Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
On 12.05.2017 12:25, tuxderlinuxfuch...@gmail.com wrote:
> Thanks!
>
> I followed this manual:
> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
>
> added the line
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>
> to the file /etc/pam.d/common-session (find attached)

Don't add it manually, it'll get removed next time pam-auth-update is run.
Instead run pam-auth-update yourself and enable "create home directory on
login".

--
t

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
On Fri, May 12, 2017 at 03:00:42PM +0200, tuxderlinuxfuch...@gmail.com wrote:
> It worked with pam_mkhomedir. So I don't see anything left to do at the
> moment
>

ah, I thought ...

>
> On 12-May-17 12:52 PM, Sumit Bose wrote:
> > On Fri, May 12, 2017 at 12:11:28PM +0200, tuxderlinuxfuch...@gmail.com
> > wrote:
> >> The directory didn't exist

... meant that pam_mkhomedir didn't create the directory properly. Glad
it works for you now.

bye,
Sumit

> > Then I guess that the process doesn't have the needed permissions during
> > the session phase anymore. Please try to replace pam_mkhomedir by
> > pam_oddjob_mkhomedir. This will try to create the directory via oddjobd
> > which runs with higher privileges.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> >>
> >> On 12-May-17 11:48 AM, Sumit Bose wrote:
> >>> On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuch...@gmail.com
> >>> wrote:
> >>>> Thanks!
> >>>>
> >>>> I followed this manual:
> >>>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
> >>>>
> >>>> added the line
> >>>>
> >>>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> >>>>
> >>>> to the file /etc/pam.d/common-session (find attached)
> >>>>
> >>> Have you checked if /home/vmuser1 exists and has the right permissions
> >>> so that the user can create files in the directory?
> >>>
> >>> bye,
> >>> Sumit
> >>>

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
It worked with pam_mkhomedir. So I don't see anything left to do at the moment

On 12-May-17 12:52 PM, Sumit Bose wrote:
> On Fri, May 12, 2017 at 12:11:28PM +0200, tuxderlinuxfuch...@gmail.com wrote:
>> The directory didn't exist
> Then I guess that the process doesn't have the needed permissions during
> the session phase anymore. Please try to replace pam_mkhomedir by
> pam_oddjob_mkhomedir. This will try to create the directory via oddjobd
> which runs with higher privileges.
>
> HTH
>
> bye,
> Sumit
>
>>
>> On 12-May-17 11:48 AM, Sumit Bose wrote:
>>> On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuch...@gmail.com
>>> wrote:
>>>> Thanks!
>>>>
>>>> I followed this manual:
>>>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
>>>>
>>>> added the line
>>>>
>>>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>>>>
>>>> to the file /etc/pam.d/common-session (find attached)
>>>>
>>> Have you checked if /home/vmuser1 exists and has the right permissions
>>> so that the user can create files in the directory?
>>>
>>> bye,
>>> Sumit
>>>

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
On Fri, May 12, 2017 at 12:11:28PM +0200, tuxderlinuxfuch...@gmail.com wrote:
> The directory didn't exist

Then I guess that the process doesn't have the needed permissions during
the session phase anymore. Please try to replace pam_mkhomedir by
pam_oddjob_mkhomedir. This will try to create the directory via oddjobd
which runs with higher privileges.

HTH

bye,
Sumit

>
>
> On 12-May-17 11:48 AM, Sumit Bose wrote:
> > On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuch...@gmail.com
> > wrote:
> >> Thanks!
> >>
> >> I followed this manual:
> >> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
> >>
> >> added the line
> >>
> >> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> >>
> >> to the file /etc/pam.d/common-session (find attached)
> >>
> >>
> > Have you checked if /home/vmuser1 exists and has the right permissions
> > so that the user can create files in the directory?
> >
> > bye,
> > Sumit
> >

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
The directory didn't exist

On 12-May-17 11:48 AM, Sumit Bose wrote:
> On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuch...@gmail.com wrote:
>> Thanks!
>>
>> I followed this manual:
>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
>>
>> added the line
>>
>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>>
>> to the file /etc/pam.d/common-session (find attached)
>>
>>
> Have you checked if /home/vmuser1 exists and has the right permissions
> so that the user can create files in the directory?
>
> bye,
> Sumit
>

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
On Fri, May 12, 2017 at 12:50:08AM +0200, tuxderlinuxfuch...@gmail.com wrote:
> I have attached the syslog with gdm debug mode enabled
>
>
> On 11-May-17 1:54 PM, Sumit Bose wrote:
> > On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuch...@gmail.com
> > wrote:
> >> Hello,
> >>
> >> I have attached the requested files.
> > The logs indicate that access was granted by SSSD and that gdm even
> > called pam_open_session.
> >
> > Did gdm login work with the 'allow all' rule? Are there any other
> > hints in the system or gdm logs why gdm might have failed?
> >
> > bye,
> > Sumit
> >
> >> Thanks in advance!
> >>
> >> On 10-May-17 9:42 PM, Sumit Bose wrote:
> >>> On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuch...@gmail.com
> >>> wrote:
> >>>> Hello everyone,
> >>>>
> >>>> I set up my freeIPA instance and it works very well for my client
> >>>> computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
> >>>> freeIPA managed user account.
> >>>>
> >>>> My own HBAC rule also works for that. I disabled the "allow all" rule
> >>>> and created my own one. Works fine for SSH.
> >>>>
> >>>> But I cannot login to the GNOME 3 Desktop on the client. I used the
> >>>> netinstall ISO image of Ubuntu. During installation, I have chosen
> >>>> "Ubuntu GNOME Desktop" as the only desktop.
> >>>>
> >>>> So my display manager is gdm3.
> >>>>
> >>>> I added the "gdm" and "gdm-password" services to my HBAC rule. To be on
> >>>> the safe side, I rebooted the client machine. But I still can't login to
> >>>> the GNOME Desktop with an account that can login via SSH.
> >>>>
> >>>> So the services in my rule are
> >>>>
> >>>> login, gdm, gdm-password
> >>>>
> >>>> If you need any logs or other information, I will provide them.
> >>> Please send sssd_pam.log and sssd_domain.name.log with debug_level=10 in
> >>> the [pam] and [domain/...] section of sssd.conf.
> >>>
> >>> bye,
> >>> Sumit
> >>>
> >>>> Thanks in advance!
>
>
> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) This device may have been added with another device file.
> May 11 23:41:55 ubugdm gdm-x-session: Running session message bus
> May 11 23:41:55 ubugdm gdm3: GdmManager: trying to register new display
> May 11 23:41:55 ubugdm gdm3: GdmSession: Setting display device: /dev/tty2
> May 11 23:41:55 ubugdm gdm3: using ut_user vmuser1
> May 11 23:41:55 ubugdm gdm3: Writing login record
> May 11 23:41:55 ubugdm gdm3: using ut_type USER_PROCESS
> May 11 23:41:55 ubugdm gdm3: using ut_tv time 1494538915
> May 11 23:41:55 ubugdm gdm3: using ut_pid 1741
> May 11 23:41:55 ubugdm gdm3: using ut_host :1
> May 11 23:41:55 ubugdm gdm3: using ut_line tty2
> May 11 23:41:55 ubugdm gdm3: Writing wtmp session record to /var/log/wtmp
> May 11 23:41:55 ubugdm gdm3: Adding or updating utmp record for login
> May 11 23:41:55 ubugdm gdm3: GdmLocalDisplayFactory: display status changed: 2
> May 11 23:41:55 ubugdm gdm-x-session: Running X session
> May 11 23:41:55 ubugdm gdm-x-session: Trying script /etc/gdm3/Prime/:1
> May 11 23:41:55 ubugdm gdm-x-session: script /etc/gdm3/Prime/:1 not found; skipping
> May 11 23:41:55 ubugdm gdm-x-session: Trying script /etc/gdm3/Prime/Default
> May 11 23:41:55 ubugdm gdm-x-session: Running process: /etc/gdm3/Prime/Default
> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: DISPLAY=:1
> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: SHELL=/bin/sh
> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: XAUTHORITY=/run/user/12644/gdm/Xauthority
> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: RUNNING_UNDER_GDM=true
> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: HOME=/
> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: PWD=/
> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
> May 11 23:41:55 ubugdm gdm-x-session: Process exit status: 0
> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: /etc/gdm3/Xsession: Beginning session setup...
> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: /etc/gdm3/Xsession: line 41: /dev/stderr: No such device or address
> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: localuser:vmuser1 being added to access control list
> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: localuser:vmuser1 being added to access control list
> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Desktop
> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Downloads
> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
I have attached the syslog with gdm debug mode enabled

On 11-May-17 1:54 PM, Sumit Bose wrote:
> On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuch...@gmail.com wrote:
>> Hello,
>>
>> I have attached the requested files.
> The logs indicate that access was granted by SSSD and that gdm even
> called pam_open_session.
>
> Did gdm login work with the 'allow all' rule? Are there any other
> hints in the system or gdm logs why gdm might have failed?
>
> bye,
> Sumit
>
>> Thanks in advance!
>>
>> On 10-May-17 9:42 PM, Sumit Bose wrote:
>>> On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuch...@gmail.com
>>> wrote:
>>>> Hello everyone,
>>>>
>>>> I set up my freeIPA instance and it works very well for my client
>>>> computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
>>>> freeIPA managed user account.
>>>>
>>>> My own HBAC rule also works for that. I disabled the "allow all" rule
>>>> and created my own one. Works fine for SSH.
>>>>
>>>> But I cannot login to the GNOME 3 Desktop on the client. I used the
>>>> netinstall ISO image of Ubuntu. During installation, I have chosen
>>>> "Ubuntu GNOME Desktop" as the only desktop.
>>>>
>>>> So my display manager is gdm3.
>>>>
>>>> I added the "gdm" and "gdm-password" services to my HBAC rule. To be on
>>>> the safe side, I rebooted the client machine. But I still can't login to
>>>> the GNOME Desktop with an account that can login via SSH.
>>>>
>>>> So the services in my rule are
>>>>
>>>> login, gdm, gdm-password
>>>>
>>>> If you need any logs or other information, I will provide them.
>>> Please send sssd_pam.log and sssd_domain.name.log with debug_level=10 in
>>> the [pam] and [domain/...] section of sssd.conf.
>>>
>>> bye,
>>> Sumit
>>>
>>>> Thanks in advance!

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuch...@gmail.com wrote:
> Hello,
>
> I have attached the requested files.

The logs indicate that access was granted by SSSD and that gdm even
called pam_open_session.

Did gdm login work with the 'allow all' rule? Are there any other
hints in the system or gdm logs why gdm might have failed?

bye,
Sumit

>
> Thanks in advance!
>
> On 10-May-17 9:42 PM, Sumit Bose wrote:
> > On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuch...@gmail.com
> > wrote:
> >> Hello everyone,
> >>
> >> I set up my freeIPA instance and it works very well for my client
> >> computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
> >> freeIPA managed user account.
> >>
> >> My own HBAC rule also works for that. I disabled the "allow all" rule
> >> and created my own one. Works fine for SSH.
> >>
> >> But I cannot login to the GNOME 3 Desktop on the client. I used the
> >> netinstall ISO image of Ubuntu. During installation, I have chosen
> >> "Ubuntu GNOME Desktop" as the only desktop.
> >>
> >> So my display manager is gdm3.
> >>
> >> I added the "gdm" and "gdm-password" services to my HBAC rule. To be on
> >> the safe side, I rebooted the client machine. But I still can't login to
> >> the GNOME Desktop with an account that can login via SSH.
> >>
> >> So the services in my rule are
> >>
> >> login, gdm, gdm-password
> >>
> >> If you need any logs or other information, I will provide them.
> > Please send sssd_pam.log and sssd_domain.name.log with debug_level=10 in
> > the [pam] and [domain/...] section of sssd.conf.
> >
> > bye,
> > Sumit
> >
> >>
> >> Thanks in advance!

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuch...@gmail.com wrote:
> Hello everyone,
>
> I set up my freeIPA instance and it works very well for my client
> computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
> freeIPA managed user account.
>
> My own HBAC rule also works for that. I disabled the "allow all" rule
> and created my own one. Works fine for SSH.
>
> But I cannot login to the GNOME 3 Desktop on the client. I used the
> netinstall ISO image of Ubuntu. During installation, I have chosen
> "Ubuntu GNOME Desktop" as the only desktop.
>
> So my display manager is gdm3.
>
> I added the "gdm" and "gdm-password" services to my HBAC rule. To be on
> the safe side, I rebooted the client machine. But I still can't login to
> the GNOME Desktop with an account that can login via SSH.
>
> So the services in my rule are
>
> login, gdm, gdm-password
>
> If you need any logs or other information, I will provide them.

Please send sssd_pam.log and sssd_domain.name.log with debug_level=10 in
the [pam] and [domain/...] section of sssd.conf.

bye,
Sumit

>
>
> Thanks in advance!

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
Make sure you are using "reply-all" as your replies are falling off the
mailing list and coming to me only.

> They do have some of these lines.

Assuming your common-* modules are set up correctly (which you can verify
by looking at your ssh module and seeing if it uses common-* or if the
sssd libraries are in there directly) at this point we'll need to go to
logs. Tail your logs while attempting to do a GDM login and compare them
to a tail when doing an SSH login.

j

> These are the contents:
>
>
> gdm-password:
>
> #%PAM-1.0
> auth requisite pam_nologin.so
> auth required pam_succeed_if.so user != root quiet_success
> @include common-auth
> auth optional pam_gnome_keyring.so
> @include common-account
> # SELinux needs to be the first session rule. This ensures that any
> # lingering context has been cleared. Without this it is possible
> # that a module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> session required pam_loginuid.so
> # SELinux needs to intervene at login time to ensure that the process
> # starts in the proper default security context. Only sessions which are
> # intended to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
> session optional pam_keyinit.so force revoke
> session required pam_limits.so
> session required pam_env.so readenv=1
> session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
> @include common-session
> session optional pam_gnome_keyring.so auto_start
> @include common-password
>
>
> gdm-autologin:
>
> #%PAM-1.0
> auth requisite pam_nologin.so
> auth required pam_succeed_if.so user != root quiet_success
> auth required pam_permit.so
> @include common-account
> # SELinux needs to be the first session rule. This ensures that any
> # lingering context has been cleared. Without this it is possible
> # that a module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> session required pam_loginuid.so
> # SELinux needs to intervene at login time to ensure that the process
> # starts in the proper default security context. Only sessions which are
> # intended to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
> session optional pam_keyinit.so force revoke
> session required pam_limits.so
> session required pam_env.so readenv=1
> session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
> @include common-session
> @include common-password
>
>
> gdm-launch-environment:
>
> #%PAM-1.0
> auth requisite pam_nologin.so
> auth required pam_permit.so
> @include common-account
> session optional pam_keyinit.so force revoke
> session required pam_limits.so
> session required pam_env.so readenv=1
> session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
> @include common-session
> @include common-password
>
> Thanks already!
>
> On 10-May-17 3:40 AM, Jason B. Nance wrote:
>>> I have three files:
>>>
>>> /etc/pam.d/gdm-autologin
>>>
>>> /etc/pam.d/gdm-launch-environment
>>>
>>> /etc/pam.d/gdm-password
>>>
>>> They all have a line "@ include common-session"
>>>
>>> The common-session file has a line "session optional pam_sss.so"
>>>
>>> I don't really know what to compare to the SSH module (which I guess is
>>> the /etc/pam.d/sshd file)
>> Do they only have session lines and no auth, account, or password?
>>

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
> I set up my freeIPA instance and it works very well for my client
> computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
> freeIPA managed user account.
> But I cannot login to the GNOME 3 Desktop on the client. I used the
> netinstall ISO image of Ubuntu. During installation, I have chosen
> "Ubuntu GNOME Desktop" as the only desktop.
>
> So my display manager is gdm3.

Err, actually, I missed something here. You say you're running Ubuntu
Desktop 16.04.2 LTS with Gnome 3 and GDM. However, that version/bundle
ships with Unity and LightDM. I'm not saying it won't work but just trying
to get clarity on your setup and letting you know you may be deviating
from the "easy" path.

Regards,

j

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
> But I cannot login to the GNOME 3 Desktop on the client. I used the
> netinstall ISO image of Ubuntu. During installation, I have chosen
> "Ubuntu GNOME Desktop" as the only desktop.
>
> So my display manager is gdm3.

It sounds as if GDM has its own PAM module that isn't configured to use
SSSD. Check out /etc/pam.d/gdm or similar and see if it includes the
"common-*" modules (and verify that they include the SSSD libraries in
their stacks). You can compare it to the SSH module.

Regards,

j

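The check suggested in this message (does the GDM service pull in the common-* files, and do those load pam_sss.so), together with the later question of whether anything in the session stack creates the home directory, as an added shell example that is not part of the thread. The function names and the sample files written by make_sample are constructed for illustration.

```shell
# Added example, not from the thread: audit PAM service files for SSSD and a
# home-directory module, following @include lines. Sample data is constructed.

# pam_stack DIR SERVICE: print the rules of DIR/SERVICE, comments dropped and
# each "@include NAME" replaced by the rules of DIR/NAME. Runs in a subshell
# so recursion keeps its own variables; continued lines are not joined.
pam_stack() (
    dir=$1 svc=$2 depth=${3:-0}
    [ "$depth" -le 8 ] || exit 0                 # stop on include loops
    [ -r "$dir/$svc" ] || { echo "cannot read $dir/$svc" >&2; exit 1; }
    while read -r first rest || [ -n "$first" ]; do
        case $first in
            '' | '#'*) ;;
            '@include') pam_stack "$dir" "$rest" $((depth + 1)) ;;
            *) printf '%s %s\n' "$first" "$rest" ;;
        esac
    done < "$dir/$svc"
)

# pam_modules DIR SERVICE TYPE: module file names of one type (auth, account,
# password, session) in stack order. A bracketed control field such as
# "[success=ok default=bad]" contains spaces, so it is collapsed first.
pam_modules() {
    pam_stack "$1" "$2" | sed 's/\[[^]]*]/[ctl]/' |
        awk -v t="$3" '{ sub(/^-/, "", $1) }
            $1 == t { n = split($3, p, "/"); print p[n] }'
}

# pam_uses DIR SERVICE TYPE MODULE: succeed if MODULE is in that stack.
pam_uses() { pam_modules "$1" "$2" "$3" | grep -qxF "$4"; }

# pam_report DIR SERVICE...: one summary line per service.
pam_report() (
    dir=$1; shift
    for svc in "$@"; do
        line=$svc
        for type in auth account password session; do
            if pam_uses "$dir" "$svc" "$type" pam_sss.so
            then line="$line $type=sss"; else line="$line $type=-"; fi
        done
        if pam_uses "$dir" "$svc" session pam_mkhomedir.so ||
           pam_uses "$dir" "$svc" session pam_oddjob_mkhomedir.so
        then line="$line mkhomedir=yes"; else line="$line mkhomedir=no"; fi
        echo "$line"
    done
)

# make_sample DIR: constructed files (not the poster's real ones): SSSD is in
# every common-* file, but no session module creates the home directory.
make_sample() {
    mkdir -p "$1"
    printf '@include common-%s\n' auth account session password > "$1/sshd"
    cat > "$1/gdm-password" <<'EOF'
#%PAM-1.0
auth    requisite  pam_nologin.so
auth    required   pam_succeed_if.so user != root quiet_success
@include common-auth
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required   pam_loginuid.so
@include common-session
@include common-password
EOF
    echo 'auth [success=1 default=ignore] pam_sss.so use_first_pass' > "$1/common-auth"
    echo 'account [default=bad success=ok user_unknown=ignore] pam_sss.so' > "$1/common-account"
    echo 'session optional pam_sss.so' > "$1/common-session"
    echo 'password sufficient pam_sss.so use_authtok' > "$1/common-password"
}

# Demo; on a client run: pam_report /etc/pam.d sshd gdm-password
demo=$(mktemp -d)
make_sample "$demo"
pam_report "$demo" sshd gdm-password
rm -rf "$demo"
```

A report where both services show `sss` for every type but `mkhomedir=no` matches the situation in the thread: access is granted, yet the session cannot write to a home directory that was never created.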