[Freeipa-users] login/su problem on ubuntu

Kees Bakker keesb at ghs.com
Wed Mar 1 08:10:47 UTC 2017


Perhaps you need to add an HBAC Service for lightdm. At least, that's what
I did. And also to add that service in the HBAC rules for the hosts on which
the users may log in.

On 28-02-17 21:01, Jakub Hrozek wrote:
> On Tue, Feb 28, 2017 at 06:13:42PM +0100, Karl Forner wrote:
>> I just registered a new computer running Ubuntu to our FreeIPA system.
>> Some users (all I tried except me) are not able to log in using lightdm.
>>
>> The message on screen is "Permission denied".
>> On the system the user (joe) is created, its home directory also, but it
>> only contains a .kde/ subdir and a .bash_history.
>>
>> On my session, if I type:
>> $sudo su - joe
>> I get:
>> su: Permission denied
>> (Ignored)
>>
>>
>> The only log file that is modified is /var/log/auth.log.
>> The relevant lines during the graphical login are:
>>
>> Feb 28 16:44:29 nyx lightdm: pam_unix(lightdm:auth): authentication
>> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=joe
>> Feb 28 16:44:41 nyx lightdm: pam_sss(lightdm:auth): authentication success;
>> logname= uid=0 euid=0 tty=:0 ruser= rhost= user=joe
>> Feb 28 16:44:41 nyx lightdm: pam_kwallet(lightdm:auth): pam_sm_authenticate
>> Feb 28 16:44:43 nyx lightdm: pam_sss(lightdm:account): Access denied for
>> user joe: 6 (Permission denied)
>> Feb 28 16:44:54 nyx lightdm: pam_succeed_if(lightdm:auth): requirement
>> "user ingroup nopasswdlogin" not met by user "joe"
>>
>> The relevant lines during the "sudo su - joe":
>> Feb 28 16:48:32 nyx su[26394]: pam_sss(su:account): Access denied for user
>> joe: 6 (Permission denied)
> You need to enable SSSD debugging:
>     https://fedorahosted.org/sssd/wiki/Troubleshooting
> and check the sssd logs, probably the HBAC access control is kicking you
> out.
>
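
Added example, not part of the original messages: a small Python check over the auth.log lines quoted above that separates a password failure from a denial in the PAM account phase and lists the PAM service names (here lightdm and su) whose HBAC service and rule membership should be checked. The function names are hypothetical, and the sample lines are the ones from the post, unwrapped.

```python
import re
from collections import defaultdict

# Sample input: auth.log lines from the post, unwrapped to one entry per line.
SAMPLE_LOG = """\
Feb 28 16:44:29 nyx lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=joe
Feb 28 16:44:41 nyx lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=joe
Feb 28 16:44:43 nyx lightdm: pam_sss(lightdm:account): Access denied for user joe: 6 (Permission denied)
Feb 28 16:48:32 nyx su[26394]: pam_sss(su:account): Access denied for user joe: 6 (Permission denied)
"""

# pam_sss logs "<module>(<pam service>:<phase>)"; the PAM service name is
# what an HBAC service entry has to match.
AUTH_OK = re.compile(
    r"pam_sss\((?P<svc>[^:)]+):auth\): authentication success;.*\buser=(?P<user>\S+)")
ACCT_DENY = re.compile(
    r"pam_sss\((?P<svc>[^:)]+):account\): Access denied for user (?P<user>[^:\s]+): \d+ ")

def classify(log_text):
    """Return {(user, pam_service): verdict} for every pam_sss account denial."""
    authed, verdicts = set(), {}
    for line in log_text.splitlines():
        m = AUTH_OK.search(line)
        if m:
            authed.add((m["user"], m["svc"]))
            continue
        m = ACCT_DENY.search(line)
        if m:
            key = (m["user"], m["svc"])
            # Credentials were accepted first: access control, not a bad password.
            verdicts[key] = ("authenticated, then denied in account phase"
                             if key in authed
                             else "denied in account phase (no auth step logged)")
    return verdicts

def services_to_check(log_text):
    """Per user, the PAM services that were refused in the account phase."""
    out = defaultdict(set)
    for user, svc in classify(log_text):
        out[user].add(svc)
    return {user: sorted(svcs) for user, svcs in out.items()}

if __name__ == "__main__":
    for (user, svc), verdict in classify(SAMPLE_LOG).items():
        print(f"{user} via {svc}: {verdict}")
    print(services_to_check(SAMPLE_LOG))
```

The su entry has no auth line because root running su is not asked for a password, so only the account phase is logged.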



