If it works for one login type and not for the other, chances are there’s a difference in the pam configuration files. Each service, which would include gdm and sshd, has a configuration file in /etc/pam.d, which determines how authentication is done. If you are using sssd for your authentication (which I recommend) authentication is done with an auth entry using pam_sss. The file you want to look at is /var/log/auth.log.

You don’t want anything that relies on the user having a Kerberos ticket to come before the pam_sss entry (which will likely be in common-auth, included from the sshd and gdm files). You also don’t want anything that might need access to files, including config files in the home directory, to come before the ticket is there.

On Jan 17, 2020, at 12:16 PM, Kristian Petersen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

The host is enrolled in Red Hat IdM and (as I understand it) pulls a kerberos key from the IdM server on login when the user is from IdM. From looking at the syslog, it authenticates me, begins a session, and then the failure occurs. I can see that it has pulled down info about my user account in the syslog before it fails. Some of the lines I see in the syslog are:
zorin systemd[1]: Started Session 4 of user sample@chem.byu.edu.

kernel: [  134.496794] lockd: server fs2.chem.byu.edu not responding, still trying
.
.and after some other normal stuff we eventually get to...
.
Jan 16 12:17:11 zorin kernel: [  153.305521] lockd: server fs2.chem.byu.edu not responding, still trying
Jan 16 12:17:11 zorin gnome-session[1545]: gnome-session-binary[1545]: WARNING: Application 'org.gnome.Shell.desktop' failed to register before timeout
Jan 16 12:17:11 zorin gnome-session[1545]: gnome-session-binary[1545]: CRITICAL: We failed, but the fail whale is dead. Sorry....
Jan 16 12:17:11 zorin gnome-session-binary[1545]: Unrecoverable failure in required component org.gnome.Shell.desktop
Jan 16 12:17:11 zorin gnome-session-binary[1545]: WARNING: Application 'org.gnome.Shell.desktop' failed to register before timeout
Jan 16 12:17:11 zorin gnome-session-binary[1545]: CRITICAL: We failed, but the fail whale is dead. Sorry....
Jan 16 12:17:11 zorin at-spi-bus-launcher[1649]: XIO:  fatal IO error 11 (Resource temporarily unavailable) on X server ":0"

On Fri, Jan 17, 2020 at 9:48 AM Simo Sorce <simo@redhat.com> wrote:
On Fri, 2020-01-17 at 09:35 -0700, Kristian Petersen via FreeIPA-users
wrote:
> Hey all,
>
> I am trying to get kerberized NFS home directories working in Ubuntu 18.04
> with the mapping info coming from IPA.  I can get them to mount on login in
> a multi-user target (terminal only), but not a graphical one (using gdm for
> login).  The messages I am seeing in the syslog seem to indicate that it is
> having issues communicating with the server hosting the NFS share and times
> out.  That doesn't make sense though since it works to mount in the
> terminal like I would expect.

Is GDM trying to mount or walk the home directory *before* performing
authentication?
Or are you trying to manually mount/walk in the home in a terminal and
failing?

A failure indicates that the rpc.gssd daemon cannot find kerberos
credentials of the user.

What kind of credential cache do you use? Is it the same between
graphical and console logins? Do you use rpc.gssd integrated with gss-
proxy or standalone?

Simo.

--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc

--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
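
One way to compare the gdm and sshd stacks for the ordering described at the top of this thread, as an added example that is not code from any poster or from FreeIPA/SSSD. It flattens a service's auth stack through Debian-style @include and include/substack lines and reports watched modules that run before the first pam_sss.so. The WATCHED set, the SAMPLE files and all function names are assumptions made for illustration.

```python
import re
from pathlib import Path

# Assumption (not from the thread): auth modules that read files under the
# user's home directory. Replace with the modules your own stack uses.
WATCHED = {"pam_google_authenticator.so", "pam_ssh.so"}
ENTRY = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")  # type control module

SAMPLE = {  # constructed PAM files, not taken from the thread
    "gdm-password": "auth requisite pam_nologin.so\n"
                    "auth required pam_google_authenticator.so nullok\n"
                    "@include common-auth\n",
    "common-auth": "auth [success=2 default=ignore] pam_unix.so nullok_secure\n"
                   "auth [success=1 default=ignore] pam_sss.so use_first_pass\n"
                   "auth requisite pam_deny.so\n",
    "sshd": "@include common-auth\nauth required pam_google_authenticator.so\n",
}

def read_pam_file(name):
    return Path("/etc/pam.d", name).read_text()

def auth_stack(service, read=read_pam_file, chain=()):
    """Return [(file, module)] for the auth stack in evaluation order,
    following '@include' lines and 'include'/'substack' controls."""
    if service in chain:  # include loop: stop descending
        return []
    stack = []
    for raw in read(service).splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include "):
            stack += auth_stack(line.split()[1], read, chain + (service,))
            continue
        m = ENTRY.match(line)
        if not m or m.group(1) != "auth":
            continue
        control, module = m.group(2), m.group(3)
        if control in ("include", "substack"):
            stack += auth_stack(module, read, chain + (service,))
        else:
            stack.append((service, Path(module).name))
    return stack

def early_modules(service, read=read_pam_file, watched=WATCHED):
    """Watched auth modules that run before the first pam_sss.so entry;
    None when the stack contains no pam_sss.so at all."""
    stack = auth_stack(service, read)
    mods = [m for _, m in stack]
    if "pam_sss.so" not in mods:
        return None
    return [e for e in stack[:mods.index("pam_sss.so")] if e[1] in watched]
```

On a real host, call early_modules("gdm-password") and early_modules("sshd") with the default reader and compare the two results; with the constructed files, pass SAMPLE.__getitem__ as the reader.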