9:06 a.m.
Hi,
I've got the SSSD packages from RHEL 5.6 installed on a RHEL 5.4 system.
SSSD works fine on the command line and when logging in via KDE. Also
logging on with cached credentials (when network is off) works like a charm,
on the command line.
When I want to login with cached credentials via KDE (network disabled.), it
goes wrong. KDE throws me a new login prompt, saying I used te wrong userid
or password.
When I check the /var/log/secure file, I see the following happens:
Jan 27 15:59:49 hpdw0001 su: pam_unix(su-l:session): session closed for user
root
Jan 27 16:00:01 hpdw0001 crond[21924]: pam_unix(crond:session): session
opened for user root by (uid=0)
Jan 27 16:00:01 hpdw0001 crond[21924]: pam_unix(crond:session): session
closed for user root
Jan 27 16:00:20 hpdw0001 gdm[3744]: pam_unix(gdm:session): session closed
for user nxp21358
Jan 27 16:00:20 hpdw0001 gdm[3744]: pam_console(gdm:session): getpwnam
failed for nxp21358
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
unknown
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info message:
Authenticated with cached credentials.
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error
retrieving information about user nxp21358
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not
identify user (from getpwnam(nxp21358))
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
unknown
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info message:
Authenticated with cached credentials.
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error
retrieving information about user nxp21358
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not
identify user (from getpwnam(nxp21358))
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
unknown
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info message:
Authenticated with cached credentials.
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error
retrieving information about user nxp21358
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not
identify user (from getpwnam(nxp21358))
Jan 27 16:01:01 hpdw0001 crond[21958]: pam_unix(crond:session): session
opened for user root by (uid=0)
Jan 27 16:01:11 hpdw0001 crond[21958]: pam_unix(crond:session): session
closed for user root
Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_unix(gdm:session): session opened
for user nxp21358 by (uid=0)
Jan 27 16:01:50 hpdw0001 su: pam_unix(su-l:auth): authentication failure;
logname=nxp21358 uid=3396 euid=0 tty=pts/8 ruser=nxp21358 rhost= user=root
Jan 27 16:01:56 hpdw0001 su: pam_unix(su-l:session): session opened for user
root by nxp21358(uid=3396)
I'm not a PAM expert, but what I get from this, is that the pam_succeed
module triggers a fail because pam_unix cannot find the user. How can I
solve this ??
cheers,
Andy
9:11 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/27/2011 10:06 AM, Andy Kannberg wrote:
Hi,
I've got the SSSD packages from RHEL 5.6 installed on a RHEL 5.4 system.
SSSD works fine on the command line and when logging in via KDE. Also
logging on with cached credentials (when network is off) works like a
charm, on the command line.
When I want to login with cached credentials via KDE (network
disabled.), it goes wrong. KDE throws me a new login prompt, saying I
used te wrong userid or password.
When I check the /var/log/secure file, I see the following happens:
Jan 27 15:59:49 hpdw0001 su: pam_unix(su-l:session): session closed for
user root
Jan 27 16:00:01 hpdw0001 crond[21924]: pam_unix(crond:session): session
opened for user root by (uid=0)
Jan 27 16:00:01 hpdw0001 crond[21924]: pam_unix(crond:session): session
closed for user root
Jan 27 16:00:20 hpdw0001 gdm[3744]: pam_unix(gdm:session): session
closed for user nxp21358
Jan 27 16:00:20 hpdw0001 gdm[3744]: pam_console(gdm:session): getpwnam
failed for nxp21358
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
unknown
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info
message: Authenticated with cached credentials.
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error
retrieving information about user nxp21358
Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not
identify user (from getpwnam(nxp21358))
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
unknown
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info
message: Authenticated with cached credentials.
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error
retrieving information about user nxp21358
Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not
identify user (from getpwnam(nxp21358))
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
unknown
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info
message: Authenticated with cached credentials.
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error
retrieving information about user nxp21358
Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not
identify user (from getpwnam(nxp21358))
Jan 27 16:01:01 hpdw0001 crond[21958]: pam_unix(crond:session): session
opened for user root by (uid=0)
Jan 27 16:01:11 hpdw0001 crond[21958]: pam_unix(crond:session): session
closed for user root
Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_unix(gdm:session): session
opened for user nxp21358 by (uid=0)
Jan 27 16:01:50 hpdw0001 su: pam_unix(su-l:auth): authentication
failure; logname=nxp21358 uid=3396 euid=0 tty=pts/8 ruser=nxp21358
rhost= user=root
Jan 27 16:01:56 hpdw0001 su: pam_unix(su-l:session): session opened for
user root by nxp21358(uid=3396)
I'm not a PAM expert, but what I get from this, is that the pam_succeed
module triggers a fail because pam_unix cannot find the user. How can I
solve this ??
I think you probably want pam_succeed_if to be above pam_sss in your PAM
stack. Here's what mine looks like:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass type=
password sufficient pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
- --
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk1BiwcACgkQeiVVYja6o6NuTwCePD6TfWA0/491XYipAeSR51ak
TVEAn2TBnxXZWXVKEafWAou+KgbR/eZe
=FoQ0
-----END PGP SIGNATURE-----
7:17 a.m.
Stephen,
I've tried to rearrange the system-auth. However, when offline, I still
cannot login with KDE.
the system-auth looks like this:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
account sufficient pam_succeed_if.so uid > 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account sufficient pam_localuser.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid > 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
#account required pam_access.so
accessfile=/etc/security/access.netgroup.conf
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_sss.so use_authtok
password required pam_deny.so
#session required pam_limits.so
session required pam_unix.so
session required pam_keyinit.so revoke
session optional pam_sss.so
cheers,
Andy
2011/1/27 Stephen Gallagher <sgallagh(a)redhat.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/27/2011 10:06 AM, Andy Kannberg wrote:
> Hi,
>
> I've got the SSSD packages from RHEL 5.6 installed on a RHEL 5.4 system.
> SSSD works fine on the command line and when logging in via KDE. Also
> logging on with cached credentials (when network is off) works like a
> charm, on the command line.
> When I want to login with cached credentials via KDE (network
> disabled.), it goes wrong. KDE throws me a new login prompt, saying I
> used te wrong userid or password.
>
> When I check the /var/log/secure file, I see the following happens:
>
>
> Jan 27 15:59:49 hpdw0001 su: pam_unix(su-l:session): session closed for
> user root
> Jan 27 16:00:01 hpdw0001 crond[21924]: pam_unix(crond:session): session
> opened for user root by (uid=0)
> Jan 27 16:00:01 hpdw0001 crond[21924]: pam_unix(crond:session): session
> closed for user root
> Jan 27 16:00:20 hpdw0001 gdm[3744]: pam_unix(gdm:session): session
> closed for user nxp21358
> Jan 27 16:00:20 hpdw0001 gdm[3744]: pam_console(gdm:session): getpwnam
> failed for nxp21358
> Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
> unknown
> Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
> Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info
> message: Authenticated with cached credentials.
> Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
> success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
> Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error
> retrieving information about user nxp21358
> Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not
> identify user (from getpwnam(nxp21358))
> Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
> unknown
> Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
> Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info
> message: Authenticated with cached credentials.
> Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
> success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
> Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error
> retrieving information about user nxp21358
> Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not
> identify user (from getpwnam(nxp21358))
> Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
> unknown
> Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
> Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info
> message: Authenticated with cached credentials.
> Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
> success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
> Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error
> retrieving information about user nxp21358
> Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not
> identify user (from getpwnam(nxp21358))
> Jan 27 16:01:01 hpdw0001 crond[21958]: pam_unix(crond:session): session
> opened for user root by (uid=0)
> Jan 27 16:01:11 hpdw0001 crond[21958]: pam_unix(crond:session): session
> closed for user root
> Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
> Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication
> success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
> Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_unix(gdm:session): session
> opened for user nxp21358 by (uid=0)
> Jan 27 16:01:50 hpdw0001 su: pam_unix(su-l:auth): authentication
> failure; logname=nxp21358 uid=3396 euid=0 tty=pts/8 ruser=nxp21358
> rhost= user=root
> Jan 27 16:01:56 hpdw0001 su: pam_unix(su-l:session): session opened for
> user root by nxp21358(uid=3396)
>
> I'm not a PAM expert, but what I get from this, is that the pam_succeed
> module triggers a fail because pam_unix cannot find the user. How can I
> solve this ??
I think you probably want pam_succeed_if to be above pam_sss in your PAM
stack. Here's what mine looks like:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass type=
password sufficient pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
- --
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk1BiwcACgkQeiVVYja6o6NuTwCePD6TfWA0/491XYipAeSR51ak
TVEAn2TBnxXZWXVKEafWAou+KgbR/eZe
=FoQ0
-----END PGP SIGNATURE-----
7:43 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/28/2011 08:17 AM, Andy Kannberg wrote:
Stephen,
I've tried to rearrange the system-auth. However, when offline, I still
cannot login with KDE.
the system-auth looks like this:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
account sufficient pam_succeed_if.so uid > 500 quiet
This line definitely looks out of place here. This should probably be
"auth" not "account, and it's recommended that it be
"requisite" instead
of "sufficient". Also, you probably want >= 500 rather than > 500
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account sufficient pam_localuser.so
account required pam_unix.so broken_shadow
You probably want to reverse
pam_unix and pam_localuser here
account sufficient pam_succeed_if.so uid > 500 quiet
This is backwards. You want system services (<500) to be sufficient
here, not all users > 500.
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
#account required pam_access.so
accessfile=/etc/security/access.netgroup.conf
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_sss.so use_authtok
password required pam_deny.so
#session required pam_limits.so
session required pam_unix.so
session required pam_keyinit.so revoke
session optional pam_sss.so
Give that a try.
- --
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk1Cx/YACgkQeiVVYja6o6OUUwCfbFWBEInxSt/UHQfagKs5Iwyb
wGEAoJ8/txMCI/fBNliHxhgdoJxFp7OD
=2kN+
-----END PGP SIGNATURE-----
8:23 a.m.
Hi Stephen,
errors are getting fewer, but still the same problem:
Jan 28 15:09:45 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
unknown
Jan 28 15:09:45 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jan 28 15:09:45 hpdw0001 gdm[3744]: pam_succeed_if(gdm:auth): error
retrieving information about user nxp21358
system-auth now looks like :
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
#account required pam_access.so
accessfile=/etc/security/access.netgroup.conf
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_sss.so use_authtok
password required pam_deny.so
#session required pam_limits.so
session required pam_unix.so
session required pam_keyinit.so revoke
session optional pam_sss.so
cheers,
Andy
2011/1/28 Stephen Gallagher <sgallagh(a)redhat.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/28/2011 08:17 AM, Andy Kannberg wrote:
> Stephen,
>
> I've tried to rearrange the system-auth. However, when offline, I still
> cannot login with KDE.
> the system-auth looks like this:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so likeauth nullok
> account sufficient pam_succeed_if.so uid > 500 quiet
This line definitely looks out of place here. This should probably be
"auth" not "account, and it's recommended that it be
"requisite" instead
of "sufficient". Also, you probably want >= 500 rather than > 500
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
>
> account sufficient pam_localuser.so
> account required pam_unix.so broken_shadow
You probably want to reverse pam_unix and pam_localuser here
> account sufficient pam_succeed_if.so uid > 500 quiet
This is backwards. You want system services (<500) to be sufficient
here, not all users > 500.
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
> #account required pam_access.so
> accessfile=/etc/security/access.netgroup.conf
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so nullok use_authtok md5 shadow
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> #session required pam_limits.so
> session required pam_unix.so
> session required pam_keyinit.so revoke
> session optional pam_sss.so
Give that a try.
- --
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk1Cx/YACgkQeiVVYja6o6OUUwCfbFWBEInxSt/UHQfagKs5Iwyb
wGEAoJ8/txMCI/fBNliHxhgdoJxFp7OD
=2kN+
-----END PGP SIGNATURE-----
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
9:11 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/28/2011 09:23 AM, Andy Kannberg wrote:
Hi Stephen,
errors are getting fewer, but still the same problem:
Jan 28 15:09:45 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user
unknown
Jan 28 15:09:45 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jan 28 15:09:45 hpdw0001 gdm[3744]: pam_succeed_if(gdm:auth): error
retrieving information about user nxp21358
system-auth now looks like :
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
#account required pam_access.so
accessfile=/etc/security/access.netgroup.conf
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_sss.so use_authtok
password required pam_deny.so
#session required pam_limits.so
session required pam_unix.so
session required pam_keyinit.so revoke
session optional pam_sss.so
Sorry, I didn't realize before that you were using gdm, not kdm. GDM
also requires that you make the same changes you made to system-auth
into password-auth. (It's a long story, but it has to do with GDM's
parallel PAM stack solution to multiple authentication methods)
- --
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk1C3KcACgkQeiVVYja6o6PEygCeP06ucGluHktONkl0x/tDmge3
ozAAn0/amqV84rSqla/if+iEYpA2AEVn
=/Ccf
-----END PGP SIGNATURE-----
4835
days inactive
4836
days old
sssd-devel@lists.fedorahosted.org
5 comments
2 participants
participants (2)
-
Andy Kannberg -
Stephen Gallagher