On Thu, Oct 24, 2013 at 09:59:50AM +0100, Roberts Klotiņš wrote:
Hello,
After 2 days of reading on Samba4 SSSD and AD login I am running into
problems. I have set up
- AD server with Samba 4.2 (CentOS 6.3) - domain PEOPLE.LOCAL
- Fedora 19 machine
- Windows XP machine joined the domain without problems, I can run
dsa.msc successfully
I want to achieve AD user login from gdm. I understand that I should create
a user with dsa.msc, and then I don't know if I should add it through the Fedora
19 user control panel. I tried it anyhow (it was useful in debugging) but
the changes do not persist.
I set up sssd (ver 1.11.1); it seems alright with AD options:
- id and getent work for passwords and groups
In my sssd.conf I have specified domain as [domain\PEOPLE]
as all the correct server addresses etc are given there and it is easier to
refer to the domain just by one name.
sssd loads fine, getent passwd 'PEOPLE\user' works
- realm discover gives this result
realm discover --verbose PEOPLE.LOCAL
* Resolving: _ldap._tcp.people.local
* Performing LDAP DSE lookup on: 192.168.1.74
! Received invalid or unsupported Netlogon data from server
people.local

^^^ This is a Samba bug. I've seen it reported by another user, but I'm
not sure if it's reported to Samba upstream.

type: kerberos
realm-name: PEOPLE.LOCAL
domain-name: people.local
configured: no
I can add previously defined domain user via Settings - User : Enterprise
with correct username and password, however this does not persist - if I
close the user admin panel and then re-open it, the added user is gone.

This sounds like an Enterprise Logins bug, but let's resolve the Permission
Denied first.

If I try to log on from GDM (user not listed so I use PEOPLE\user) I get
authentication failure
/var/log/secure gives these messages:
date:00:19 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
date:00:19 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
date:00:19 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr1: 6 (Permission denied)
date:00:48 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
date:00:48 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
date:00:48 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr1: 6 (Permission denied)
date:01:40 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
date:01:40 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
date:01:40 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 6 (Permission denied)
date:01:46 host gdm-password]: pam_unix(gdm-password:auth): conversation failed
date:01:46 host gdm-password]: pam_unix(gdm-password:auth): auth could not identify password for [PEOPLE\usr2]
date:01:46 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
date:01:46 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 7 (Authentication failure)
date:01:46 host gdm-password]: gkr-pam: no password is available for user
Could someone point me in the right direction as to what is wrong with my
setup? I have sorted some problems out by myself, but here I feel out of my
depth.
Many thanks,
Roberts

Can you attach your sssd.conf? I suspect that realmd/enterprise logins
set up the simple access provider and the user is not included in the