[Freeipa-users] login auth fails then success
Larry Rosen
larry.rosen at JDRSolutions.com
Tue Sep 20 14:03:38 UTC 2016
Thanks, that explains a lot (I didn't catch the difference in auth services).
Would this be mitigated by putting sss in front of files in nsswitch.conf?
/etc/nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
Date: Sun, 18 Sep 2016 22:14:59 +0200
From: Jakub Hrozek <jhrozek at redhat.com>
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] login auth fails then success
Message-ID: <20160918201459.uhijnc4gyfykgzic at hendrix>
Content-Type: text/plain; charset=us-ascii
On Fri, Sep 16, 2016 at 06:23:03PM +0000, Larry Rosen wrote:
> Sorry I thought I had pasted these previously:
>
> What other logs do I need to add (maybe from the IPA server)?
>
> Client system's /var/log/secure:
>
> Sep 13 19:12:33 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:12:33 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:18:11 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:18:11 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:22:52 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:22:53 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:23:49 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:23:49 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:28:24 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:28:24 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:29:27 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:29:27 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
I think these are expected. Authentication using pam_unix fails because pam_unix doesn't know this particular user and then pam_sss succeeds. I wonder if the best way to deal with the log messages is just to configure logrotate a bit more aggressively?
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday, September 16, 2016 1:39 PM
> To: Larry Rosen <larry.rosen at JDRSolutions.com>;
> freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] login auth fails then success
>
> Larry Rosen wrote:
> > We have a web app that logs in using a service (automated login
> > user, non-expiring, non-failure count) account that leaves these log
> > entries all day long. This does not appear to cause any problems,
> > it just makes my logs grow unnecessarily and creates a lot of "noise" in the log.
> >
> > Any ideas why it initially fails and then works?
>
> Logs where? Can we see them?
>
> rob
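
The pattern explained in the reply above (pam_unix fails for a user it does not know, then pam_sss succeeds) can be filtered out when reviewing /var/log/secure. The following is an added example, not part of the original thread: it pairs each pam_unix failure with a pam_sss success for the same host, service and user within a short window and returns only the failures that nothing resolved. The function name, the 2-second window, the year default and the "alice" log entry are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the /var/log/secure lines quoted above;
# the last entry (user "alice") is invented to show an unpaired failure.
SAMPLE = """\
Sep 13 19:12:33 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:12:33 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:22:52 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:22:53 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:30:02 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=alice
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ "
    r"(?P<mod>pam_\w+)\((?P<svc>[^)]*)\): "
    r"authentication (?P<res>failure|success);.*\buser=(?P<user>\S+)")

def classify(text, window=timedelta(seconds=2), year=2016):
    """Return (expected_pairs, unresolved), where unresolved lists the
    (timestamp, user) of pam_unix failures with no pam_sss success after them."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            # Syslog timestamps carry no year, so the caller supplies one.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["svc"], m["mod"], m["res"], m["user"]))
    pairs, unresolved, used = 0, [], set()
    for i, (ts, host, svc, mod, res, user) in enumerate(events):
        if (mod, res) != ("pam_unix", "failure"):
            continue
        wanted = (host, svc, "pam_sss", "success", user)
        # First unused pam_sss success for the same login inside the window.
        match = next((j for j in range(i + 1, len(events))
                      if j not in used and events[j][0] - ts <= window
                      and events[j][1:] == wanted), None)
        if match is None:
            unresolved.append((ts, user))
        else:
            used.add(match)
            pairs += 1
    return pairs, unresolved

if __name__ == "__main__":
    pairs, unresolved = classify(SAMPLE)
    print(f"{pairs} expected pam_unix/pam_sss pairs suppressed")
    for ts, user in unresolved:
        print(f"unresolved failure: {ts} user={user}")
```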