[Freeipa-users] i inetgrated ipa server with AD but users AD can not loggin on server linux?

Dmitri Pal dpal at redhat.com
Wed Aug 20 12:57:40 UTC 2014 

On 08/20/2014 01:45 PM, alireza baghery wrote:
> hi
>     Having a particularly weird problem. We have moved from AD(windows 
> 2008 R2)
>     to ipa server(centos 6.5). and i integrated ipa with AD
>     machine linux joined with ipa and machine windowse joined with AD.
>     users AD  can loggin in cli mode in system linux (centos 6.5)
>     but can not in GUI mod loggin


Do I get it right:

User from AD walks to a desktop console of the Linux system joined into 
IPA that is in trust relations with AD and the GDE produces the 
following log?

>     error message in file /var/log/security
> ----------------------------------------------------------------------------------
>     pam: gdm-password[2685]: pam_unix(gdm-password:auth):
>     authentication failure: logname= uid=0 euid=0 tty=:0 ruser= rhost=
>     rhost= user=sallea at AD
>     pam: gdm-password[2685]: pam_sss(gdm-password:auth):
>     user info message: your password will expire in 40 day
>     pam: gdm-password[2685]:pam_sss(
> gdm-password:auth):
>     authenticate success:  logname= uid=0 euid=0 tty=:0 ruser= rhost=
>     rhost= user=sallea at AD
>     pam: gdm-password[2685]:pam_unix (gdm-password:session):
>     session opened for user sallea at AD by (uid=0)
>     polkitd(authority=local): Unregistered Authentication
>     Agent for session /org/freedesktop/ConsoleKit/Session4 (system bus
>     name :1.116 , object path /org/gnome/PolcyKit1/AuthenticationAgent,
>
> - Ignored:
>     local en_US) (disconnected from bus)
>
>     pam: gdm-password[2685]: pam_unix (gdm-password:session):
>     session closed for user sallea at AD
>     ------------------------------------------------------
>
>     and context file /etc/pam.d/password-auth
>     -----------------------------------
>     auth        required      pam_env.so
>     auth        sufficient    pam_unix.so nullok try_first_pass
>     auth        requisite     pam_succeed_if.so uid >= 500 quiet
>     auth        sufficient    pam_sss.so use_first_pass
>     auth        required      pam_deny.so
>
>     account     required      pam_unix.so
>     account     sufficient    pam_localuser.so
>     account     sufficient    pam_succeed_if.so uid < 500 quiet
>     account     [default=bad success=ok user_unknown=ignore] pam_sss.so
>     account     required      pam_permit.so
>
>     password    requisite     pam_cracklib.so try_first_pass retry=3 type=
>     password    sufficient    pam_unix.so sha512 shadow nullok
>     try_first_pass use_authtok
>     password    sufficient    pam_sss.so use_authtok
>     password    required      pam_deny.so
>
>     session     optional      pam_keyinit.so revoke
>     session     required      pam_limits.so
>     session     [success=1 default=ignore] pam_succeed_if.so service in
>     crond quiet use_uid
>     session     required      pam_unix.so
>
>     session     require       pam_sss.so
>     --------------------------------------
>     how to solve this problem?
>     thanks
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140820/89ca422e/attachment.htm>

More information about the Freeipa-users mailing list