Another issue to beware of. In my copy of Ubuntu 18, common-auth has pam_unix before
pam_sss, and it's set so that if pam_unix succeeds, it skips pam_sss. That means that if
the user has an entry in /etc/passwd and they type a password matching that entry, it will
skip the Kerberos authentication, and you'll end up without a Kerberos credential.
On Jan 17, 2020, at 4:33 PM, Charles Hedrick via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
If it works for one login type and not for the other, chances are there's a difference in
the pam configuration files. Each service, which would include gdm and sshd, has a
configuration file in /etc/pam.d, which determines how authentication is done. If you are
using sssd for your authentication (which I recommend) authentication is done with an auth
entry using pam_sss. The file you want to look at is /var/log/auth.log.
You don’t want anything that relies on the user having a Kerberos ticket to come before
the pam_sss entry (which will likely be in common-auth, including from the sshd and gdm
files). You also don’t want anything that might need access to files, including config
files in the home directory, to come before the ticket is there.
On Jan 17, 2020, at 12:16 PM, Kristian Petersen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
The host is enrolled in Red Hat IdM and (as I understand it) pulls a kerberos key from the
IdM server on login when the user is from IdM. From looking at the syslog, it
authenticates me, begins a session, and then the failure occurs. I can see that it has
pulled down info about my user account in the syslog before it fails. Some of the lines I
see in the syslog are:
zorin systemd[1]: Started Session 4 of user sample@chem.byu.edu.
kernel: [ 134.496794] lockd: server fs2.chem.byu.edu not responding, still trying

...and after some other normal stuff we eventually get to...

Jan 16 12:17:11 zorin kernel: [ 153.305521] lockd: server fs2.chem.byu.edu not responding, still trying
Jan 16 12:17:11 zorin gnome-session[1545]: gnome-session-binary[1545]: WARNING: Application 'org.gnome.Shell.desktop' failed to register before timeout
Jan 16 12:17:11 zorin gnome-session[1545]: gnome-session-binary[1545]: CRITICAL: We failed, but the fail whale is dead. Sorry....
Jan 16 12:17:11 zorin gnome-session-binary[1545]: Unrecoverable failure in required component org.gnome.Shell.desktop
Jan 16 12:17:11 zorin gnome-session-binary[1545]: WARNING: Application 'org.gnome.Shell.desktop' failed to register before timeout
Jan 16 12:17:11 zorin gnome-session-binary[1545]: CRITICAL: We failed, but the fail whale is dead. Sorry....
Jan 16 12:17:11 zorin at-spi-bus-launcher[1649]: XIO: fatal IO error 11 (Resource temporarily unavailable) on X server ":0"
On Fri, Jan 17, 2020 at 9:48 AM Simo Sorce <simo@redhat.com> wrote:
On Fri, 2020-01-17 at 09:35 -0700, Kristian Petersen via FreeIPA-users wrote:
Hey all,
I am trying to get kerberized NFS home directories working in Ubuntu 18.04
with the mapping info coming from IPA. I can get them to mount on login in
a multi-user target (terminal only), but not a graphical one (using gdm for
login). The messages I am seeing in the syslog seem to indicate that it is
having issues communicating with the server hosting the NFS share and times
out. That doesn't make sense though since it works to mount in the
terminal like I would expect.
Is GDM trying to mount or walk the home directory *before* performing
authentication?
Or are you trying to manually mount/walk in the home in a terminal and
failing?
A failure indicates that the rpc.gssd daemon cannot find kerberos
credentials of the user.
What kind of credential cache do you use? Is it the same between
graphical and console logins? Do you use rpc.gssd integrated with gss-proxy or standalone?
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
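The common-auth ordering pitfall Charles describes at the top of the thread (pam_unix placed before pam_sss with a success jump that skips it, so a local /etc/passwd password logs the user in without a Kerberos ticket) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from FreeIPA/sssd; the sample common-auth content is constructed to resemble the Debian/Ubuntu default and is not taken from any host in the thread.

```shell
#!/bin/sh
# Constructed sample modelled on the Debian/Ubuntu default common-auth; it is
# not copied from any host in the thread.
SAMPLE_COMMON_AUTH='auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so'

# pam_stack_skips_sss [FILE]
# Reads a pam.d file (or stdin) and returns 0 when an "auth" pam_unix.so line
# sits before pam_sss.so with a control that jumps over it on success
# ([success=N ...] with N reaching pam_sss, [success=done ...], or
# "sufficient"). In that case a password matching /etc/passwd ends the auth
# stack before pam_sss runs, so the session starts with no Kerberos ticket.
pam_stack_skips_sss() {
    awk '
        $1 == "auth" {
            n++                          # position in the auth stack
            ctrl = $2; i = 3             # control field may be bracketed
            if (ctrl ~ /^\[/)
                while (ctrl !~ /\]$/ && i <= NF) { ctrl = ctrl " " $i; i++ }
            module = $i
            if (module ~ /pam_unix\.so$/) {
                unix_pos = n; unix_skip = 0
                if (match(ctrl, /success=[0-9]+/))
                    unix_skip = substr(ctrl, RSTART + 8, RLENGTH - 8) + 0
                else if (ctrl == "sufficient" || ctrl ~ /success=done/)
                    unix_skip = 1000000  # returns immediately: skips the rest
            }
            if (module ~ /pam_sss\.so$/ && unix_pos && !sss_pos) sss_pos = n
        }
        END {
            # success=N at position p jumps to p+N+1, so pam_sss is skipped
            # when its position lies in (p, p+N].
            if (sss_pos && sss_pos <= unix_pos + unix_skip) exit 0
            exit 1
        }' "$@"
}

# Stand-alone demo on the constructed sample.
if printf '%s\n' "$SAMPLE_COMMON_AUTH" | pam_stack_skips_sss; then
    echo "WARNING: pam_unix can skip pam_sss; local passwd users get no Kerberos ticket"
else
    echo "OK: pam_sss is reached before the stack returns"
fi
```

Run it against a real host with `pam_stack_skips_sss /etc/pam.d/common-auth`; a warning there matches the symptom in the thread (session starts, rpc.gssd finds no credentials) for any user who also has a local passwd entry.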