Hi Andy, On Sun, May 26, 2013 at 10:23:41AM +0200, Andreas B. Mundt wrote: > Hi Giorgio, > > On Sun, May 26, 2013 at 09:43:17AM +0200, Giorgio Pioda wrote: > > On Sat, May 25, 2013 at 05:37:20PM +0200, Petter Reinholdtsen wrote: > > > > > > > > pam_acct_mgmt: Authentication failure > > > > > > > > But actually sssd works, krb5 tickets are OK and right before this > > > > message > > > > pam_sss claims a successful authentication. > > > > > > > > Any clues? > > > > > The only problem I had was when /etc/nsswitch.conf was missing the > 'sss'. In addition you might want to check with 'pam-auth-update' > what authentication mechanisms you would like to allow. I have only > 'Unix' and 'SSS' installed and therefore available, and this seems to > work fine. > > [...] > > > > > Sssd seems to work properly. Ubuntu's pam_mklocaluser is still not working > > correctly, > > (even in Ubuntu 13.04, even using the fixed Wheezy package) and homedirs > > are not created automatically. > > > > Note that pam_mklocaluser is not necessarily needed. If you have home > directories available for off-line use (which can be created with > pretty easily during login [1]), there is no need to 'recreate' the users > locally. > > Best regards, > > Andi > > [1] Add 'session required pam_mkhomedir.so skel=/etc/skel umask=0027' > to /etc/pam.d/common-session > However this only creates the directories when no NFS-homedirs are > availabel. To create the directories in any login, I use > libpam-script > (Cf. > http://anonscm.debian.org/gitweb/?p=collab-maint/debian-lan.git;a=blob;f=fai/config/scripts/ROAMING/10-home_nfs4_krb5;h=9b6b6d3749483b6ff9bfd207f21f5a8698019d46;hb=0600527f83621ba2a09fd3346ea23f2fe5884f77)
Thanks. Disabling mklocalusers (and all the rest) and keeping only Unix and SSS fixes the login. But then the problem relies in the fact that the sss users expect a homedir in /skole/tjener/.. and not in /home/.. Indeed this is a pam_mklocaluser problem. The package in Ubuntu is broken (in several releases) -- Sysadmin SPSE-Tenero Ufficio: +41 91 735 62 48 Cellulare: +41 79 629 20 63 -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
