On 01/27/2011 10:06 AM, Andy Kannberg wrote:
Hi,
I've got the SSSD packages from RHEL 5.6 installed on a RHEL 5.4 system.
SSSD works fine on the command line and when logging in via KDE. Also
logging on with cached credentials (when network is off) works like a
charm, on the command line.
When I want to login with cached credentials via KDE (network
disabled), it goes wrong. KDE throws me a new login prompt, saying I
used the wrong userid or password.
When I check the /var/log/secure file, I see the following happens:
Jan 27 15:59:49 hpdw0001 su: pam_unix(su-l:session): session closed for user root
Jan 27 16:00:01 hpdw0001 crond[21924]: pam_unix(crond:session): session opened for user root by (uid=0)
Jan 27 16:00:01 hpdw0001 crond[21924]: pam_unix(crond:session): session closed for user root
Jan 27 16:00:20 hpdw0001 gdm[3744]: pam_unix(gdm:session): session closed for user nxp21358
Jan 27 16:00:20 hpdw0001 gdm[3744]: pam_console(gdm:session): getpwnam failed for nxp21358
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user unknown
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info message: Authenticated with cached credentials.
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error retrieving information about user nxp21358
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not identify user (from getpwnam(nxp21358))
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user unknown
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info message: Authenticated with cached credentials.
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error retrieving information about user nxp21358
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not identify user (from getpwnam(nxp21358))
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user unknown
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info message: Authenticated with cached credentials.
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error retrieving information about user nxp21358
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not identify user (from getpwnam(nxp21358))
Jan 27 16:01:01 hpdw0001 crond[21958]: pam_unix(crond:session): session opened for user root by (uid=0)
Jan 27 16:01:11 hpdw0001 crond[21958]: pam_unix(crond:session): session closed for user root
Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_unix(gdm:session): session opened for user nxp21358 by (uid=0)
Jan 27 16:01:50 hpdw0001 su: pam_unix(su-l:auth): authentication failure; logname=nxp21358 uid=3396 euid=0 tty=pts/8 ruser=nxp21358 rhost= user=root
Jan 27 16:01:56 hpdw0001 su: pam_unix(su-l:session): session opened for user root by nxp21358(uid=3396)
I'm not a PAM expert, but what I get from this is that the pam_succeed_if
module triggers a fail because pam_unix cannot find the user. How can I
solve this?
I think you probably want pam_succeed_if to be above pam_sss in your PAM
stack. Here's what mine looks like:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
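As an added illustration (not code from this thread or from Linux-PAM), the following small evaluator applies the control-flag semantics documented in pam.conf(5) to the auth phase of the stack above, with module results constructed to mirror the /var/log/secure excerpt (pam_unix cannot resolve the user, pam_sss accepts cached credentials). It shows that the `requisite` pam_succeed_if guard only ever takes effect when it sits above the `sufficient` pam_sss line; placed below it, a pam_sss success ends the stack before the guard is consulted.

```python
"""Simplified Linux-PAM control-flag evaluator (semantics as in pam.conf(5)).
Added example, not code from the post or from Linux-PAM; all module results are
constructed to mirror the /var/log/secure excerpt, not read from a real system."""

# Keyword controls expanded the way pam.conf(5) documents them.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):
    """'required' or '[success=ok user_unknown=ignore default=bad]' -> action table."""
    if control.startswith("["):
        return dict(item.split("=", 1) for item in control.strip("[]").split())
    return KEYWORDS[control]

def evaluate(stack, results):
    """stack: [(control, module)]; results: module -> return code.
    Returns (final code, list of modules actually consulted)."""
    status, failed, consulted = "perm_denied", False, []
    for control, module in stack:
        ret, table = results[module], parse_control(control)
        consulted.append(module)
        action = table.get(ret, table.get("default", "bad"))
        if action == "ignore":
            continue                   # this result does not affect the outcome
        if not failed:                 # the first failure fixes the error code;
            status = ret               # later successes cannot mask it
        if action in ("bad", "die"):
            failed = True
        if action in ("die", "done"):  # requisite failure / sufficient success
            break                      # stop here; nothing below is consulted
    return status, consulted

# The auth phase of the stack posted in the reply, in the posted order...
AUTH_POSTED = [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
               ("requisite", "pam_succeed_if.so"), ("sufficient", "pam_sss.so"),
               ("required", "pam_deny.so")]
# ...and with the pam_succeed_if guard moved below pam_sss.
AUTH_SWAPPED = [AUTH_POSTED[i] for i in (0, 1, 3, 2, 4)]

def outcome(stack, guard_result):
    """pam_unix cannot resolve the user and pam_sss accepts cached credentials (as in
    the log); guard_result is what the 'uid >= 500' test returns for this account."""
    results = {"pam_env.so": "success", "pam_unix.so": "user_unknown", "pam_sss.so": "success",
               "pam_succeed_if.so": guard_result, "pam_deny.so": "auth_err"}
    return evaluate(stack, results)
```

With the guard returning a failure (an account the `uid >= 500` test rejects), the posted order denies at pam_succeed_if while the swapped order still returns success from pam_sss without ever consulting the guard.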
--
Stephen Gallagher