Stephen,

I've tried to rearrange the system-auth. However, when offline, I still cannot login with KDE.
The system-auth looks like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
account     sufficient    pam_succeed_if.so uid > 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     sufficient    pam_localuser.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid > 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
#account     required      pam_access.so accessfile=/etc/security/access.netgroup.conf

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

#session     required      pam_limits.so
session     required      pam_unix.so
session     required      pam_keyinit.so revoke
session     optional      pam_sss.so

cheers,
Andy

2011/1/27 Stephen Gallagher <sgallagh@redhat.com>
On 01/27/2011 10:06 AM, Andy Kannberg wrote:
> Hi,
>
> I've got the SSSD packages from RHEL 5.6 installed on a RHEL 5.4 system.
> SSSD works fine on the command line and when logging in via KDE.  Also
> logging on with cached credentials (when network is off) works like a
> charm, on the command line.
> When I want to login with cached credentials via KDE (network
> disabled), it goes wrong. KDE throws me a new login prompt, saying I
> used the wrong userid or password.
>
> When I check the /var/log/secure file, I see the following happens:
>
>
> Jan 27 15:59:49 hpdw0001 su: pam_unix(su-l:session): session closed for
> user root
> Jan 27 16:00:01 hpdw0001 crond[21924]: pam_unix(crond:session): session
> opened for user root by (uid=0)
> Jan 27 16:00:01 hpdw0001 crond[21924]: pam_unix(crond:session): session
> closed for user root
> Jan 27 16:00:20 hpdw0001 gdm[3744]: pam_unix(gdm:session): session
> closed for user nxp21358
> Jan 27 16:00:20 hpdw0001 gdm[3744]: pam_console(gdm:session): getpwnam
> failed for nxp21358
> Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
> unknown
> Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
> Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info
> message: Authenticated with cached credentials.
> Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
> success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
> Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error
> retrieving information about user nxp21358
> Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not
> identify user (from getpwnam(nxp21358))
> Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
> unknown
> Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
> Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info
> message: Authenticated with cached credentials.
> Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
> success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
> Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error
> retrieving information about user nxp21358
> Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not
> identify user (from getpwnam(nxp21358))
> Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
> unknown
> Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
> Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info
> message: Authenticated with cached credentials.
> Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
> success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
> Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error
> retrieving information about user nxp21358
> Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not
> identify user (from getpwnam(nxp21358))
> Jan 27 16:01:01 hpdw0001 crond[21958]: pam_unix(crond:session): session
> opened for user root by (uid=0)
> Jan 27 16:01:11 hpdw0001 crond[21958]: pam_unix(crond:session): session
> closed for user root
> Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=nxp21358
> Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
> success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
> Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_unix(gdm:session): session
> opened for user nxp21358 by (uid=0)
> Jan 27 16:01:50 hpdw0001 su: pam_unix(su-l:auth): authentication
> failure; logname=nxp21358 uid=3396 euid=0 tty=pts/8 ruser=nxp21358
> rhost=  user=root
> Jan 27 16:01:56 hpdw0001 su: pam_unix(su-l:session): session opened for
> user root by nxp21358(uid=3396)
>
> I'm not a PAM expert, but what I get from this is that the pam_succeed
> module triggers a fail because pam_unix cannot find the user. How can I
> solve this?

I think you probably want pam_succeed_if to be above pam_sss in your PAM
stack. Here's what mine looks like:


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

-- 
Stephen Gallagher
RHCE 804006346421761

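Added here as an illustration, not code from either mail or from SSSD: a small Python model of how Linux-PAM walks the auth and account stacks of Stephen's system-auth above. The module return values are an assumption reconstructed from the /var/log/secure excerpt (pam_unix and pam_succeed_if cannot resolve the user, pam_sss succeeds from its cache), with a second set for the same user once name lookup works; jump (N) and reset actions are not modelled.

```python
import re
# Linux-PAM's documented expansions of the keyword controls (new_authtok_reqd omitted).
CONTROL = {"required": {"success": "ok", "default": "bad"}, "requisite": {"success": "ok", "default": "die"},
           "sufficient": {"success": "done", "default": "ignore"}, "optional": {"success": "ok", "default": "ignore"}}
LINE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\w+)\s+(\S+)")
DEFAULT = {"pam_deny.so": "auth_err"}  # pam_deny never succeeds; other unmodelled modules do
def parse_stack(config, mtype):
    """[(action-table, module)] for one management group of a pam.d file."""
    stack = []
    for m in filter(None, map(LINE.match, config.splitlines())):
        if m.group(1) == mtype:
            ctl = m.group(2)  # a keyword, or the explicit [value=action ...] form
            stack.append((dict(kv.split("=") for kv in ctl.strip("[]").split())
                          if ctl.startswith("[") else CONTROL[ctl], m.group(3)))
    return stack
def run_stack(config, mtype, outcomes):
    """Walk one stack as Linux-PAM's dispatcher does (ok/done/bad/die/ignore only; jumps
    and reset are not modelled). `outcomes` maps module or (type, module) to its return."""
    impression, status = None, "perm_denied"
    for table, module in parse_stack(config, mtype):
        retval = outcomes.get((mtype, module), outcomes.get(module, DEFAULT.get(module, "success")))
        action = table.get(retval, table.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break  # 'sufficient' short-circuits only if no required module has failed
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break  # 'requisite' ends the stack at once
    return "perm_denied" if impression is None else status
STEPHEN = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
"""
# Outcomes modelled from the log lines in the thread (assumption): offline, getpwnam() fails, only pam_sss knows the user.
OFFLINE_UNRESOLVED = {"pam_unix.so": "user_unknown", "pam_succeed_if.so": "service_err",
                      "pam_localuser.so": "perm_denied", "pam_sss.so": "success"}
# Same user (uid 3396) once NSS resolves it: no local hash for pam_unix auth, broken_shadow passes account, uid < 500 is false.
RESOLVED = {("auth", "pam_unix.so"): "auth_err", ("account", "pam_succeed_if.so"): "auth_err", "pam_localuser.so": "perm_denied"}
```

Under the modelled offline outcomes the account stack fails at the required pam_unix wherever pam_succeed_if sits, and the requisite pam_succeed_if ends the auth stack before pam_sss runs; once the user resolves, both stacks pass, so name-service lookup of the cached user is worth checking alongside the PAM order.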