[Freeipa-users] Authenticate on GNOME display manager with freeipa

Jason B. Nance jason at tresgeek.net
Wed May 10 15:40:58 UTC 2017


Make sure you are using "reply-all" as your replies are falling off the mailing list and coming to me only.

> They do have some of these lines.

Assuming your common-* modules are set up correctly (which you can verify by looking at your ssh module and seeing if it uses common-* or if the sssd libraries are in there directly), at this point we'll need to go to logs. Tail your logs while attempting to do a GDM login and compare them to a tail when doing an SSH login.

j
 


> These are the contents:
> 
> 
> gdm-password:
> 
> #%PAM-1.0
> auth    requisite       pam_nologin.so
> auth    required    pam_succeed_if.so user != root quiet_success
> @include common-auth
> auth    optional        pam_gnome_keyring.so
> @include common-account
> # SELinux needs to be the first session rule. This ensures that any
> # lingering context has been cleared. Without this it is possible
> # that a module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
> session required        pam_loginuid.so
> # SELinux needs to intervene at login time to ensure that the process
> # starts in the proper default security context. Only sessions which are
> # intended to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
> session optional        pam_keyinit.so force revoke
> session required        pam_limits.so
> session required        pam_env.so readenv=1
> session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
> @include common-session
> session optional        pam_gnome_keyring.so auto_start
> @include common-password
> 
> 
> gdm-autologin:
> 
> #%PAM-1.0
> auth    requisite       pam_nologin.so
> auth    required    pam_succeed_if.so user != root quiet_success
> auth    required        pam_permit.so
> @include common-account
> # SELinux needs to be the first session rule. This ensures that any
> # lingering context has been cleared. Without this it is possible
> # that a module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
> session required        pam_loginuid.so
> # SELinux needs to intervene at login time to ensure that the process
> # starts in the proper default security context. Only sessions which are
> # intended to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
> session optional        pam_keyinit.so force revoke
> session required        pam_limits.so
> session required        pam_env.so readenv=1
> session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
> @include common-session
> @include common-password
> 
> 
> gdm-launch-environment:
> 
> #%PAM-1.0
> auth    requisite       pam_nologin.so
> auth    required        pam_permit.so
> @include common-account
> session optional        pam_keyinit.so force revoke
> session required        pam_limits.so
> session required        pam_env.so readenv=1
> session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
> @include common-session
> @include common-password
> 
> Thanks already!
> 
> On 10-May-17 3:40 AM, Jason B. Nance wrote:
>>> I have three files:
>>>
>>> /etc/pam.d/gdm-autologin
>>>
>>> /etc/pam.d/gdm-launch-environment
>>>
>>> /etc/pam.d/gdm-password
>>>
>>> They all have a line "@ include common-session"
>>>
>>> The common-session file has a line "session optional pam_sss.so"
>>>
>>> I don't really know what to compare to the SSH module (which I guess is
>>> the /etc/pam.d/sshd file)
>> Do they only have session lines and no auth, account, or password?
>>
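
The comparison suggested in this thread (does the GDM service reach pam_sss.so in the same management groups as sshd?), as an added example that is not part of the original messages. The function names and the `SAMPLE` file contents are constructed for illustration; the script only lists which modules each stack reaches after expanding includes and does not evaluate control flags.

```python
import re
from pathlib import Path

GROUPS = ("auth", "account", "password", "session")
# <type> <control, simple or [bracketed]> <module>; comment lines never match
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Constructed sample files (the common-* contents are assumed, not from the thread)
SAMPLE = {
    "common-auth": "auth [success=1 default=ignore] pam_sss.so\n"
                   "auth requisite pam_deny.so\nauth required pam_permit.so\n",
    "common-account": "account required pam_unix.so\naccount required pam_sss.so\n",
    "common-session": "session required pam_unix.so\nsession optional pam_sss.so\n",
    "sshd": "@include common-auth\n@include common-account\n@include common-session\n",
    "gdm-password": "#%PAM-1.0\nauth requisite pam_nologin.so\n@include common-auth\n"
                    "@include common-account\n@include common-session\n",
    "gdm-local-only": "auth required pam_unix.so\n@include common-account\n"
                      "@include common-session\n",
}

def read_pam_d(name, root="/etc/pam.d"):
    return Path(root, name).read_text()

def modules(service, read=read_pam_d, only=None, seen=()):
    """Return {group: [module, ...]} for a service with includes expanded."""
    out = {g: [] for g in GROUPS}
    if service in seen:                      # guard against include loops
        return out
    for raw in read(service).splitlines():
        line = raw.strip()
        if line.startswith("@include"):      # Debian style: pulls in every group
            sub = modules(line.split()[1], read, only, seen + (service,))
            for g in GROUPS:
                out[g] += sub[g]
            continue
        m = RULE.match(line)
        if not m or m.group(1) not in GROUPS or (only and m.group(1) != only):
            continue
        group, control, target = m.groups()
        if control in ("include", "substack"):   # per-group include
            out[group] += modules(target, read, group, seen + (service,))[group]
        else:
            out[group].append(Path(target).name)
    return out

def missing_sss(service, reference, read=read_pam_d, module="pam_sss.so"):
    """Groups where `reference` reaches `module` but `service` does not."""
    a, b = modules(service, read), modules(reference, read)
    return [g for g in GROUPS if module in b[g] and module not in a[g]]
```

On a real host, `missing_sss("gdm-password", "sshd")` reads from /etc/pam.d; a non-empty result names the management groups to look at before moving on to the logs.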



