On Mon, Jan 08, 2018 at 11:27:47AM +0100, Johan Vermeulen wrote:
Hello All,
I've set up a new machine for this test and increased the log levels to 6. Config for the FreeIPA client is done with ipa-client-install, I use chrony instead of ntp and SELinux is enabled.
When the user logs in, /var/log/secure indicates:
[root@node1 ~]# tail -f /var/log/secure
Jan 5 09:27:17 node1 lightdm: pam_sss(lightdm:auth): received for user jvanvlasselaer: 7 (Authentication failure)
Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jvanvlasselaer
Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): received for user jvanvlasselaer: 12 (Authentication token is no longer valid; new one required)
Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:account): User info message: Password expired. Change your password now.
Jan 5 09:27:29 node1 lightdm: pam_unix(lightdm:chauthtok): user "jvanvlasselaer" does not exist in /etc/passwd
But the lightdm gui screen indicates nothing.
(Fri Jan 5 09:27:29 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [12 (Authenticatietoken is niet langer geldig; nieuwe is vereist)][network.cawdekempen.be]
(Fri Jan 5 09:27:29 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [12]: Authenticatietoken is niet langer geldig; nieuwe is vereist.
(Fri Jan 5 09:27:29 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Fri Jan 5 09:27:29 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 39
Here I at least see that the message did reach the sssd_pam process and I don't see anything that would indicate that the message was filtered out (OTOH, the debugging is not stellar in this area of code...)
I've never used lightdm, did you maybe test with some other login method, like login to the console or su from another non-root user?
Does it help to increase pam_verbosity in the [pam] section (see man sssd.conf for a description)?
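As an added illustration of what the /var/log/secure excerpt above actually encodes (this is example code written for this page, not part of the thread or of SSSD), the script below parses pam_sss/pam_unix syslog lines, maps the numeric return code in "received for user ...: N" to its Linux-PAM name (7 is PAM_AUTH_ERR, 12 is PAM_NEW_AUTHTOK_REQD), and groups the events per user so the auth -> account -> chauthtok sequence can be read at a glance. The sample input is the five lines from the report, split one per line. The second finding in diagnose() is a heuristic assumption of this example, not a conclusion the thread reaches: it merely notes which PAM modules logged during the chauthtok phase for a user whom pam_unix does not know.

```python
import re
from collections import defaultdict

# The five /var/log/secure lines from the report, one per line.
SAMPLE_LOG = """\
Jan 5 09:27:17 node1 lightdm: pam_sss(lightdm:auth): received for user jvanvlasselaer: 7 (Authentication failure)
Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jvanvlasselaer
Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): received for user jvanvlasselaer: 12 (Authentication token is no longer valid; new one required)
Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:account): User info message: Password expired. Change your password now.
Jan 5 09:27:29 node1 lightdm: pam_unix(lightdm:chauthtok): user "jvanvlasselaer" does not exist in /etc/passwd
"""

# Subset of Linux-PAM return codes (values from _pam_types.h).
PAM_CODES = {
    0: "PAM_SUCCESS",
    7: "PAM_AUTH_ERR",
    10: "PAM_USER_UNKNOWN",
    12: "PAM_NEW_AUTHTOK_REQD",
    13: "PAM_ACCT_EXPIRED",
    20: "PAM_AUTHTOK_ERR",
}

# syslog prefix, then "<module>(<service>:<phase>): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<phase>\w+)\): (?P<msg>.*)$"
)
RECEIVED_RE = re.compile(r"received for user (?P<user>\S+): (?P<code>\d+)")
USER_KV_RE = re.compile(r"\buser=(?P<user>\S+)")
UNKNOWN_USER_RE = re.compile(r'user "(?P<user>[^"]+)" does not exist in /etc/passwd')


def parse_pam_lines(text):
    """Turn pam_* syslog lines into dicts with module, phase, user and PAM code."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a PAM module line; ignore
        ev = m.groupdict()
        ev["user"] = None
        ev["code"] = None
        ev["code_name"] = None
        for rx in (RECEIVED_RE, USER_KV_RE, UNKNOWN_USER_RE):
            u = rx.search(ev["msg"])
            if u:
                ev["user"] = u.group("user")
                if "code" in u.groupdict():
                    ev["code"] = int(u.group("code"))
                    ev["code_name"] = PAM_CODES.get(ev["code"], "PAM_UNKNOWN_CODE")
                break
    events.append(ev) if False else None  # placeholder removed below
    return events


def parse_pam_lines(text):  # noqa: F811 - final definition used by the examples
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev.update(user=None, code=None, code_name=None)
        for rx in (RECEIVED_RE, USER_KV_RE, UNKNOWN_USER_RE):
            u = rx.search(ev["msg"])
            if u:
                ev["user"] = u.group("user")
                if "code" in u.groupdict():
                    ev["code"] = int(u.group("code"))
                    ev["code_name"] = PAM_CODES.get(ev["code"], "PAM_UNKNOWN_CODE")
                break
        events.append(ev)
    return events


def diagnose(events):
    """Per-user findings: expired password, and which modules ran in chauthtok."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["user"]:
            by_user[ev["user"]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        notes = []
        if any(e["code"] == 12 for e in evs):
            notes.append("password expired: pam_sss returned PAM_NEW_AUTHTOK_REQD")
        chauthtok_modules = sorted({e["module"] for e in evs if e["phase"] == "chauthtok"})
        # Heuristic (assumption of this example): pam_unix alone in chauthtok for a
        # user it does not know suggests looking at the password stack ordering.
        if chauthtok_modules and "pam_sss" not in chauthtok_modules:
            notes.append("chauthtok logged only by %s; no pam_sss line in the password phase"
                         % ",".join(chauthtok_modules))
        findings[user] = notes
    return findings


if __name__ == "__main__":
    for ev in parse_pam_lines(SAMPLE_LOG):
        print(ev["ts"], ev["module"], ev["phase"], ev["user"], ev["code"], ev["code_name"])
    for user, notes in diagnose(parse_pam_lines(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(notes))
```

Feed it `tail -n 200 /var/log/secure` via stdin or a file to see the same grouping on a live box; the per-phase view makes it obvious whether a login stopped at auth, account or chauthtok even when the display manager shows nothing.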