Hi, thanks a lot for looking into this.
As you suspected, there is something that enterprise simple login added
into the config file:
[sssd]
services = nss, pam
config_file_version = 2
domains = PEOPLE
[nss]
filter_users = root
filter_groups = root
[pam]
[domain/PEOPLE]
description = PEOPLE AD domain
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_server = srv1.people.local
ad_hostname = client1.people.local
ad_domain = PEOPLE.LOCAL
case_sensitive = false
enumerate = true
cache_credentials = true
simple_allow_users = usr1, usr2
However when I deleted the last line in this file I got the same result.
/var/log/secure
datet:42:54 robbie gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:1 ruser= rhost= user=PEOPLE\usr2
datet:42:54 robbie gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:1 ruser= rhost= user=PEOPLE\usr2
datet:42:54 robbie gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 6 (Permission denied)
datet:42:59 robbie gdm-password]: pam_unix(gdm-password:auth): conversation failed
datet:42:59 robbie gdm-password]: pam_unix(gdm-password:auth): auth could not identify password for [PEOPLE\usr2]
datet:42:59 robbie gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:1 ruser= rhost= user=PEOPLE\usr2
datet:42:59 robbie gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 7 (Authentication failure)
It appears I may need to configure something in pam, but maybe that is not
the case??
Your help is much appreciated.
Roberts
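To make the two things the thread is juggling concrete (what the posted sssd.conf actually enforces, and what the pam_sss return codes in /var/log/secure mean), here is an added example; it is not code from the thread or from SSSD itself. It parses a constructed copy of the sssd.conf and of the pam_sss log lines posted above. Two assumptions are built in: the simple access provider is modelled in simplified form (simple_allow_users only, no group or deny lists) and with SSSD's default access_provider of permit; and the one-line hint text attached to each PAM code is my own reading aid, while the numeric code names (6 = PAM_PERM_DENIED, 7 = PAM_AUTH_ERR) are the Linux-PAM values the log itself prints.

```python
import configparser
import re

# Constructed copy of the sssd.conf posted earlier in this thread.
SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = PEOPLE

[nss]
filter_users = root
filter_groups = root

[pam]

[domain/PEOPLE]
description = PEOPLE AD domain
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_server = srv1.people.local
ad_hostname = client1.people.local
ad_domain = PEOPLE.LOCAL
case_sensitive = false
enumerate = true
cache_credentials = true
simple_allow_users = usr1, usr2
"""

# Constructed sample: the pam_sss / pam_unix lines from the /var/log/secure
# excerpt in the thread, one log entry per line (timestamps shortened as posted).
SECURE_LOG = """\
datet:42:54 robbie gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:1 ruser= rhost= user=PEOPLE\\usr2
datet:42:54 robbie gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\\usr2: 6 (Permission denied)
datet:42:59 robbie gdm-password]: pam_unix(gdm-password:auth): auth could not identify password for [PEOPLE\\usr2]
datet:42:59 robbie gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\\usr2: 7 (Authentication failure)
"""

# Linux-PAM return codes as pam_sss reports them in "received for user ...: N (...)".
# The hint strings are this example's reading aid, not SSSD's own wording.
PAM_CODES = {
    6: ("PAM_PERM_DENIED", "refused before/without checking the credential (e.g. access control)"),
    7: ("PAM_AUTH_ERR", "credential was checked and rejected"),
    9: ("PAM_AUTHINFO_UNAVAIL", "authentication backend unreachable"),
    10: ("PAM_USER_UNKNOWN", "user not known to SSSD"),
}

RECEIVED_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):auth\): received for user (?P<user>\S+): (?P<code>\d+) \("
)


def parse_sssd_conf(text):
    """sssd.conf is INI-style, so configparser reads it (interpolation off: values may contain %)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def short_name(user, case_sensitive):
    """Strip a DOMAIN\\ prefix and fold case the way case_sensitive = false would."""
    name = user.split("\\", 1)[1] if "\\" in user else user
    return name if case_sensitive else name.lower()


def access_findings(cp, domain):
    """Return (effective access provider, parsed allow list, list of findings)."""
    sec = cp["domain/" + domain]
    provider = sec.get("access_provider", "permit")  # assumption: SSSD default is permit
    allow_raw = sec.get("simple_allow_users")
    allow = [u.strip() for u in allow_raw.split(",") if u.strip()] if allow_raw else []
    findings = []
    if allow and provider != "simple":
        # simple_* options are only read by the simple provider; here they are dead config.
        findings.append("simple_allow_users is set but ignored: access_provider = %s" % provider)
    return provider, allow, findings


def simple_allows(cp, domain, user):
    """Simplified model of the simple provider: with a non-empty allow list, only listed users pass."""
    sec = cp["domain/" + domain]
    case_sensitive = sec.getboolean("case_sensitive", True)
    _, allow, _ = access_findings(cp, domain)
    if not allow:
        return True
    wanted = short_name(user, case_sensitive)
    return wanted in {short_name(u, case_sensitive) for u in allow}


def pam_sss_results(log_text):
    """Return (user, numeric code, symbolic PAM name) for each pam_sss 'received for user' line."""
    out = []
    for line in log_text.splitlines():
        m = RECEIVED_RE.search(line)
        if m:
            code = int(m.group("code"))
            out.append((m.group("user"), code, PAM_CODES.get(code, ("UNKNOWN", ""))[0]))
    return out


if __name__ == "__main__":
    cp = parse_sssd_conf(SSSD_CONF)
    provider, allow, findings = access_findings(cp, "PEOPLE")
    print("access_provider:", provider, "| simple_allow_users:", allow)
    for f in findings:
        print("finding:", f)
    for user, code, name in pam_sss_results(SECURE_LOG):
        print("%s -> %d %s: %s" % (user, code, name, PAM_CODES[code][1]))
```

Run against the posted config this reports that simple_allow_users is present but not in effect, because access_provider is ad, not simple; the same check against a copy with access_provider = simple reports nothing and then admits PEOPLE\usr2 (case-folded, since case_sensitive = false) while rejecting an unlisted user. The log parser separates the two failure shapes in the excerpt: the 6 returned at :42:54 and the 7 returned at :42:59, which pam_unix's "could not identify password" line next to it suggests was an attempt without a usable password.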
On 24 October 2013 13:00, <sssd-users-request(a)lists.fedorahosted.org> wrote:
Today's Topics:
1. GDM login (Roberts Klotiņš)
2. Re: GDM login (Jakub Hrozek)
----------------------------------------------------------------------
Message: 1
Date: Thu, 24 Oct 2013 09:59:50 +0100
From: Roberts Klotiņš <roberts.klotins(a)gmail.com>
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] GDM login
Message-ID: <CALr2nHs9s41VbMVECCLrUQx1mfJYgsQFcLAxzT-0QzudHuaW8g(a)mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hello,
After 2 days of reading on Samba4 SSSD and AD login I am running into
problems. I have set up
- AD server with Samba 4.2 (CentOS 6.3) - domain PEOPLE.LOCAL
- Fedora 19 machine
- Windows XP machine joined the domain without problems, I can run
dsa.msc successfully
I want to achieve AD user login from gdm. I understand that I should create
a user with dsa.msc, and then I don't know if I should add it through the Fedora
19 user control panel. I tried it anyhow (was useful in debugging) but
changes do not persist.
I set up sssd (ver 1.11.1); it seems alright with AD options:
- id and getent work for passwords and groups
In my sssd.conf I have specified domain as [domain\PEOPLE]
as all the correct server addresses etc are given there and it is easier to
refer to the domain just by one name.
sssd loads fine, getent passwd 'PEOPLE\user' works
- realm discover gives this result
realm discover --verbose PEOPLE.LOCAL
* Resolving: _ldap._tcp.people.local
* Performing LDAP DSE lookup on: 192.168.1.74
! Received invalid or unsupported Netlogon data from server
people.local
type: kerberos
realm-name: PEOPLE.LOCAL
domain-name: people.local
configured: no
I can add previously defined domain user via Settings - User : Enterprise
with correct username and password, however this does not persist - if I
close the user admin panel and then re-open it, the added user is gone.
If I try to log on from GDM (user not listed so I use PEOPLE\user) I get
authentication failure
/var/log/secure gives these messages:
date:00:19 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
date:00:19 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
date:00:19 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr1: 6 (Permission denied)
date:00:48 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
date:00:48 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
date:00:48 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr1: 6 (Permission denied)
date:01:40 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
date:01:40 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
date:01:40 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 6 (Permission denied)
date:01:46 host gdm-password]: pam_unix(gdm-password:auth): conversation failed
date:01:46 host gdm-password]: pam_unix(gdm-password:auth): auth could not identify password for [PEOPLE\usr2]
date:01:46 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
date:01:46 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 7 (Authentication failure)
date:01:46 host gdm-password]: gkr-pam: no password is available for user
Could someone point me in the right direction as to what is wrong with my
setup. I have sorted some problems out by myself, but here I feel out of
depth.
Many thanks,
Roberts
------------------------------
Message: 2
Date: Thu, 24 Oct 2013 12:01:11 +0200
From: Jakub Hrozek <jhrozek(a)redhat.com>
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] GDM login
Message-ID: <20131024100111.GD4240(a)hendrix.redhat.com>
Content-Type: text/plain; charset=utf-8
On Thu, Oct 24, 2013 at 09:59:50AM +0100, Roberts Klotiņš wrote:
> Hello,
>
> After 2 days of reading on Samba4 SSSD and AD login I am running into
> problems. I have set up
> - AD server with Samba 4.2 (CentOS 6.3) - domain PEOPLE.LOCAL
> - Fedora 19 machine
> - Windows XP machine joined the domain without problems, I can run
> dsa.msc successfully
>
> I want to achieve AD user login from gdm. I understand that I should create
> a user with dsa.msc, and then I don't know if I should add it through the Fedora
> 19 user control panel. I tried it anyhow (was useful in debugging) but
> changes do not persist.
>
> I set up sssd (ver 1.11.1); it seems alright with AD options:
> - id and getent work for passwords and groups
>
> In my sssd.conf I have specified domain as [domain\PEOPLE]
> as all the correct server addresses etc are given there and it is easier to
> refer to the domain just by one name.
> sssd loads fine, getent passwd 'PEOPLE\user' works
>
> - realm discover gives this result
> realm discover --verbose PEOPLE.LOCAL
> * Resolving: _ldap._tcp.people.local
> * Performing LDAP DSE lookup on: 192.168.1.74
> ! Received invalid or unsupported Netlogon data from server
> people.local
^^^ This is a Samba bug. I've seen it reported by another user, but I'm
not sure if it's reported to Samba upstream.
> type: kerberos
> realm-name: PEOPLE.LOCAL
> domain-name: people.local
> configured: no
>
> I can add previously defined domain user via Settings - User : Enterprise
> with correct username and password, however this does not persist - if I
> close the user admin panel and then re-open it, the added user is gone.
This sounds like Enterprise Logins bug, but let's resolve the Permission
Denied first.
>
> If I try to log on from GDM (user not listed so I use PEOPLE\user) I get
> authentication failure
> /var/log/secure gives these messages:
>
> date:00:19 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> date:00:19 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> date:00:19 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr1: 6 (Permission denied)
> date:00:48 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> date:00:48 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> date:00:48 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr1: 6 (Permission denied)
> date:01:40 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
> date:01:40 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
> date:01:40 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 6 (Permission denied)
> date:01:46 host gdm-password]: pam_unix(gdm-password:auth): conversation failed
> date:01:46 host gdm-password]: pam_unix(gdm-password:auth): auth could not identify password for [PEOPLE\usr2]
> date:01:46 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
> date:01:46 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 7 (Authentication failure)
> date:01:46 host gdm-password]: gkr-pam: no password is available for user
>
> Could someone point me in the right direction as to what is wrong with my
> setup. I have sorted some problems out by myself, but here I feel out of
> depth.
>
> Many thanks,
>
> Roberts
Can you attach your sssd.conf? I suspect that realmd/enterprise logins
set up the simple access provider and the user is not included in the
------------------------------
End of sssd-users Digest, Vol 18, Issue 25