[Freeipa-users] I integrated IPA server with AD but AD users cannot log in on the Linux server?
Dmitri Pal
dpal at redhat.com
Wed Aug 20 12:57:40 UTC 2014
On 08/20/2014 01:45 PM, alireza baghery wrote:
> hi
> Having a particularly weird problem. We have moved from AD (Windows
> 2008 R2)
> to IPA server (CentOS 6.5), and I integrated IPA with AD.
> The Linux machine is joined to IPA and the Windows machine is joined to AD.
> AD users can log in in CLI mode on the Linux system (CentOS 6.5)
> but cannot log in in GUI mode.
Do I get it right:
User from AD walks to a desktop console of the Linux system joined into
IPA that is in trust relations with AD and the GDE produces the
following log?
> error message in file /var/log/security
> ----------------------------------------------------------------------------------
> pam: gdm-password[2685]: pam_unix(gdm-password:auth):
> authentication failure: logname= uid=0 euid=0 tty=:0 ruser= rhost=
> rhost= user=sallea at AD
> pam: gdm-password[2685]: pam_sss(gdm-password:auth):
> user info message: your password will expire in 40 day
> pam: gdm-password[2685]: pam_sss(gdm-password:auth):
> authenticate success: logname= uid=0 euid=0 tty=:0 ruser= rhost=
> rhost= user=sallea at AD
> pam: gdm-password[2685]:pam_unix (gdm-password:session):
> session opened for user sallea at AD by (uid=0)
> polkitd(authority=local): Unregistered Authentication
> Agent for session /org/freedesktop/ConsoleKit/Session4 (system bus
> name :1.116 , object path /org/gnome/PolcyKit1/AuthenticationAgent,
>
> - Ignored:
> local en_US) (disconnected from bus)
>
> pam: gdm-password[2685]: pam_unix (gdm-password:session):
> session closed for user sallea at AD
> ------------------------------------------------------
>
> and the contents of the file /etc/pam.d/password-auth
> -----------------------------------
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
>
> session require pam_sss.so
> --------------------------------------
> how to solve this problem?
> thanks
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
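
The quoted log shows a pam_unix authentication failure followed by a pam_sss success for the same gdm-password login. The sketch below is an added example, not code from this thread or from PAM/FreeIPA; it models only the simple control flags of the quoted auth stack to show how both lines can come from one successful authentication. The per-module outcomes are constructed inputs.

```python
# Added example: a minimal model of PAM's simple control flags, applied to the
# auth stack quoted in the post. Module outcomes are constructed inputs; no
# real PAM modules are called.
AUTH_STACK = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite", "pam_succeed_if.so"),   # uid >= 500
    ("sufficient", "pam_sss.so"),
    ("required", "pam_deny.so"),
]


def evaluate(stack, outcomes):
    """Return (granted, deciding_module).

    outcomes maps module name -> True if that module succeeded, else False.
    """
    first_failed_required = None
    for control, module in stack:
        ok = outcomes[module]
        if control == "required":
            if not ok and first_failed_required is None:
                first_failed_required = module   # recorded; stack keeps running
        elif control == "requisite":
            if not ok:
                return False, module             # fail and stop immediately
        elif control == "sufficient":
            if ok and first_failed_required is None:
                return True, module              # success ends the stack here
            # a failing "sufficient" module is ignored and the stack continues
        else:
            raise ValueError(f"unsupported control flag: {control}")
    if first_failed_required is not None:
        return False, first_failed_required
    return True, stack[-1][1]


# Constructed outcomes for an AD user with a correct password: pam_unix has no
# local account to check, pam_sss authenticates through SSSD.
AD_USER_OK = {"pam_env.so": True, "pam_unix.so": False,
              "pam_succeed_if.so": True, "pam_sss.so": True, "pam_deny.so": False}

if __name__ == "__main__":
    print(evaluate(AUTH_STACK, AD_USER_OK))   # (True, 'pam_sss.so')
```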