<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> <div class="moz-cite-prefix">On 08/20/2014 01:45 PM, alireza baghery wrote: </div> <blockquote cite="mid:CAPyvVhwajhK+kV-c4BHqhoPEH+g2_h2EcbCXgOTBEfm4U1SWMg@mail.gmail.com" type="cite"> <div dir="ltr"> hi Having a particularly weird problem. We have moved from AD(windows 2008 R2) to ipa server(centos 6.5). and i integrated ipa with AD machine linux joined with ipa and machine windowse joined with AD. users AD can loggin in cli mode in system linux (centos 6.5) but can not in GUI mod loggin </div> </blockquote> Do I get it right: User from AD walks to a desktop console of the Linux system joined into IPA that is in trust relations with AD and the GDE produces the following log? <blockquote cite="mid:CAPyvVhwajhK+kV-c4BHqhoPEH+g2_h2EcbCXgOTBEfm4U1SWMg@mail.gmail.com" type="cite"> <div dir="ltr"> error message in file /var/log/security ---------------------------------------------------------------------------------- pam: gdm-password[2685]: pam_unix(gdm-password:auth): authentication failure: logname= uid=0 euid=0 tty=:0 ruser= rhost= rhost= user=sallea@AD pam: gdm-password[2685]: pam_sss(gdm-password:auth): user info message: your password will expire in 40 day pam: gdm-password[2685]:pam_sss( <div id=":1hg" class="">gdm-password:auth): authenticate success: logname= uid=0 euid=0 tty=:0 ruser= rhost= rhost= user=sallea@AD pam: gdm-password[2685]:pam_unix (gdm-password:session): session opened for user sallea@AD by (uid=0) polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session4 (system bus name :1.116 , object path /org/gnome/PolcyKit1/AuthenticationAgent, - Ignored: local en_US) (disconnected from bus) pam: gdm-password[2685]: pam_unix (gdm-password:session): session closed for user sallea@AD ------------------------------------------------------ and context file /etc/pam.d/password-auth ----------------------------------- auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session require pam_sss.so -------------------------------------- how to solve this problem? thanks</div> </div> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.</pre> </body> </html>