On Fri, Aug 18, 2017 at 5:03 PM, Lukas Slebodnik <lslebodn@redhat.com> wrote:

On (18/08/17 15:37), Louis Garcia wrote:
>On Fri, Aug 18, 2017 at 12:54 PM, Louis Garcia <louisgtwo@gmail.com> wrote:
>
>> On Fri, Aug 18, 2017 at 12:24 PM, Louis Garcia <louisgtwo@gmail.com>
>> wrote:
>>
>>> On Fri, Aug 18, 2017 at 11:58 AM, Louis Garcia <louisgtwo@gmail.com>
>>> wrote:
>>>
>>>> On Fri, Aug 18, 2017 at 4:08 AM, Jakub Hrozek <jhrozek@redhat.com>
>>>> wrote:
>>>>
>>>>> On Fri, Aug 18, 2017 at 08:42:34AM +0200, Lukas Slebodnik wrote:
>>>>> > On (17/08/17 12:38), Louis Garcia wrote:
>>>>> > >Sorry to mail you directly but I think the sssd user mailing list is
>>>>> not
>>>>> > >accepting my emails. I replied twice to this thread yesterday and
>>>>> both
>>>>> > >bounced.
>>>>> > >
>>>>> >
>>>>>
>>>>> > I have no idea why you have problems to send a mails there.
>>>>>
>>>>> Sorry, this is partially my fault. I should be watching the moderation
>>>>> queue, but lately we've been getting so much spam (sometimes one spam
>>>>> attempt per hour) that I overlooked your e-mail.
>>>>>
>>>>> You can subscribe to the list and then your messages will go right to
>>>>> the list w/o the moderation queue!
>>>>>
>>>>
>>>> sssd-users-request@lists.fedorahosted.org
>>>> Aug 15 (3 days ago)
>>>>
>>>>
>>>> to me
>>>> Welcome to the "sssd-users" mailing list!
>>>>
>>>
>>> I subscribed here: https://lists.fedorahosted.org
>>> /admin/lists/sssd-users.lists.fedorahosted.org/ and I receive all emails
>>> from the list but I don't have a user account.
>>> How do I properly subscribe?
>>>
>>>
>> I test by login out of gnome and login back in. After I open a terminal
>> and run klist
>>
>> klist: Credentials cache keyring 'persistent:1000:1000' not found
>>
>> Then I need to kinit and if I klist again
>>
>> Ticket cache: KEYRING:persistent:1000:1000
>> Default principal: louisgtwo@MONTCLAIRE.LOCAL
>>
>> Valid starting Expires Service principal
>> 08/18/2017 12:33:50 08/19/2017 12:33:33 krbtgt/MONTCLAIRE.LOCAL@
>> MONTCLAIRE.LOCAL
>>
>>
>> after that I can ssh and mount nfs4 krb5p. I want to receive my ticket
>> when I login.
>>
>> I am not sure how to search journald. I used 'journalctl -u pam' with no
>> effect
>>
IMHO the simplest would be following command.
journalctl --since=-30min | grep pam_

>> #cat /etc/pam.d/system-auth
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth required pam_faildelay.so delay=2000000
>> auth sufficient pam_fprintd.so
>> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >=
>> 1000 quiet
>> auth [default=1 ignore=ignore success=ok] pam_localuser.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
>> auth sufficient pam_sss.so forward_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 1000 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>> account required pam_permit.so
>>
>> password requisite pam_pwquality.so try_first_pass local_users_only
>> retry=3 authtok_type=
>> password sufficient pam_unix.so sha512 shadow nullok try_first_pass
>> use_authtok
>> password sufficient pam_sss.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> -session optional pam_systemd.so
>> session [success=1 default=ignore] pam_succeed_if.so service in crond
>> quiet use_uid
>> session required pam_unix.so
>> session optional pam_sss.so
>>
>> # cat /etc/pam.d/password-auth
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth required pam_faildelay.so delay=2000000
>> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >=
>> 1000 quiet
>> auth [default=1 ignore=ignore success=ok] pam_localuser.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
>> auth sufficient pam_sss.so forward_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 1000 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>> account required pam_permit.so
>>
>> password requisite pam_pwquality.so try_first_pass local_users_only
>> retry=3 authtok_type=
>> password sufficient pam_unix.so sha512 shadow nullok try_first_pass
>> use_authtok
>> password sufficient pam_sss.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> -session optional pam_systemd.so
>> session [success=1 default=ignore] pam_succeed_if.so service in crond
>> quiet use_uid
>> session required pam_unix.so
>> session optional pam_sss.so
>>
>>
>do I need to login to gdm with my domain realm? louisgtwo@montclaire.local
>??

It should not be related to your issue. But realm is usually uppercase.

uppercase doesn't work either.

You use id_provider files + auth_provider krb5.

If I remove id_provider files and auth_provider krb5 is not working I will be locked out?

If I switch the domains will sssd search krb5 first?

[domain/files]

auth_provider = krb5

id_provider = files

I assume that local user still have a local password.
Is local password(in /etc/shadow) the same as you have for kerberos(passed to
kinit)?

I have a local user/passwd that is the same for kerberos, this is how I login now. I believe their is a bug for this.

https://bugzilla.redhat.com/show_bug.cgi?id=1429843

If I delete the passwd from the local box my account will not show up in gdm login screen.

Yes I have tried this and could not login going through 'not listed?'. I would rather get sssd working before I remove the local account.

BTW if you still have local password then you will be able to login
with both passwords. But only logging with krb5 password will obtain ticket for
you. otherwise pam_unix will be used an not pam_sss.

If you have root password then you can delete local password with
passwd --delete $local_user.
So you will not use local password by mistake for login.

LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org

#journalctl --since=-30min | grep pam_
Aug 18 18:32:34 kitten.montclaire.local gdm-password][5376]: pam_unix(gdm-password:session): session closed for user louisgtwo
Aug 18 18:32:34 kitten.montclaire.local audit[5376]: USER_END pid=5376 uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss,pam_gnome_keyring acct="louisgtwo" exe="/usr/libexec/gdm-session-worker" hostname=kitten.montclaire.local addr=? terminal=/dev/tty2 res=success'
Aug 18 18:32:34 kitten.montclaire.local audit[5376]: CRED_DISP pid=5376 uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix,pam_gnome_keyring acct="louisgtwo" exe="/usr/libexec/gdm-session-worker" hostname=kitten.montclaire.local addr=? terminal=/dev/tty2 res=success'
Aug 18 18:33:14 kitten.montclaire.local gdm-password][8494]: pam_unix(gdm-password:auth): check pass; user unknown
Aug 18 18:33:14 kitten.montclaire.local gdm-password][8494]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Aug 18 18:33:27 kitten.montclaire.local gdm-password][8501]: pam_unix(gdm-password:auth): check pass; user unknown
Aug 18 18:33:27 kitten.montclaire.local gdm-password][8501]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Aug 18 18:33:39 kitten.montclaire.local audit[8505]: USER_AUTH pid=8505 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_localuser,pam_unix,pam_gnome_keyring acct="louisgtwo" exe="/usr/libexec/gdm-session-worker" hostname=kitten.montclaire.local addr=? terminal=/dev/tty1 res=success'
Aug 18 18:33:39 kitten.montclaire.local audit[8505]: USER_ACCT pid=8505 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="louisgtwo" exe="/usr/libexec/gdm-session-worker" hostname=kitten.montclaire.local addr=? terminal=/dev/tty1 res=success'
Aug 18 18:33:39 kitten.montclaire.local audit[8505]: CRED_ACQ pid=8505 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix,pam_gnome_keyring acct="louisgtwo" exe="/usr/libexec/gdm-session-worker" hostname=kitten.montclaire.local addr=? terminal=/dev/tty1 res=success'
Aug 18 18:33:39 kitten.montclaire.local audit[8512]: USER_ACCT pid=8512 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="louisgtwo" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 18 18:33:39 kitten.montclaire.local systemd[8512]: pam_unix(systemd-user:session): session opened for user louisgtwo by (uid=0)
Aug 18 18:33:39 kitten.montclaire.local audit[8512]: USER_START pid=8512 uid=0 auid=1000 ses=7 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss acct="louisgtwo" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 18 18:33:40 kitten.montclaire.local gdm-password][8505]: pam_unix(gdm-password:session): session opened for user louisgtwo by louisgtwo(uid=0)
Aug 18 18:33:40 kitten.montclaire.local audit[8505]: USER_START pid=8505 uid=0 auid=1000 ses=6 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss,pam_gnome_keyring acct="louisgtwo" exe="/usr/libexec/gdm-session-worker" hostname=kitten.montclaire.local addr=? terminal=/dev/tty2 res=success'
Aug 18 18:34:21 kitten.montclaire.local audit[9330]: USER_AUTH pid=9330 uid=1000 auid=1000 ses=7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=kitten.montclaire.local addr=? terminal=pts/0 res=success'
Aug 18 18:34:21 kitten.montclaire.local audit[9330]: USER_ACCT pid=9330 uid=1000 auid=1000 ses=7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/su" hostname=kitten.montclaire.local addr=? terminal=pts/0 res=success'
Aug 18 18:34:21 kitten.montclaire.local audit[9330]: CRED_ACQ pid=9330 uid=1000 auid=1000 ses=7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=kitten.montclaire.local addr=? terminal=pts/0 res=success'
Aug 18 18:34:21 kitten.montclaire.local su[9330]: pam_systemd(su:session): Cannot create session: Already occupied by a session
Aug 18 18:34:21 kitten.montclaire.local su[9330]: pam_unix(su:session): session opened for user root by (uid=1000)
Aug 18 18:34:21 kitten.montclaire.local audit[9330]: USER_START pid=9330 uid=1000 auid=1000 ses=7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/su" hostname=kitten.montclaire.local addr=? terminal=pts/0 res=success'