Re: [SSSD-users] sssd-users Digest, Vol 18, Issue 25

Send sssd-users mailing list submissions to sssd-users(a)lists.fedorahosted.org To subscribe or unsubscribe via the World Wide Web, visit https://lists.fedorahosted.org/mailman/listinfo/sssd-users or, via email, send a message with subject or body 'help' to sssd-users-request(a)lists.fedorahosted.org You can reach the person managing the list at sssd-users-owner(a)lists.fedorahosted.org When replying, please edit your Subject line so it is more specific than "Re: Contents of sssd-users digest..." Today's Topics: 1. GDM login (Roberts Klotiņš) 2. Re: GDM login (Jakub Hrozek) ---------------------------------------------------------------------- Message: 1 Date: Thu, 24 Oct 2013 09:59:50 +0100 From: Roberts Klotiņš <roberts.klotins(a)gmail.com&gt; To: sssd-users(a)lists.fedorahosted.org Subject: [SSSD-users] GDM login Message-ID: < CALr2nHs9s41VbMVECCLrUQx1mfJYgsQFcLAxzT-0QzudHuaW8g(a)mail.gmail.com&gt; Content-Type: text/plain; charset="utf-8" Hello, After 2 days of reading on Samba4 SSSD and AD login I am running into problems. I have set up - AD server with Samba 4.2 (CentOS 6.3) - domain PEOPLE.LOCAL - Fedora 19 machine - Windows XP machine joined the domain without problems, I can run dsa.msc successfully I want to achieve AD user login from gdm. I understand that I should create used with dsa.msc and then I don't know if I should add it through Fedora 19 user control panel. I tried it anyhow (was useful in debugging) but changes do not persist. I set up sssd (ver 1.11.1) it seems alright with AD options: - id and getent work for passwords and groups In my sssd.conf I have specified domain as [domain\PEOPLE] as all the correct server addresses etc are given there and it is easier to refer to the domain just by one name. sssd loads fine, getent passwd 'PEOPLE\user' works - realm discover gives this result realm discover --verbose PEOPLE.LOCAL * Resolving: _ldap._tcp.people.local * Performing LDAP DSE lookup on: 192.168.1.74 ! Received invalid or unsupported Netlogon data from server people.local type: kerberos realm-name: PEOPLE.LOCAL domain-name: people.local configured: no I can add previously defined domain user via Settings - User : Enterprise with correct username and password, however this does not persist - if I close the user admin panel and then re-open it, the added user is gone. If I try to log on from GDM (user not listed so I use PEOPLE\user) I get authentication failure /var/log/secure gives these messages: date:00:19 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1 date:00:19 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1 date:00:19 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr1: 6 (Permission denied) date:00:48 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1 date:00:48 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1 date:00:48 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr1: 6 (Permission denied) date:01:40 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2 date:01:40 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2 date:01:40 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 6 (Permission denied) date:01:46 host gdm-password]: pam_unix(gdm-password:auth): conversation failed date:01:46 host gdm-password]: pam_unix(gdm-password:auth): auth could not identify password for [PEOPLE\usr2] date:01:46 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2 date:01:46 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 7 (Authentication failure) date:01:46 host gdm-password]: gkr-pam: no password is available for user Could someone point me in the right direction as to what is wrong with my setup. I have sorted some problems out by myself, but here I feel out of depth. Many thanks, Roberts -------------- next part -------------- An HTML attachment was scrubbed... URL: < https://lists.fedorahosted.org/pipermail/sssd-users/attachments/20131024/... > ------------------------------ Message: 2 Date: Thu, 24 Oct 2013 12:01:11 +0200 From: Jakub Hrozek <jhrozek(a)redhat.com&gt; To: sssd-users(a)lists.fedorahosted.org Subject: Re: [SSSD-users] GDM login Message-ID: <20131024100111.GD4240(a)hendrix.redhat.com&gt; Content-Type: text/plain; charset=utf-8 On Thu, Oct 24, 2013 at 09:59:50AM +0100, Roberts Klotiņš wrote: > Hello, > > After 2 days of reading on Samba4 SSSD and AD login I am running into > problems. I have set up > - AD server with Samba 4.2 (CentOS 6.3) - domain PEOPLE.LOCAL > - Fedora 19 machine > - Windows XP machine joined the domain without problems, I can run > dsa.msc successfully > > I want to achieve AD user login from gdm. I understand that I should create > used with dsa.msc and then I don't know if I should add it through Fedora > 19 user control panel. I tried it anyhow (was useful in debugging) but > changes do not persist. > > I set up sssd (ver 1.11.1) it seems alright with AD options: > - id and getent work for passwords and groups > > In my sssd.conf I have specified domain as [domain\PEOPLE] > as all the correct server addresses etc are given there and it is easier to > refer to the domain just by one name. > sssd loads fine, getent passwd 'PEOPLE\user' works > > - realm discover gives this result > realm discover --verbose PEOPLE.LOCAL > * Resolving: _ldap._tcp.people.local > * Performing LDAP DSE lookup on: 192.168.1.74 > ! Received invalid or unsupported Netlogon data from server > people.local ^^^ This is a Samba bug. I've seen it reported by another user, but I'm not sure if it's reported to Samba upstream. > type: kerberos > realm-name: PEOPLE.LOCAL > domain-name: people.local > configured: no > > I can add previously defined domain user via Settings - User : Enterprise > with correct username and password, however this does not persist - if I > close the user admin panel and then re-open it, the added user is gone. This sounds like Enterprise Logins bug, but let's resolve the Permission Denied first. > > If I try to log on from GDM (user not listed so I use PEOPLE\user) I get > authentication failure > /var/log/secure gives these messages: > > date:00:19 host gdm-password]: pam_unix(gdm-password:auth): authentication > failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= > user=PEOPLE\usr1 > date:00:19 host gdm-password]: pam_sss(gdm-password:auth): authentication > failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= > user=PEOPLE\usr1 > date:00:19 host gdm-password]: pam_sss(gdm-password:auth): received for > user PEOPLE\usr1: 6 (Permission denied) > date:00:48 host gdm-password]: pam_unix(gdm-password:auth): authentication > failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= > user=PEOPLE\usr1 > date:00:48 host gdm-password]: pam_sss(gdm-password:auth): authentication > failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= > user=PEOPLE\usr1 > date:00:48 host gdm-password]: pam_sss(gdm-password:auth): received for > user PEOPLE\usr1: 6 (Permission denied) > date:01:40 host gdm-password]: pam_unix(gdm-password:auth): authentication > failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= > user=PEOPLE\usr2 > date:01:40 host gdm-password]: pam_sss(gdm-password:auth): authentication > failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= > user=PEOPLE\usr2 > date:01:40 host gdm-password]: pam_sss(gdm-password:auth): received for > user PEOPLE\usr2: 6 (Permission denied) > date:01:46 host gdm-password]: pam_unix(gdm-password:auth): conversation > failed > date:01:46 host gdm-password]: pam_unix(gdm-password:auth): auth could not > identify password for [PEOPLE\usr2] > date:01:46 host gdm-password]: pam_sss(gdm-password:auth): authentication > failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= > user=PEOPLE\usr2 > date:01:46 host gdm-password]: pam_sss(gdm-password:auth): received for > user PEOPLE\usr2: 7 (Authentication failure) > date:01:46 host gdm-password]: gkr-pam: no password is available for user > > Could someone point me in the right direction as to what is wrong with my > setup. I have sorted some problems out by myself, but here I feel out of > depth. > > Many thanks, > > Roberts Can you attach your sssd.conf? I suspect that realmd/enterprise logins set up the simple access provider and the user is not included in the ------------------------------ _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users End of sssd-users Digest, Vol 18, Issue 25 ******************************************