Hello,

apologies for the late reply, due to the holidays.

I had a call from a user this morning; she had to make multiple login
attempts and reboot several times before she could log in.

Trying to follow
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

I assume the general setup works, as troubles only show up when the password
expires.
On the user's laptop:

[root@lremijsen ~]# systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since do 2018-01-04 08:42:01 CET; 2h 35min ago
  Process: 730 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
 Main PID: 757 (sssd)
   CGroup: /system.slice/sssd.service
           ├─757 /usr/sbin/sssd -D -f
           ├─767 /usr/libexec/sssd/sssd_be --domain network.cawdekempen.be --uid 0 --gid 0 --debug-to-files
           ├─774 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           ├─775 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
           ├─776 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
           ├─777 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
           └─778 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files

jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 2
jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 2
jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 2

In /var/log/secure there is always a clear message that the password is
expired:

Jan  4 10:06:13 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication failure; logname= uid=382900705 euid=382900705 tty=:0.0 ruser= rhost= user=lremijsen
Jan  4 10:06:13 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:auth): received for user lremijsen: 12 (Authenticatietoken is niet langer geldig; nieuwe is vereist)
Jan  4 10:06:14 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:account): User info message: Wachtwoord verlopen. Verander nu uw wachtwoord.

sssd_pam.log only shows:

(Tue Jan  2 13:05:46 2018) [sssd[pam]] [orderly_shutdown] (0x0010): SIGTERM: killing children

sssd_network.cawdekempen.be.log only shows:

(Tue Jan  2 13:05:46 2018) [sssd[be[network.cawdekempen.be]]] [orderly_shutdown] (0x0010): SIGTERM: killing children

I suppose I have to increase the log levels?

Many many thanks for the help!

greetings, J.



2017-12-21 22:01 GMT+01:00 Jakub Hrozek via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:

> This sounds like a bug, could you follow
> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html, gather logs
> from the pam and domain sections and post them here? If the password is
> expired, then pam_sss should send a message to the login manager which the
> login manager should display.
>
> The logs would at least show if the daemon is sending the message to
> pam_sss…
>
> > On 21 Dec 2017, at 09:39, Johan Vermeulen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> >
> > Hello All,
> >
> > We run some 200 Centos7/Mate laptops, since last year they authenticate
> > against freeipa.
> > Lightdm/Mate are installed using epel repo.
> >
> > On Centos7.3/Lightdm 1.10.6-4.el7 things were all right, when a password
> > expired, users would get the passwd expired field, the "new password" field
> > and warnings if they made a mistake.
> > Since upgrading to Centos7.4/Lightdm 1.25.0-1.el7 things go terribly
> > wrong. Users very often get no warning if a password expired, just an
> > authentication failure.
> > Or they get no message at all.
> >
> > If at that point you go to tty....and log in you do get the warnings on
> > the command line.
> > The log files /var/log/secure also give clear password expired messages,
> > only the user sees nothing.
> >
> > This is a big problem because users cannot log in and cannot work without
> > interventions.
> >
> > Many thanks for any help.
> >
> > Greetings, J.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
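
Added example, not part of the original thread: a Python script that tallies pam_sss entries from /var/log/secure per PAM service and user, showing where code 12 (password expired) was returned and whether a "User info message" line was logged after it. The sample lines are constructed; the lightdm entries and the user jdoe are invented for illustration.

```python
import re
from collections import defaultdict

PAM_NEW_AUTHTOK_REQD = 12  # Linux-PAM code: token expired, new one required

# "Jan  4 10:06:13 host program: pam_sss(service:phase): message"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s[^:]+:\s"
    r"pam_sss\((?P<service>[^:)]+):(?P<phase>\w+)\):\s(?P<msg>.*)$")
RECEIVED_RE = re.compile(r"received for user (?P<user>\S+): (?P<code>\d+)")
FAILURE_RE = re.compile(r"authentication failure;.*\buser=(?P<user>\S+)")

# Constructed sample: the first three lines are the thread's entries unwrapped;
# the lightdm lines and the user "jdoe" are invented for illustration.
SAMPLE = [
    "Jan  4 10:06:13 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication failure; logname= uid=382900705 euid=382900705 tty=:0.0 ruser= rhost= user=lremijsen",
    "Jan  4 10:06:13 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:auth): received for user lremijsen: 12 (Authenticatietoken is niet langer geldig; nieuwe is vereist)",
    "Jan  4 10:06:14 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:account): User info message: Wachtwoord verlopen. Verander nu uw wachtwoord.",
    "Jan  4 08:40:02 laptop2 lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdoe",
    "Jan  4 08:40:02 laptop2 lightdm: pam_sss(lightdm:auth): received for user jdoe: 12 (Authentication token is no longer valid; new one required)",
]

def summarize(lines):
    """Return {(service, user): {"failures": n, "expired": n, "info_msgs": n}}."""
    stats = defaultdict(lambda: {"failures": 0, "expired": 0, "info_msgs": 0})
    last_user = {}  # PAM service -> user named in its most recent auth entry
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a pam_sss entry
        service, msg = m["service"], m["msg"]
        if (f := FAILURE_RE.search(msg)):
            last_user[service] = f["user"]
            stats[(service, f["user"])]["failures"] += 1
        elif (r := RECEIVED_RE.search(msg)):
            last_user[service] = r["user"]
            if int(r["code"]) == PAM_NEW_AUTHTOK_REQD:
                stats[(service, r["user"])]["expired"] += 1
        elif msg.startswith("User info message:") and service in last_user:
            # This entry names no user; attribute it to the preceding
            # auth entry for the same PAM service.
            stats[(service, last_user[service])]["info_msgs"] += 1
    return dict(stats)

def silent_expiry(stats):
    """(service, user) pairs with code 12 logged but no info message logged."""
    return sorted(k for k, v in stats.items()
                  if v["expired"] and not v["info_msgs"])
```

On a real host, pass the open file object for /var/log/secure to summarize() instead of SAMPLE.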