[Freeipa-users] I integrated IPA server with AD but AD users can not log in on the Linux server?

alireza baghery baghery.jone at gmail.com
Wed Aug 20 14:29:21 UTC 2014


Yes, right. IPA trust relation with AD and subdomain AD. Yes, GDM produces the log.


On Wed, Aug 20, 2014 at 5:27 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 08/20/2014 01:45 PM, alireza baghery wrote:
>
>  Hi,
>     Having a particularly weird problem. We have moved from AD (Windows
>     2008 R2) to IPA server (CentOS 6.5), and I integrated IPA with AD.
>     Linux machines are joined to IPA and Windows machines are joined to AD.
>     AD users can log in in CLI mode on the Linux system (CentOS 6.5),
>     but can not log in in GUI mode.
>
>
>
> Do I get it right:
>
> User from AD walks to a desktop console of the Linux system joined into
> IPA that is in trust relations with AD and GDM produces the following
> log?
>
>
>     error messages in file /var/log/security
>
> ----------------------------------------------------------------------------------
>     pam: gdm-password[2685]: pam_unix(gdm-password:auth):
>     authentication failure: logname= uid=0 euid=0 tty=:0 ruser= rhost= user=sallea at AD
>     pam: gdm-password[2685]: pam_sss(gdm-password:auth):
>     user info message: your password will expire in 40 day
>     pam: gdm-password[2685]: pam_sss(gdm-password:auth):
>     authenticate success: logname= uid=0 euid=0 tty=:0 ruser= rhost= user=sallea at AD
>     pam: gdm-password[2685]: pam_unix(gdm-password:session):
>     session opened for user sallea at AD by (uid=0)
>     polkitd(authority=local): Unregistered Authentication Agent for session
>     /org/freedesktop/ConsoleKit/Session4 (system bus name :1.116, object path
>     /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US) (disconnected from bus)
>     pam: gdm-password[2685]: pam_unix(gdm-password:session):
>     session closed for user sallea at AD
>     ------------------------------------------------------
>
>     and content of file /etc/pam.d/password-auth
>     -----------------------------------
>     auth        required      pam_env.so
>     auth        sufficient    pam_unix.so nullok try_first_pass
>     auth        requisite     pam_succeed_if.so uid >= 500 quiet
>     auth        sufficient    pam_sss.so use_first_pass
>     auth        required      pam_deny.so
>
>     account     required      pam_unix.so
>     account     sufficient    pam_localuser.so
>     account     sufficient    pam_succeed_if.so uid < 500 quiet
>     account     [default=bad success=ok user_unknown=ignore] pam_sss.so
>     account     required      pam_permit.so
>
>     password    requisite     pam_cracklib.so try_first_pass retry=3 type=
>     password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
>     password    sufficient    pam_sss.so use_authtok
>     password    required      pam_deny.so
>
>     session     optional      pam_keyinit.so revoke
>     session     required      pam_limits.so
>     session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>     session     required      pam_unix.so
>     # control flag spelled out in full: Linux-PAM does not recognise "require"
>     session     required      pam_sss.so
>     --------------------------------------
>     How to solve this problem?
>     Thanks
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>