<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 08/20/2014 01:45 PM, alireza baghery
wrote:<br>
</div>
<blockquote
cite="mid:CAPyvVhwajhK+kV-c4BHqhoPEH+g2_h2EcbCXgOTBEfm4U1SWMg@mail.gmail.com"
type="cite">
<div dir="ltr"> hi<br>
Having a particularly weird problem. We have moved from
AD(windows 2008 R2)<br>
to ipa server(centos 6.5). and i integrated ipa with AD<br>
machine linux joined with ipa and machine windowse joined
with AD.<br>
users AD can loggin in cli mode in system linux (centos
6.5)<br>
but can not in GUI mod loggin<br>
</div>
</blockquote>
<br>
<br>
Do I get it right:<br>
<br>
User from AD walks to a desktop console of the Linux system joined
into IPA that is in trust relations with AD and the GDE produces the
following log?<br>
<br>
<blockquote
cite="mid:CAPyvVhwajhK+kV-c4BHqhoPEH+g2_h2EcbCXgOTBEfm4U1SWMg@mail.gmail.com"
type="cite">
<div dir="ltr">
error message in file /var/log/security<br>
----------------------------------------------------------------------------------<br>
pam: gdm-password[2685]: pam_unix(gdm-password:auth):<br>
authentication failure: logname= uid=0 euid=0 tty=:0 ruser=
rhost=<br>
rhost= user=sallea@AD<br>
pam: gdm-password[2685]: pam_sss(gdm-password:auth):<br>
user info message: your password will expire in 40 day<br>
pam: gdm-password[2685]:pam_sss(
<div id=":1hg" class="">gdm-password:auth):<br>
authenticate success: logname= uid=0 euid=0 tty=:0 ruser=
rhost=<br>
rhost= user=sallea@AD<br>
pam: gdm-password[2685]:pam_unix (gdm-password:session):<br>
session opened for user sallea@AD by (uid=0)<br>
polkitd(authority=local): Unregistered Authentication<br>
Agent for session /org/freedesktop/ConsoleKit/Session4
(system bus<br>
name :1.116 , object path
/org/gnome/PolcyKit1/AuthenticationAgent,<br>
<br>
- Ignored:<br>
local en_US) (disconnected from bus)<br>
<br>
pam: gdm-password[2685]: pam_unix (gdm-password:session):<br>
session closed for user sallea@AD<br>
------------------------------------------------------<br>
<br>
and context file /etc/pam.d/password-auth<br>
-----------------------------------<br>
auth required pam_env.so<br>
auth sufficient pam_unix.so nullok
try_first_pass<br>
auth requisite pam_succeed_if.so uid >= 500
quiet<br>
auth sufficient pam_sss.so use_first_pass<br>
auth required pam_deny.so<br>
<br>
account required pam_unix.so<br>
account sufficient pam_localuser.so<br>
account sufficient pam_succeed_if.so uid < 500
quiet<br>
account [default=bad success=ok user_unknown=ignore]
pam_sss.so<br>
account required pam_permit.so<br>
<br>
password requisite pam_cracklib.so try_first_pass
retry=3 type=<br>
password sufficient pam_unix.so sha512 shadow nullok<br>
try_first_pass use_authtok<br>
password sufficient pam_sss.so use_authtok<br>
password required pam_deny.so<br>
<br>
session optional pam_keyinit.so revoke<br>
session required pam_limits.so<br>
session [success=1 default=ignore] pam_succeed_if.so
service in<br>
crond quiet use_uid<br>
session required pam_unix.so<br>
<br>
session require pam_sss.so<br>
--------------------------------------<br>
how to solve this problem?<br>
thanks</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>