ruser= rhost=
    rhost= user=sallea at AD
    pam: gdm-password[2685]: pam_sss(gdm-password:auth):
    user info message: your password will expire in 40 day
    pam: gdm-password[2685]:pam_sss(gdm-password:auth):
    authenticate success:  logname= uid=0 euid=0 tty=:0 ruser= rhost=
    rhost= user=sallea at AD
    pam: gdm-password[2685]:pam_unix (gdm-password:session):
    session opened for user sallea at AD by (uid=0)
    polkitd(authority=local): Unregistered Authentication
    Agent for session /org/freedesktop/ConsoleKit/Session4 (system bus
    name :1.116 , object path /org/gnome/PolcyKit1/AuthenticationAgent,

- Ignored:
    local en_US) (disconnected from bus)

    pam: gdm-password[2685]: pam_unix (gdm-password:session):
    session closed for user sallea at AD
    ------------------------------------------------------

    And the content of file /etc/pam.d/password-auth:
    -----------------------------------
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_sss.so use_first_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_sss.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so

    session     require       pam_sss.so
    --------------------------------------
    How can I solve this problem?
    Thanks