Hi again,
Sorry for the delay;
I checked the domain log - the long version of the log is attached.
Here is a short extract from the log, with focus on PAM;
I am suspicious that the PAM commands end with "logon_name = not set", whatever that means;
As I wrote before, the login session is partially done - the homedir is an nfs+krb share and is mounted with proper nfsidmapping.
I log in with the FQN longina@n.c.domain
Best,
Longina
---
(Wed Nov 30 16:25:16 2016) [sssd[be[a.c.domain]]] [ad_gpo_access_check] (0x0400): POLICY DECISION:
(Wed Nov 30 16:25:16 2016) [sssd[be[a.c.domain]]] [ad_gpo_access_check] (0x0400): access_granted = 1
(Wed Nov 30 16:25:16 2016) [sssd[be[a.c.domain]]] [ad_gpo_access_check] (0x0400): access_denied = 0
(Wed Nov 30 16:25:16 2016) [sssd[be[a.c.domain]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.
.....
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): domain: n.c.domain
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): user: longina@n.c.domain
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): service: lightdm
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): tty: :0
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): ruser:
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): rhost:
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): authtok type: 1
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): priv: 1
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): cli_pid: 1164
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): logon name: not set
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [longina@n.c.domain] is empty, running request [0x2290660] immediately.
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [krb5_setup] (0x4000): No mapping for: longina@n.c.domain
......
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): domain: n.c.domain
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): user: longina@n.c.domain
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): service: lightdm
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): tty: :0
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): ruser:
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): rhost:
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): priv: 1
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): cli_pid: 1164
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): logon name: not set
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [sdap_access_send] (0x0400): Performing access check for user [longina@n.c.domain]
......
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): command: SSS_PAM_SETCRED
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): domain: n.c.domain
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): user: longina@n.c.domain
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): service: lightdm
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): tty: :0
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): ruser:
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): rhost:
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): priv: 1
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): cli_pid: 1164
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): logon name: not set
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [be_pam_handler] (0x0100): Sending result [0][n.c.domain]
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [sbus_dispatch] (0x4000): dbus conn: 0x21d6360
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [be_req_set_domain] (0x0400): Changing request domain from [a.c.domain] to [n.c.domain]
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): command: SSS_PAM_OPEN_SESSION
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): domain: n.c.domain
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): user: longina@n.c.domain
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): service: lightdm
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): tty: :0
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): ruser:
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): rhost:
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): priv: 1
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): cli_pid: 1164
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): logon name: not set
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [be_pam_handler] (0x0100): Sending result [0][n.c.domain]
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [sbus_dispatch] (0x4000): dbus conn: 0x21d6360
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek@redhat.com]
Sent: 17 November 2016 09:25
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: sssd-13.4 can't login
On Wed, Nov 09, 2016 at 02:45:56PM +0000, Longina Przybyszewska wrote:
> Hi again,
> I still hang on that problem.
> Client and server are configured in an AD trust realm environment.
> Client and server are joined to a.c.domain; the user is from n.c.domain.
>
> During the login sequence the NFS share (sec=krb5) homedir is mounted with the right nfsidmapping.
> The user can't log in because of access denied to the homedir.
>
> If I change the mount parameter to sec=sys, the user can successfully log in.
>
> Machine's and user's credentials *are* valid;
>
> ==
> Ticket cache: FILE:/tmp/krb5cc_332405654_B4r6Sy
> Default principal: longina@N.C.DOMAIN
>
> Valid starting       Expires              Service principal
> 11/09/2016 15:00:43  11/10/2016 01:00:43  krbtgt/N.C.DOMAIN@N.C.DOMAIN
>         renew until 11/10/2016 01:00:43
> 11/09/2016 15:00:45  11/10/2016 01:00:43  krbtgt/C.SDU.DK@N.C.DOMAIN
>         renew until 11/10/2016 01:00:43
> 11/09/2016 15:00:45  11/10/2016 01:00:43  nfs/adm-lptest.a.c.domain@
>         renew until 11/10/2016 01:00:43
> 11/09/2016 15:00:45  11/10/2016 01:00:43  nfs/adm-lptest.a.c.domain@A.C.DOMAIN
>         renew until 11/10/2016 01:00:43
> ==
> The Kerberos sequence for login ends with (krb5_child.log):
>
> ==
> [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal longina@N.C.DOMAIN in cache collection]
> ==
You can ignore this: since you are using the FILE: ccache, which doesn't support collections, this error is harmless.
It looks like the krb5_child itself finished fine, according to:
> (Wed Nov 9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [k5c_send_data] (0x0200): Received error code 0
> (Wed Nov 9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [pack_response_packet] (0x2000): response packet size: [142]
> (Wed Nov 9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [k5c_send_data] (0x4000): Response sent.
> (Wed Nov 9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [main] (0x0400): krb5_child completed successfully
So I would suggest looking into the domain logs as well. Chances are some other part (maybe the access control later?) is failing.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
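An added example, not part of the thread or of the SSSD project: it condenses a domain log in the format quoted above into one record per PAM request, so the status SSSD actually returned for each command (the `Sending result [N]` line) sits next to the request's `pam_print_data` fields and any warnings logged while it ran. The sample lines are constructed in the same format, and the denied second request is invented to show how a failure would appear.

```python
import re

# Constructed sample in the sssd domain-log format; domain, user and result codes are illustrative.
SAMPLE_LOG = """\
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): user: longina@n.c.domain
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): logon name: not set
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [krb5_setup] (0x4000): No mapping for: longina@n.c.domain
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [be_pam_handler] (0x0100): Sending result [0][n.c.domain]
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): user: longina@n.c.domain
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [ad_gpo_access_check] (0x0400): access_denied = 1
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [be_pam_handler] (0x0100): Sending result [6][n.c.domain]
"""

LINE_RE = re.compile(
    r"^\([^)]*\) \[sssd\[be\[[^\]]+\]\]\] \[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)
# Linux-PAM return codes most often seen in "Sending result [N]" lines.
PAM_STATUS = {0: "PAM_SUCCESS", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 10: "PAM_USER_UNKNOWN"}

def summarize_pam_requests(log_text):
    """One record per PAM request: its pam_print_data fields, the status sent back, and warnings."""
    requests, cur = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        func, msg = m["func"], m["msg"]
        if func == "pam_print_data":
            key, _, value = msg.partition(":")
            if key == "command":  # every request starts with its command line
                cur = {"command": value.strip(), "fields": {}, "notes": [], "result": None}
                requests.append(cur)
            elif cur is not None:
                cur["fields"][key] = value.strip()
        elif cur is not None:
            if func == "be_pam_handler" and msg.startswith("Sending result"):
                code = int(re.search(r"\[(\d+)\]", msg).group(1))
                cur["result"] = PAM_STATUS.get(code, f"pam_status={code}")
            elif func == "krb5_setup" and msg.startswith("No mapping for"):
                cur["notes"].append(msg)
            elif func == "ad_gpo_access_check" and msg == "access_denied = 1":
                cur["notes"].append("GPO access control denied the request")
    return requests

def failed_requests(requests):
    """Requests SSSD did not answer with PAM_SUCCESS; empty when the refusal comes from elsewhere."""
    return [r for r in requests if r["result"] != "PAM_SUCCESS"]
```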