On Mon, Jan 08, 2018 at 11:27:47AM +0100, Johan Vermeulen wrote:
> Hello All,
> 
> I've set up a new machine for this test and increased the log levels to 6.
> Config for Freeipa-client is done with ipa-client-install, I use chrony
> instead of ntp and SELinux is enabled.
> 
> When the user logs in, /var/log/secure indicates:
> 
> [root@node1 ~]# tail -f /var/log/secure
> Jan  5 09:27:17 node1 lightdm: pam_sss(lightdm:auth): received for user
> jvanvlasselaer: 7 (Authentication failure)
> Jan  5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): authentication
> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jvanvlasselaer
> Jan  5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): received for user
> jvanvlasselaer: 12 (Authentication token is no longer valid; new one
> required)
> Jan  5 09:27:29 node1 lightdm: pam_sss(lightdm:account): User info message:
> Password expired. Change your password now.
> Jan  5 09:27:29 node1 lightdm: pam_unix(lightdm:chauthtok): user
> "jvanvlasselaer" does not exist in /etc/passwd
> 
> But the lightdm gui screen indicates nothing.
> 

> (Fri Jan  5 09:27:29 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200):
> received: [12 (Authenticatietoken is niet langer geldig; nieuwe is
> vereist)][network.cawdekempen.be]
> (Fri Jan  5 09:27:29 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> called with result [12]: Authenticatietoken is niet langer geldig; nieuwe
> is vereist.
> (Fri Jan  5 09:27:29 2018) [sssd[pam]] [filter_responses] (0x0100):
> [pam_response_filter] not available, not fatal.
> (Fri Jan  5 09:27:29 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 39

Here I at least see that the message did reach the sssd_pam process and I
don't see anything that would indicate that the message was filtered out
(OTOH, the debugging is not stellar in this area of code.)

I've never used lightdm, did you maybe test with some other login
method, like login to the console or su from another non-root user?

Does it help to increase pam_verbosity in the [pam] section (see man
sssd.conf for a description)?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
