<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8"> <META NAME="GENERATOR" CONTENT="GtkHTML/4.6.6"> </HEAD> <BODY TEXT="#000000" BGCOLOR="#ffffff"> On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote: <BLOCKQUOTE TYPE=CITE> On 11/07/2013 12:59 PM, Dean Hunter wrote: <BLOCKQUOTE TYPE=CITE> On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote: <BLOCKQUOTE TYPE=CITE> On 11/07/2013 12:21 PM, Dean Hunter wrote: <BLOCKQUOTE TYPE=CITE> On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote: <BLOCKQUOTE TYPE=CITE> <PRE> On Wed, 06 Nov 2013, Dean Hunter wrote: >After building a new VM and configuring the IPA 3.3.2 client, Gnome >seems to only perform a local log-in until the system is rebooted. SSH >works with IPA, but not Gnome. Is this correct? Is there anything less >disruptive than a reboot that I can do? </PRE> </BLOCKQUOTE> <BLOCKQUOTE TYPE=CITE> <PRE> Restart gdm.service? I'm not sure how gdm handles PAM auth. </PRE> </BLOCKQUOTE> I have tried: <BLOCKQUOTE> <TT>ipa-client-install ...</TT> <TT>systemctl restart gdm.service</TT> </BLOCKQUOTE> but the behavior remains the same. The Gnome log in screen accepts the user name, pauses about 25 seconds, then displays the log in screen again without any messages or indication of a problem. This is the same behavior I see when entering an incorrect local user name before configuring IPA. <PRE> _______________________________________________ Freeipa-users mailing list <A HREF="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</A> <A HREF="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</A> </PRE> </BLOCKQUOTE> Can it be a DIR cache issue and the fact that the directory can't is not created at proper time? </BLOCKQUOTE> Which directory, please? </BLOCKQUOTE> If you are hitting the DIR cache issue (which I am not sure is the case this is why I asked about AVCs) then the directory we are talking about is /var/run/usr/<uid> This directory should be created by kerberos library when it tries to authenticate a user. But it might not be able to since a parent directory /var/run/usr might not be created yet. This is one of the reasons why we decided not to continue the path of DIR cache but switched to using Kernel based ccache. <BLOCKQUOTE TYPE=CITE> <BLOCKQUOTE TYPE=CITE> Do you see any AVCs? </BLOCKQUOTE> </BLOCKQUOTE> Question still stands. </BLOCKQUOTE> I see no AVCs: <BLOCKQUOTE> <TT>[<A HREF="mailto:root@ipa">root@ipa</A> ~]# ausearch --message AVC</TT> <TT><no matches></TT> <TT>[<A HREF="mailto:root@ipa">root@ipa</A> ~]# </TT> </BLOCKQUOTE> I did find this in the man page for nsswitch.conf: <BLOCKQUOTE> <TT>FILES</TT> <TT> A service named SERVICE is implemented by a shared object library named</TT> <TT> libnss_SERVICE.so.X that resides in /lib.</TT> <TT> /etc/nsswitch.conf NSS configuration file.</TT> <TT> /lib/libnss_compat.so.X implements "compat" source.</TT> <TT> /lib/libnss_db.so.X implements "db" source.</TT> <TT> /lib/libnss_dns.so.X implements "dns" source.</TT> <TT> /lib/libnss_files.so.X implements "files" source.</TT> <TT> /lib/libnss_hesiod.so.X implements "hesiod" source.</TT> <TT> /lib/libnss_nis.so.X implements "nis" source.</TT> <TT> /lib/libnss_nisplus.so.X implements "nisplus" source.</TT> <TT>NOTES</TT> <TT> Within each process that uses nsswitch.conf, the entire file is read</TT> <TT> only once. If the file is later changed, the process will continue</TT> <TT> using the old configuration.</TT> </BLOCKQUOTE> Is this why the default configuration of nsswitch.conf is changing in Fedora 20, as noted on of the preceeding e-mails? </BODY> </HTML>