Sorry to trouble again with this, but I thought it might be relevant to
look through pam modules. I found sss present as per system installation;
I have not modified the file:
# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
And GDM password config file includes the above:
# cat /etc/pam.d/gdm-password
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth optional pam_gnome_keyring.so
auth include postlogin
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
-session optional pam_ck_connector.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include password-auth
session optional pam_gnome_keyring.so auto_start
session include postlogin
I don't know where to look further in troubleshooting domain logons. I kind
of hope it is some obvious misconfiguration in my sssd.conf which I posted
before. Many thanks for looking at this,
Roberts
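Two kinds of pam_sss line appear in the /var/log/secure excerpts in this thread: a generic "authentication failure" and a "received for user X: N (...)" line carrying the numeric PAM return code (6 and 7 above). In the password-auth stack shown above pam_unix.so is "sufficient", so its failure for a domain-only user is expected and the stack falls through to pam_sss.so; the code pam_sss reports is the one worth decoding. The following Python script is an added example, not code from this thread or from SSSD: it parses such lines, maps the numeric codes to the Linux-PAM symbolic names, and tallies failures per module. The log lines embedded in it are constructed, modelled on Roberts' excerpt, with invented timestamps and PID.

```python
import re
from collections import Counter, defaultdict

# Linux-PAM return codes (values from <security/_pam_types.h>), numeric -> symbolic name.
PAM_CODES = {
    0: "PAM_SUCCESS", 1: "PAM_OPEN_ERR", 2: "PAM_SYMBOL_ERR", 3: "PAM_SERVICE_ERR",
    4: "PAM_SYSTEM_ERR", 5: "PAM_BUF_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
    8: "PAM_CRED_INSUFFICIENT", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN",
    11: "PAM_MAXTRIES", 12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED",
}

# Constructed sample modelled on the /var/log/secure excerpt in this thread;
# the timestamps and the PID in "gdm-password[1234]" are invented.
SAMPLE_LOG = """\
Oct 24 13:42:54 robbie gdm-password[1234]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:1 ruser= rhost= user=PEOPLE\\usr2
Oct 24 13:42:54 robbie gdm-password[1234]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:1 ruser= rhost= user=PEOPLE\\usr2
Oct 24 13:42:54 robbie gdm-password[1234]: pam_sss(gdm-password:auth): received for user PEOPLE\\usr2: 6 (Permission denied)
Oct 24 13:42:59 robbie gdm-password[1234]: pam_unix(gdm-password:auth): conversation failed
Oct 24 13:42:59 robbie gdm-password[1234]: pam_unix(gdm-password:auth): auth could not identify password for [PEOPLE\\usr2]
Oct 24 13:42:59 robbie gdm-password[1234]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:1 ruser= rhost= user=PEOPLE\\usr2
Oct 24 13:42:59 robbie gdm-password[1234]: pam_sss(gdm-password:auth): received for user PEOPLE\\usr2: 7 (Authentication failure)
Oct 24 13:42:59 robbie gdm-password[1234]: gkr-pam: no password is available for user
"""

# "pam_module(service:type): message" as Linux-PAM modules log it via syslog.
LINE_RE = re.compile(r"(?P<module>pam_\w+)\((?P<service>[^:()]+):(?P<type>\w+)\): (?P<msg>.*)$")

# The three places a user name shows up in these messages; \b keeps "ruser=" from matching.
USER_RE = re.compile(
    r"\buser=(?P<u>\S+)"
    r"|received for user (?P<u2>.+?): (?P<code>\d+) \("
    r"|password for \[(?P<u3>[^\]]+)\]"
)


def decode_pam_code(code):
    """Map a numeric PAM return value to its symbolic name."""
    return PAM_CODES.get(code, f"unknown({code})")


def parse_pam_events(text):
    """Return one dict per PAM module message: module, service, type, msg, user, code."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a PAM module message (e.g. the gkr-pam line)
        ev = m.groupdict()
        ev["user"], ev["code"] = None, None
        um = USER_RE.search(ev["msg"])
        if um:
            ev["user"] = um.group("u") or um.group("u2") or um.group("u3")
            if um.group("code") is not None:
                ev["code"] = int(um.group("code"))
        events.append(ev)
    return events


def final_results(events):
    """Per user, the ordered (module, symbolic code) pairs from 'received for user' lines."""
    results = defaultdict(list)
    for ev in events:
        if ev["code"] is not None:
            results[ev["user"]].append((ev["module"], decode_pam_code(ev["code"])))
    return dict(results)


def failures_by_module(events):
    """Count failure messages per (module, type), excluding the result-code lines."""
    words = ("failure", "failed", "could not")
    counts = Counter()
    for ev in events:
        if ev["code"] is None and any(w in ev["msg"] for w in words):
            counts[(ev["module"], ev["type"])] += 1
    return counts


if __name__ == "__main__":
    evs = parse_pam_events(SAMPLE_LOG)
    for user, codes in final_results(evs).items():
        print(user, codes)
    for (module, phase), n in sorted(failures_by_module(evs).items()):
        print(f"{module} ({phase}): {n} failure message(s)")
```

Run against a real /var/log/secure by reading the file into parse_pam_events; the per-user result list shows whether pam_sss is returning PAM_PERM_DENIED (6) or PAM_AUTH_ERR (7) for each attempt, which is the distinction the replies in this thread turn on.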
On 24 October 2013 14:01, Roberts Klotiņš <roberts.klotins(a)gmail.com> wrote:
Hi, thanks a lot for looking into this.
As you suspected, there is something that enterprise simple login added
into the config file:
[sssd]
services = nss, pam
config_file_version = 2
domains = PEOPLE
[nss]
filter_users = root
filter_groups = root
[pam]
[domain/PEOPLE]
description = PEOPLE AD domain
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_server = srv1.people.local
ad_hostname = client1.people.local
ad_domain = PEOPLE.LOCAL
case_sensitive = false
enumerate = true
cache_credentials = true
simple_allow_users = usr1, usr2
However when I deleted the last line in this file I got the same result.
/var/log/secure
datet:42:54 robbie gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:1 ruser= rhost= user=PEOPLE\usr2
datet:42:54 robbie gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:1 ruser= rhost= user=PEOPLE\usr2
datet:42:54 robbie gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 6 (Permission denied)
datet:42:59 robbie gdm-password]: pam_unix(gdm-password:auth): conversation failed
datet:42:59 robbie gdm-password]: pam_unix(gdm-password:auth): auth could not identify password for [PEOPLE\usr2]
datet:42:59 robbie gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:1 ruser= rhost= user=PEOPLE\usr2
datet:42:59 robbie gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 7 (Authentication failure)
It appears I may need to configure something in pam, but maybe that is not
the case?
Your help is much appreciated.
Roberts
On 24 October 2013 13:00, <sssd-users-request(a)lists.fedorahosted.org> wrote:
>
> Today's Topics:
>
> 1. GDM login (Roberts Klotiņš)
> 2. Re: GDM login (Jakub Hrozek)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 24 Oct 2013 09:59:50 +0100
> From: Roberts Klotiņš <roberts.klotins(a)gmail.com>
> To: sssd-users(a)lists.fedorahosted.org
> Subject: [SSSD-users] GDM login
> Message-ID:
> <CALr2nHs9s41VbMVECCLrUQx1mfJYgsQFcLAxzT-0QzudHuaW8g(a)mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hello,
>
> After 2 days of reading on Samba4 SSSD and AD login I am running into
> problems. I have set up
> - AD server with Samba 4.2 (CentOS 6.3) - domain PEOPLE.LOCAL
> - Fedora 19 machine
> - Windows XP machine joined the domain without problems, I can run
> dsa.msc successfully
>
> I want to achieve AD user login from gdm. I understand that I should
> create
> a user with dsa.msc and then I don't know if I should add it through Fedora
> 19 user control panel. I tried it anyhow (was useful in debugging) but
> changes do not persist.
>
> I set up sssd (ver 1.11.1) it seems alright with AD options:
> - id and getent work for passwords and groups
>
> In my sssd.conf I have specified domain as [domain\PEOPLE]
> as all the correct server addresses etc are given there and it is easier
> to
> refer to the domain just by one name.
> sssd loads fine, getent passwd 'PEOPLE\user' works
>
> - realm discover gives this result
> realm discover --verbose PEOPLE.LOCAL
> * Resolving: _ldap._tcp.people.local
> * Performing LDAP DSE lookup on: 192.168.1.74
> ! Received invalid or unsupported Netlogon data from server
> people.local
> type: kerberos
> realm-name: PEOPLE.LOCAL
> domain-name: people.local
> configured: no
>
> I can add previously defined domain user via Settings - User : Enterprise
> with correct username and password, however this does not persist - if I
> close the user admin panel and then re-open it, the added user is gone.
>
> If I try to log on from GDM (user not listed so I use PEOPLE\user) I get
> authentication failure
> /var/log/secure gives these messages:
>
> date:00:19 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> date:00:19 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> date:00:19 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr1: 6 (Permission denied)
> date:00:48 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> date:00:48 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> date:00:48 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr1: 6 (Permission denied)
> date:01:40 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
> date:01:40 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
> date:01:40 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 6 (Permission denied)
> date:01:46 host gdm-password]: pam_unix(gdm-password:auth): conversation failed
> date:01:46 host gdm-password]: pam_unix(gdm-password:auth): auth could not identify password for [PEOPLE\usr2]
> date:01:46 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
> date:01:46 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 7 (Authentication failure)
> date:01:46 host gdm-password]: gkr-pam: no password is available for user
>
> Could someone point me in the right direction as to what is wrong with my
> setup. I have sorted some problems out by myself, but here I feel out of
> depth.
>
> Many thanks,
>
> Roberts
>
> ------------------------------
>
> Message: 2
> Date: Thu, 24 Oct 2013 12:01:11 +0200
> From: Jakub Hrozek <jhrozek(a)redhat.com>
> To: sssd-users(a)lists.fedorahosted.org
> Subject: Re: [SSSD-users] GDM login
> Message-ID: <20131024100111.GD4240(a)hendrix.redhat.com>
> Content-Type: text/plain; charset=utf-8
>
> On Thu, Oct 24, 2013 at 09:59:50AM +0100, Roberts Klotiņš wrote:
> > Hello,
> >
> > After 2 days of reading on Samba4 SSSD and AD login I am running into
> > problems. I have set up
> > - AD server with Samba 4.2 (CentOS 6.3) - domain PEOPLE.LOCAL
> > - Fedora 19 machine
> > - Windows XP machine joined the domain without problems, I can run
> > dsa.msc successfully
> >
> > I want to achieve AD user login from gdm. I understand that I should
> create
> > a user with dsa.msc and then I don't know if I should add it through
> Fedora
> > 19 user control panel. I tried it anyhow (was useful in debugging) but
> > changes do not persist.
> >
> > I set up sssd (ver 1.11.1) it seems alright with AD options:
> > - id and getent work for passwords and groups
> >
> > In my sssd.conf I have specified domain as [domain\PEOPLE]
> > as all the correct server addresses etc are given there and it is
> easier to
> > refer to the domain just by one name.
> > sssd loads fine, getent passwd 'PEOPLE\user' works
> >
> > - realm discover gives this result
> > realm discover --verbose PEOPLE.LOCAL
> > * Resolving: _ldap._tcp.people.local
> > * Performing LDAP DSE lookup on: 192.168.1.74
> > ! Received invalid or unsupported Netlogon data from server
> > people.local
>
> ^^^ This is a Samba bug. I've seen it reported by another user, but I'm
> not sure if it's reported to Samba upstream.
>
> > type: kerberos
> > realm-name: PEOPLE.LOCAL
> > domain-name: people.local
> > configured: no
> >
> > I can add previously defined domain user via Settings - User :
> Enterprise
> > with correct username and password, however this does not persist - if I
> > close the user admin panel and then re-open it, the added user is gone.
>
> This sounds like Enterprise Logins bug, but let's resolve the Permission
> Denied first.
>
> >
> > If I try to log on from GDM (user not listed so I use PEOPLE\user) I get
> > authentication failure
> > /var/log/secure gives these messages:
> >
> > date:00:19 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> > date:00:19 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> > date:00:19 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr1: 6 (Permission denied)
> > date:00:48 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> > date:00:48 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> > date:00:48 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr1: 6 (Permission denied)
> > date:01:40 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
> > date:01:40 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
> > date:01:40 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 6 (Permission denied)
> > date:01:46 host gdm-password]: pam_unix(gdm-password:auth): conversation failed
> > date:01:46 host gdm-password]: pam_unix(gdm-password:auth): auth could not identify password for [PEOPLE\usr2]
> > date:01:46 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
> > date:01:46 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 7 (Authentication failure)
> > date:01:46 host gdm-password]: gkr-pam: no password is available for user
> >
> > Could someone point me in the right direction as to what is wrong with
> my
> > setup. I have sorted some problems out by myself, but here I feel out of
> > depth.
> >
> > Many thanks,
> >
> > Roberts
>
> Can you attach your sssd.conf? I suspect that realmd/enterprise logins
> set up the simple access provider and the user is not included in the
>
>
> ------------------------------
>
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
>
> End of sssd-users Digest, Vol 18, Issue 25
> ******************************************
>
--
==
Roberts Klotins
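Jakub's suspicion earlier in this thread was that realmd/enterprise logins had set up the simple access provider and left the user off its allow list, and the sssd.conf Roberts then posted does carry a simple_allow_users line next to access_provider = ad. The following Python script is an added example, not code from this thread or from the SSSD project: it loads an sssd.conf, checks that the pam service is enabled and that every listed domain has a matching [domain/...] section, flags simple_* options that sit under a non-simple access provider (only the simple provider reads them, so there they have no effect), and, for a domain that does use the simple provider, reports whether a given login name appears in simple_allow_users. The embedded config is a constructed copy of the one in the thread; the name comparison is a plain exact match after stripping a "DOMAIN\" prefix, an assumption of this script rather than a reproduction of SSSD's own matching rules, and simple_deny_* lists are not modelled.

```python
import configparser

# Constructed copy of the sssd.conf posted in this thread, simple_allow_users left in place.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = PEOPLE
[nss]
filter_users = root
filter_groups = root
[pam]
[domain/PEOPLE]
description = PEOPLE AD domain
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_server = srv1.people.local
ad_hostname = client1.people.local
ad_domain = PEOPLE.LOCAL
case_sensitive = false
enumerate = true
cache_credentials = true
simple_allow_users = usr1, usr2
"""


def _csv(value):
    """Split a comma-separated sssd.conf value into a list of trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def load_sssd_conf(text):
    """Parse sssd.conf text (INI format) with configparser; no value interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_sssd_conf(cp):
    """Return a list of findings (empty when nothing looks wrong)."""
    findings = []
    sssd = cp["sssd"] if cp.has_section("sssd") else {}
    if "pam" not in _csv(sssd.get("services", "")):
        findings.append("[sssd] services does not include 'pam'; pam_sss cannot reach sssd")
    for dom in _csv(sssd.get("domains", "")):
        sec = f"domain/{dom}"
        if not cp.has_section(sec):
            findings.append(f"[sssd] domains lists '{dom}' but there is no [{sec}] section")
            continue
        d = cp[sec]
        # SSSD's default access provider is 'permit' when none is configured.
        access = d.get("access_provider", "permit")
        simple_opts = [k for k in d if k.startswith("simple_")]
        if simple_opts and access != "simple":
            findings.append(
                f"[{sec}] access_provider = {access}: {simple_opts} are read only by the "
                f"simple access provider and are ignored here"
            )
    return findings


def simple_allow_decision(cp, dom, login_name):
    """True/False if the simple provider's allow list would admit login_name;
    None when the domain does not use access_provider = simple."""
    d = cp[f"domain/{dom}"]
    if d.get("access_provider", "permit") != "simple":
        return None
    short = login_name.rsplit("\\", 1)[-1]  # assumption: strip a DOMAIN\ prefix, exact match
    allowed = _csv(d.get("simple_allow_users", ""))
    if not allowed:
        return True  # no allow list configured: the allow check passes everyone
    return short in allowed


if __name__ == "__main__":
    conf = load_sssd_conf(SAMPLE_SSSD_CONF)
    for f in check_sssd_conf(conf):
        print("finding:", f)
    print("simple provider decision for PEOPLE\\usr2:",
          simple_allow_decision(conf, "PEOPLE", "PEOPLE\\usr2"))
```

Against the config as posted the script reports the simple_allow_users line as ignored and returns None for the allow decision, which matches Roberts' observation that deleting the line changed nothing; if access_provider were simple, the same script would show which names the allow list admits.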