[Freeipa-users] i integrated ipa server with AD but users AD can not log in on server linux?
Dmitri Pal
dpal at redhat.com
Wed Aug 20 15:00:14 UTC 2014
On 08/20/2014 04:29 PM, alireza baghery wrote:
> yes right. ipa trust relation with AD and subdomain AD. yes gde
> produce log
It seems that you have some custom polkit policy that fails to load. Did
you play with some polkit policies?
>
>
> On Wed, Aug 20, 2014 at 5:27 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
> On 08/20/2014 01:45 PM, alireza baghery wrote:
>> hi
>> Having a particularly weird problem. We have moved from
>> AD (Windows 2008 R2)
>> to IPA server (CentOS 6.5), and I integrated IPA with AD.
>> Linux machines are joined with IPA and Windows machines are joined
>> with AD.
>> AD users can log in in CLI mode on the Linux system (CentOS 6.5)
>> but cannot log in in GUI mode.
>
>
> Do I get it right:
>
> User from AD walks to a desktop console of the Linux system joined
> into IPA that is in trust relations with AD and the GDE produces
> the following log?
>
>
>> error message in file /var/log/security
>> ----------------------------------------------------------------------------------
>> pam: gdm-password[2685]: pam_unix(gdm-password:auth):
>> authentication failure: logname= uid=0 euid=0 tty=:0 ruser=
>> rhost=
>> rhost= user=sallea at AD
>> pam: gdm-password[2685]: pam_sss(gdm-password:auth):
>> user info message: your password will expire in 40 day
>> pam: gdm-password[2685]:pam_sss(
>> gdm-password:auth):
>> authenticate success: logname= uid=0 euid=0 tty=:0 ruser= rhost=
>> rhost= user=sallea at AD
>> pam: gdm-password[2685]:pam_unix (gdm-password:session):
>> session opened for user sallea at AD by (uid=0)
>> polkitd(authority=local): Unregistered Authentication
>> Agent for session /org/freedesktop/ConsoleKit/Session4
>> (system bus
>> name :1.116 , object path
>> /org/gnome/PolcyKit1/AuthenticationAgent,
>>
>> - Ignored:
>> local en_US) (disconnected from bus)
>>
>> pam: gdm-password[2685]: pam_unix (gdm-password:session):
>> session closed for user sallea at AD
>> ------------------------------------------------------
>>
>> and context file /etc/pam.d/password-auth
>> -----------------------------------
>> auth required pam_env.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_sss.so use_first_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore]
>> pam_sss.so
>> account required pam_permit.so
>>
>> password requisite pam_cracklib.so try_first_pass
>> retry=3 type=
>> password sufficient pam_unix.so sha512 shadow nullok
>> try_first_pass use_authtok
>> password sufficient pam_sss.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session [success=1 default=ignore] pam_succeed_if.so
>> service in
>> crond quiet use_uid
>> session required pam_unix.so
>>
>> session require pam_sss.so
>> --------------------------------------
>> how to solve this problem?
>> thanks
>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.