Re: [SSSD] Problem with authentication via KDE

Thursday, 27 January 2011

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/27/2011 10:06 AM, Andy Kannberg wrote:
...
 Hi,

 I've got the SSSD packages from RHEL 5.6 installed on a RHEL 5.4 system.
 SSSD works fine on the command line and when logging in via KDE.  Also
 logging on with cached credentials (when network is off) works like a
 charm, on the command line.
 When I want to login with cached credentials via KDE (network
 disabled.), it goes wrong. KDE throws me a new login prompt, saying I
 used te wrong userid or password.

 When I check the /var/log/secure file, I see the following happens:

 Jan 27 15:59:49 hpdw0001 su: pam_unix(su-l:session): session closed for
 user root
 Jan 27 16:00:01 hpdw0001 crond[21924]: pam_unix(crond:session): session
 opened for user root by (uid=0)
 Jan 27 16:00:01 hpdw0001 crond[21924]: pam_unix(crond:session): session
 closed for user root
 Jan 27 16:00:20 hpdw0001 gdm[3744]: pam_unix(gdm:session): session
 closed for user nxp21358
 Jan 27 16:00:20 hpdw0001 gdm[3744]: pam_console(gdm:session): getpwnam
 failed for nxp21358
 Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
 unknown
 Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
 failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
 Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info
 message: Authenticated with cached credentials.
 Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
 success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
 Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error
 retrieving information about user nxp21358
 Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not
 identify user (from getpwnam(nxp21358))
 Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
 unknown
 Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
 failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
 Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info
 message: Authenticated with cached credentials.
 Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
 success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
 Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error
 retrieving information about user nxp21358
 Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not
 identify user (from getpwnam(nxp21358))
 Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
 unknown
 Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
 failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
 Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info
 message: Authenticated with cached credentials.
 Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
 success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
 Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error
 retrieving information about user nxp21358
 Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not
 identify user (from getpwnam(nxp21358))
 Jan 27 16:01:01 hpdw0001 crond[21958]: pam_unix(crond:session): session
 opened for user root by (uid=0)
 Jan 27 16:01:11 hpdw0001 crond[21958]: pam_unix(crond:session): session
 closed for user root
 Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
 failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=nxp21358
 Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
 success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
 Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_unix(gdm:session): session
 opened for user nxp21358 by (uid=0)
 Jan 27 16:01:50 hpdw0001 su: pam_unix(su-l:auth): authentication
 failure; logname=nxp21358 uid=3396 euid=0 tty=pts/8 ruser=nxp21358
 rhost=  user=root
 Jan 27 16:01:56 hpdw0001 su: pam_unix(su-l:session): session opened for
 user root by nxp21358(uid=3396)

 I'm not a PAM expert, but what I get from this, is that the pam_succeed
 module triggers a fail because pam_unix cannot find the user. How can I
 solve this ?? 
I think you probably want pam_succeed_if to be above pam_sss in your PAM
stack. Here's what mine looks like:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass type=
password    sufficient    pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
...PGP SIGNATURE...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1BiwcACgkQeiVVYja6o6NuTwCePD6TfWA0/491XYipAeSR51ak
TVEAn2TBnxXZWXVKEafWAou+KgbR/eZe
=FoQ0
-----END PGP SIGNATURE----- 

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Re: [SSSD] Problem with authentication via KDE