Hello,
apologies for the late reply, due to the holidays.
I had a call from a user this morning; she had to do multiple login attempts and reboot several times before she could log in.
Trying to follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
I assume the general setup works, as troubles only show up when a password expires. On the user's laptop:
[root@lremijsen ~]# systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since do 2018-01-04 08:42:01 CET; 2h 35min ago
  Process: 730 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
 Main PID: 757 (sssd)
   CGroup: /system.slice/sssd.service
           ├─757 /usr/sbin/sssd -D -f
           ├─767 /usr/libexec/sssd/sssd_be --domain network.cawdekempen.be --uid 0 --gid 0 --debug-to-files
           ├─774 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           ├─775 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
           ├─776 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
           ├─777 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
           └─778 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 2
jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 2
jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 2
In /var/log/secure there is always a clear message that the password is expired:
Jan 4 10:06:13 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication failure; logname= uid=382900705 euid=382900705 tty=:0.0 ruser= rhost= user=lremijsen
Jan 4 10:06:13 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:auth): received for user lremijsen: 12 (Authenticatietoken is niet langer geldig; nieuwe is vereist) [Dutch: "Authentication token is no longer valid; new one required"]
Jan 4 10:06:14 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:account): User info message: Wachtwoord verlopen. Verander nu uw wachtwoord. [Dutch: "Password expired. Change your password now."]
sssd_pam.log only shows:
(Tue Jan 2 13:05:46 2018) [sssd[pam]] [orderly_shutdown] (0x0010): SIGTERM: killing children
sssd_network.cawdekempen.be.log only shows:
(Tue Jan 2 13:05:46 2018) [sssd[be[network.cawdekempen.be]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
I suppose I have to increase the log levels?
Many many thanks for the help!
greetings, J.
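The two things the troubleshooting guide asks for at this point are raising debug_level in the [pam] and [domain/...] sections of sssd.conf and then reading the pam_sss results back out of /var/log/secure per PAM service. The helpers below are an added example, not code from the thread or from the SSSD project: set_debug_level edits one sssd.conf section in place (replacing an existing debug_level or appending one), and pam_sss_results lists "service user code" for every pam_sss auth result so the expired-password case (PAM return code 12, PAM_NEW_AUTHTOK_REQD) can be compared across lightdm, the screensaver and a tty. The sssd.conf layout and the secure-log lines used to try it are constructed samples, debug_level 9 is an assumed value for a one-off capture, and sssd still has to be restarted by hand afterwards.

```shell
#!/bin/sh
# Added example, not from the thread or from SSSD: helpers for the
# log-gathering step of the SSSD troubleshooting guide.
#   set_debug_level CONF SECTION LEVEL  - set debug_level in one sssd.conf section
#   pam_sss_results LOG                 - list pam_sss auth results per PAM service
# Assumptions (mine, not stated in the thread): sssd.conf uses the usual
# "[section]" / "key = value" layout and debug_level 9 is enough for a capture.

# Set (or replace) "debug_level = LEVEL" inside "[SECTION]" of CONF.
# Writes a copy and moves it into place, so a failed awk leaves CONF intact.
set_debug_level() {
    _conf=$1 _sect=$2 _lvl=$3
    awk -v sect="[$_sect]" -v lvl="$_lvl" '
        # append a debug_level when leaving the wanted section if it had none
        function flush() { if (in_sect && !done) print "debug_level = " lvl }
        /^[ \t]*\[/ {                          # section header
            flush()
            h = $0; gsub(/[ \t]/, "", h)
            in_sect = (h == sect); done = 0
        }
        in_sect && /^[ \t]*debug_level[ \t]*=/ { print "debug_level = " lvl; done = 1; next }
        { print }
        END { flush() }
    ' "$_conf" > "$_conf.tmp" && mv "$_conf.tmp" "$_conf"
}

# Print "service user code" for every pam_sss auth result in a secure log.
# Code 12 is PAM_NEW_AUTHTOK_REQD (expired password, change it now); grouping
# by service shows which login path (lightdm, screensaver, tty) received it.
pam_sss_results() {
    sed -n 's/.*pam_sss(\([^:]*\):auth): received for user \([^:]*\): \([0-9]*\) (.*/\1 \2 \3/p' "$1"
}

# Constructed sample sssd.conf (not the laptop's real file) for trying offline.
make_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = network.cawdekempen.be
services = nss, pam, sudo, ssh, pac

[domain/network.cawdekempen.be]
id_provider = ipa
ipa_domain = network.cawdekempen.be
debug_level = 1

[pam]
pam_verbosity = 2
EOF
}

# Constructed sample lines in /var/log/secure format (English PAM messages,
# second user and lightdm line invented to show the per-service grouping).
make_sample_log() {
    cat > "$1" <<'EOF'
Jan  4 10:06:13 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication failure; logname= uid=382900705 euid=382900705 tty=:0.0 ruser= rhost= user=lremijsen
Jan  4 10:06:13 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:auth): received for user lremijsen: 12 (Authentication token is no longer valid; new one required)
Jan  4 10:06:14 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:account): User info message: Password expired. Change your password now.
Jan  4 10:09:41 lremijsen lightdm: pam_sss(lightdm:auth): received for user lremijsen: 12 (Authentication token is no longer valid; new one required)
Jan  4 10:11:05 lremijsen login: pam_sss(login:auth): received for user jdoe: 7 (Authentication failure)
EOF
}

# Typical use on the laptop as root, then reproduce the expired login and read
# /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_network.cawdekempen.be.log:
#   set_debug_level /etc/sssd/sssd.conf pam 9
#   set_debug_level /etc/sssd/sssd.conf domain/network.cawdekempen.be 9
#   systemctl restart sssd
#   pam_sss_results /var/log/secure
```

Lower the levels again once the logs are captured: level 9 logs are large and include user names and hostnames you may not want in a long-lived file.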
2017-12-21 22:01 GMT+01:00 Jakub Hrozek via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:
This sounds like a bug, could you follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html, gather logs from the pam and domain sections and post them here? If the password is expired, then pam_sss should send a message to the login manager which the login manager should display.
The logs would at least show if the daemon is sending the message to pam_sss…
On 21 Dec 2017, at 09:39, Johan Vermeulen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello All,
We run some 200 Centos7/Mate laptops; since last year they authenticate against freeipa.
Lightdm/Mate are installed using the epel repo.
On Centos7.3/Lightdm 1.10.6-4.el7 things were all right: when a password expired, users would get the password expired field, the "new password" field and warnings if they made a mistake.
Since upgrading to Centos7.4/Lightdm 1.25.0-1.el7 things go terribly wrong. Users very often get no warning if a password expired, just an authentication failure.
Or they get no message at all.
If at that point you go to a tty... and log in, you do get the warnings on the command line.
The log files (/var/log/secure) also give clear password expired messages, only the user sees nothing.
This is a big problem because users cannot log in and cannot work without interventions.
Many thanks for any help.
Greetings, J.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org