Hi,
I read Jakub Hrozek's post https://jhrozek.wordpress.com/2015/07/17/get-rid-of-calling-manually-calling... and found that it is exactly what I need. The only problem is that I am using Ubuntu and not Fedora or CentOS.
In sssd_pam.log I only see a SSS_PAM_OPEN_SESSION but no SSS_PAM_AUTHENTICATE - so most likely the pam config is still wrong. Is there anybody here who got this working under Ubuntu?
This is how my /etc/pam.d/common-auth looks:
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
And this is my nsswitch.conf
passwd: compat
group: compat
shadow: compat
hosts: files wins mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
sudoers: files sss
Any ideas on this matter would be highly appreciated!
Regards, Ronald
On Wed, May 31, 2017 at 11:24:48AM +0200, Ronald Wimmer via FreeIPA-users wrote:
Hi,
I read Jakub Hrozek's post https://jhrozek.wordpress.com/2015/07/17/get-rid-of-calling-manually-calling... and found that it is exactly what I need. The only problem is that I am using Ubuntu and not Fedora or CentOS.
In sssd_pam.log I only see a SSS_PAM_OPEN_SESSION but no SSS_PAM_AUTHENTICATE
This would mean that pam_unix authenticated the user. Does the user exist in /etc/passwd and /etc/shadow as well?
bye, Sumit
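Sumit's point about pam_unix can be checked against the posted common-auth stack with a small model of how Linux-PAM evaluates control flags. This is an added example, not code from the thread or from SSSD; the per-module results ("success"/"auth_err") are constructed inputs, and only the controls that appear in that file are modelled.

```python
# Added example (not from the thread): a model of how Linux-PAM walks the "auth"
# stack from the common-auth file Ronald posted. It shows which modules actually
# run, hence why a login accepted by pam_unix never reaches pam_sss and sssd logs
# no SSS_PAM_AUTHENTICATE. Only the controls used in that file are modelled.

COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
"""

# Keyword controls in their equivalent bracket form (pam.conf(5)).
KEYWORDS = {"required": {"success": "ok", "default": "bad"},
            "requisite": {"success": "ok", "default": "die"},
            "optional": {"success": "ok", "default": "ignore"}}

def parse_stack(text):
    """Return [(control_dict, module), ...] for every 'auth' line."""
    rules = []
    for parts in (l.split() for l in text.splitlines() if l.startswith("auth")):
        if parts[1].startswith("["):
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            pairs = " ".join(parts[1:end + 1]).strip("[]").split()
            control, module = dict(p.split("=", 1) for p in pairs), parts[end + 1]
        else:
            control, module = KEYWORDS[parts[1]], parts[2]
        rules.append((control, module))
    return rules

def run_auth_stack(rules, results):
    """results maps module -> 'success'/'auth_err' (unlisted modules succeed,
    pam_deny.so always fails). Returns (stack_result, modules_called)."""
    status, called, i = None, [], 0
    while i < len(rules):
        control, module = rules[i]
        ret = results.get(module, "auth_err" if module == "pam_deny.so" else "success")
        called.append(module)
        action = control.get(ret, control["default"])
        if action.isdigit():            # N: behaves like 'ok', then skips N modules
            i, action = i + int(action), "ok"
        if action != "ignore" and status in (None, "success"):
            status = ret                # first failure sticks; later 'ok' cannot clear it
        if action == "die":             # requisite failure ends the stack at once
            break
        i += 1
    return (status or "perm_denied"), called
```

With the local password, pam_unix succeeds and its success=2 jump skips pam_sss and pam_deny, so sssd never receives an authentication request; this is consistent with the log containing only SSS_PAM_OPEN_SESSION entries from the session stack.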
On 2017-05-31 13:25, Sumit Bose via FreeIPA-users wrote:
On Wed, May 31, 2017 at 11:24:48AM +0200, Ronald Wimmer via FreeIPA-users wrote:
Hi,
I read Jakub Hrozek's post https://jhrozek.wordpress.com/2015/07/17/get-rid-of-calling-manually-calling... and found that it is exactly what I need. The only problem is that I am using Ubuntu and not Fedora or CentOS.
In sssd_pam.log I only see a SSS_PAM_OPEN_SESSION but no SSS_PAM_AUTHENTICATE
This would mean that pam_unix authenticated the user. Does the user exist in /etc/passwd and /etc/shadow as well?
Of course. My local user exists in both files.
sssd_pam.log shows 4 times SSS_PAM_OPEN_SESSION:
- User: lightdm
- User: lightdm@my.domain.at
- User: mylocaluser
- User: mylocaluser@my.domain.at
Number 4 is the most promising but mylocaluser should be myaduser@my.domain.at. Here's the log:
(Tue Apr 25 13:17:01 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_OPEN_SESSION
(Tue Apr 25 13:17:01 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: my.domain.at
(Tue Apr 25 13:17:01 2017) [sssd[pam]] [pam_print_data] (0x0100): user: mylocaluser@my.domain.at
(Tue Apr 25 13:17:01 2017) [sssd[pam]] [pam_print_data] (0x0100): service: lightdm
(Tue Apr 25 13:17:01 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: :0
(Tue Apr 25 13:17:01 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Apr 25 13:17:01 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Tue Apr 25 13:17:01 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Tue Apr 25 13:17:01 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Apr 25 13:17:01 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Apr 25 13:17:01 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 2538
(Tue Apr 25 13:17:01 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: mylocaluser
(Tue Apr 25 13:17:01 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x55e6c039fa20
(Tue Apr 25 13:17:01 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Tue Apr 25 13:17:01 2017) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x55e6be26eea0:3:mylocaluser@my.domain.at@my.domain.at]
On Wed, May 31, 2017 at 02:36:58PM +0200, Ronald Wimmer via FreeIPA-users wrote:
On 2017-05-31 13:25, Sumit Bose via FreeIPA-users wrote:
On Wed, May 31, 2017 at 11:24:48AM +0200, Ronald Wimmer via FreeIPA-users wrote:
Hi,
I read Jakub Hrozek's post https://jhrozek.wordpress.com/2015/07/17/get-rid-of-calling-manually-calling... and found that it is exactly what I need. The only problem is that I am using Ubuntu and not Fedora or CentOS.
In sssd_pam.log I only see a SSS_PAM_OPEN_SESSION but no SSS_PAM_AUTHENTICATE
This would mean that pam_unix authenticated the user. Does the user exist in /etc/passwd and /etc/shadow as well?
Of course. My local user exists in both files.
Did you use the local password or the remote password? Are they the same or different?
On 2017-05-31 20:33, Jakub Hrozek via FreeIPA-users wrote:
On Wed, May 31, 2017 at 02:36:58PM +0200, Ronald Wimmer via FreeIPA-users wrote:
On 2017-05-31 13:25, Sumit Bose via FreeIPA-users wrote:
On Wed, May 31, 2017 at 11:24:48AM +0200, Ronald Wimmer via FreeIPA-users wrote:
Hi,
I read Jakub Hrozek's post https://jhrozek.wordpress.com/2015/07/17/get-rid-of-calling-manually-calling... and found that it is exactly what I need. The only problem is that I am using Ubuntu and not Fedora or CentOS.
In sssd_pam.log I only see a SSS_PAM_OPEN_SESSION but no SSS_PAM_AUTHENTICATE
This would mean that pam_unix authenticated the user. Does the user exist in /etc/passwd and /etc/shadow as well?
Of course. My local user exists in both files.
Did you use the local password or the remote password? Are they the same or different?
The passwords are not the same and I tried it with my local password.