Make sure you are using "reply-all" as your replies are falling off the mailing list and coming to me only.

> They do have some of these lines.

Assuming your common-* modules are set up correctly (which you can verify by looking at your ssh module and seeing if it uses common-* or if the sssd libraries are in there directly) at this point we'll need to go to logs. Tail your logs while attempting to do a GDM login and compare them to a tail when doing an SSH login.

j

> These are the contents:
>
>
> gdm-password:
>
> #%PAM-1.0
> auth requisite pam_nologin.so
> auth required pam_succeed_if.so user != root quiet_success
> @include common-auth
> auth optional pam_gnome_keyring.so
> @include common-account
> # SELinux needs to be the first session rule. This ensures that any
> # lingering context has been cleared. Without this it is possible
> # that a module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore
> default=bad] pam_selinux.so close
> session required pam_loginuid.so
> # SELinux needs to intervene at login time to ensure that the process
> # starts in the proper default security context. Only sessions which are
> # intended to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore
> default=bad] pam_selinux.so open
> session optional pam_keyinit.so force revoke
> session required pam_limits.so
> session required pam_env.so readenv=1
> session required pam_env.so readenv=1 user_readenv=1
> envfile=/etc/default/locale
> @include common-session
> session optional pam_gnome_keyring.so auto_start
> @include common-password
>
>
> gdm-autologin:
>
> #%PAM-1.0
> auth requisite pam_nologin.so
> auth required pam_succeed_if.so user != root quiet_success
> auth required pam_permit.so
> @include common-account
> # SELinux needs to be the first session rule. This ensures that any
> # lingering context has been cleared. Without this it is possible
> # that a module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore
> default=bad] pam_selinux.so close
> session required pam_loginuid.so
> # SELinux needs to intervene at login time to ensure that the process
> # starts in the proper default security context. Only sessions which are
> # intended to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore
> default=bad] pam_selinux.so open
> session optional pam_keyinit.so force revoke
> session required pam_limits.so
> session required pam_env.so readenv=1
> session required pam_env.so readenv=1 user_readenv=1
> envfile=/etc/default/locale
> @include common-session
> @include common-password
>
>
> gdm-launch-environment:
>
> #%PAM-1.0
> auth requisite pam_nologin.so
> auth required pam_permit.so
> @include common-account
> session optional pam_keyinit.so force revoke
> session required pam_limits.so
> session required pam_env.so readenv=1
> session required pam_env.so readenv=1 user_readenv=1
> envfile=/etc/default/locale
> @include common-session
> @include common-password
>
> Thanks already!
>
> On 10-May-17 3:40 AM, Jason B. Nance wrote:
>>> I have three files:
>>>
>>> /etc/pam.d/gdm-autologin
>>>
>>> /etc/pam.d/gdm-launch-environment
>>>
>>> /etc/pam.d/gdm-password
>>>
>>> They all have a line "@ include common-session"
>>>
>>> The common-session file has a line "session optional pam_sss.so"
>>>
>>> I don't really know what to compare to the SSH module (which I guess is
>>> the /etc/pam.d/sshd file)
>> Do they only have session lines and no auth, account, or password?
>>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
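
Added example, not part of the original thread: one way to do the "does this service use common-* or pam_sss.so directly" comparison is to expand every include and see which management groups reach pam_sss.so, with sshd as the reference. The gdm-* entries are abridged from the listings above; the sshd and common-* contents and all function names are assumptions, and handling of Red Hat style "include"/"substack" rules goes beyond what the thread shows.

```python
import re

# Constructed stand-in for /etc/pam.d. The gdm-* entries are abridged from the
# listings quoted above; sshd and all common-* contents are assumptions.
FILES = {
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok\n"
                   "auth sufficient pam_sss.so use_first_pass\n",
    "common-account": "account required pam_unix.so\naccount required pam_sss.so\n",
    "common-session": "session required pam_unix.so\nsession optional pam_sss.so\n",
    "common-password": "password sufficient pam_sss.so use_authtok\n",
    "sshd": "@include common-auth\n@include common-account\n"
            "@include common-session\n@include common-password\n",
    "gdm-password": "#%PAM-1.0\nauth requisite pam_nologin.so\n@include common-auth\n"
                    "@include common-account\nsession required pam_limits.so\n"
                    "@include common-session\n@include common-password\n",
    "gdm-autologin": "auth requisite pam_nologin.so\nauth required pam_permit.so\n"
                     "@include common-account\n@include common-session\n@include common-password\n",
}
TYPES = ("auth", "account", "password", "session")
RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def stack(service, files, seen=()):
    """Yield (type, control, module) for a service, following includes."""
    if service in seen or service not in files:  # include loop or missing file
        return
    for raw in files[service].splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, normalise spacing
        if len(words) == 2 and words[0] == "@include":
            yield from stack(words[1], files, seen + (service,))
        elif m := RULE.match(" ".join(words)):
            kind, control, module = m.groups()
            if control in ("include", "substack"):  # only rules of the same type
                sub = stack(module, files, seen + (service,))
                yield from (r for r in sub if r[0] == kind)
            else:
                yield kind, control, module

def sss_coverage(service, files=FILES):
    """Map each management group to whether pam_sss.so appears in its stack."""
    hit = {kind for kind, _, module in stack(service, files) if module.endswith("pam_sss.so")}
    return {kind: kind in hit for kind in TYPES}

def missing_vs(reference, service, files=FILES):
    """Groups where the reference service reaches pam_sss.so but `service` does not."""
    ref, svc = sss_coverage(reference, files), sss_coverage(service, files)
    return [kind for kind in TYPES if ref[kind] and not svc[kind]]

if __name__ == "__main__":
    print({s: missing_vs("sshd", s) for s in ("gdm-password", "gdm-autologin")})
```

An empty list for gdm-password means its stacks reach pam_sss.so wherever sshd's do, so the PAM configuration is not what differs and the logs are the next place to look; gdm-autologin reports "auth" because it authenticates with pam_permit.so instead of common-auth.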