On 06/14/2013 09:08 AM, Sumit Bose wrote:
On Thu, Jun 13, 2013 at 01:49:30PM +0200, Leah Zimmermann wrote:
Hello Sumit,
Hello List Members,

On 13.06.2013 09:18, Sumit Bose wrote:
On Wed, Jun 12, 2013 at 02:04:33PM +0200, Leah Zimmermann wrote:
On 12.06.2013 12:03, Sumit Bose wrote:
On Wed, Jun 12, 2013 at 11:42:23AM +0200, Leah Zimmermann wrote:
Dear List Members,

I have a FreeIPA domain on a CentOS 6.4 machine. It is in a trust
relationship with an AD domain.
The users of the AD domain can log in via ssh or console login. Then
they can start the gnome desktop manually. But if they log in via gdm
they are logged out immediately.
Which name style are you using 'AD_NETBIOS\username' or
'username@AD_DOMAIN' ? If you only tried one can you try the other?
Until now I tried only 'username@AD_DOMAIN', but
'AD_NETBIOS\username' does not work either.
If this does not help, please send the relevant section of
/var/log/secure and the sssd logs with a high debug level.


As far as I can see, both styles cause the same results.

Jun 12 13:27:56 ipa_hostname pam: gdm-password:
pam_unix(gdm-password:auth): authentication failure; logname= uid=0
euid=0 tty=:0 ruser= rhost=  user=leah@AD_DOMAIN
Jun 12 13:27:57 ipa_hostname pam: gdm-password:
pam_sss(gdm-password:auth): authentication success; logname= uid=0
euid=0 tty=:0 ruser= rhost= user=leah@AD_DOMAIN
Jun 12 13:27:57 ipa_hostname pam: gdm-password:
pam_unix(gdm-password:session): session opened for user
leah@AD_DOMAIN by (uid=0)
Jun 12 13:27:57 ipa_hostname polkitd(authority=local): Unregistered
Authentication Agent for session
/org/freedesktop/ConsoleKit/Session25 (system bus name :1.265,
object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
de_DE.UTF-8) (disconnected from bus)
Jun 12 13:27:58 ipa_hostname pam: gdm-password:
pam_unix(gdm-password:session): session closed for user
leah@AD_DOMAIN
Jun 12 13:27:59 ipa_hostname polkitd(authority=local): Registered
Authentication Agent for session
/org/freedesktop/ConsoleKit/Session27 (system bus name :1.275
[/usr/libexec/polkit-gnome-authentication-agent-1], object path
/org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)


Jun 12 13:32:56 ipa_hostname pam: gdm-password:
pam_unix(gdm-password:auth): authentication failure; logname= uid=0
euid=0 tty=:0 ruser= rhost=  user=AD_NETBIOS\leah
Jun 12 13:32:58 ipa_hostname pam: gdm-password:
pam_sss(gdm-password:auth): authentication success; logname= uid=0
euid=0 tty=:0 ruser= rhost= user=AD_NETBIOS\leah
Jun 12 13:32:58 ipa_hostname pam: gdm-password:
pam_unix(gdm-password:session): session opened for user
AD_NETBIOS\leah by (uid=0)
Jun 12 13:32:58 ipa_hostname polkitd(authority=local): Unregistered
Authentication Agent for session
/org/freedesktop/ConsoleKit/Session27 (system bus name :1.275,
object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
de_DE.UTF-8) (disconnected from bus)
Jun 12 13:32:58 ipa_hostname pam: gdm-password:
pam_unix(gdm-password:session): session closed for user
AD_NETBIOS\leah
Jun 12 13:32:59 ipa_hostname polkitd(authority=local): Registered
Authentication Agent for session
/org/freedesktop/ConsoleKit/Session29 (system bus name :1.285
[/usr/libexec/polkit-gnome-authentication-agent-1], object path
/org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)

Maybe the Unregistered Authentication Agent is the problem. But
what have I missed doing?
Do you have SELinux enabled? Can you check if there are any audit messages
with SELinux denials? Can you check if the SELinux context of the user's
home directory is right?
SELinux is disabled by setting SELINUX=disabled in /etc/sysconfig/selinux.
I did that already, to eliminate this as a source of difficulties.
I'm sorry, maybe I should have mentioned this earlier.

If I set it to permissive mode I get

drwxr-xr-x. leah@ad_domain    leah@ad_domain
unconfined_u:object_r:user_home_t:s0 leah
drwxr-xr-x. user_xy@ad_domain user_xy@ad_domain
unconfined_u:object_r:user_home_t:s0 user_xy
...

All home directories of AD users look like this.
The labels look good. Since this issue seems to happen during the
open-session PAM step, I'm quite confident that it is not related to
FreeIPA or SSSD, because they do not handle open-session. Do the log
files in /var/log/gdm contain any other information? Can you send your
gdm-password PAM configuration file and all included ones (password-auth)
to see if there is anything odd?

OK, here are the files. Hopefully I haven't missed something. I cut out only the lines which appear as soon as I log in. The complete logs are really huge.

###########
/etc/pam.d/gdm-password

auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        substack      password-auth
auth        optional      pam_gnome_keyring.so

account     required      pam_nologin.so
account     include       password-auth

password    substack      password-auth
password    optional      pam_gnome_keyring.so

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     optional      pam_console.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     optional      pam_gnome_keyring.so auto_start
session     include       password-auth


###########
/etc/pam.d/password-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


###########
/var/log/Xorg.0.log:

[316000.576] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 1 connected from local host ( uid=0 gid=0 pid=20544 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.587] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 connected from local host ( uid=0 gid=0 pid=20550 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.592] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 disconnected
[316000.603] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 connected from local host ( uid=0 gid=0 pid=20552 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.630] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 disconnected
[316000.633] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 connected from local host ( uid=0 gid=0 pid=20555 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.633] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 disconnected
[316000.694] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 2 connected from local host ( uid=42 gid=42 pid=20561 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.709] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 3 connected from local host ( uid=42 gid=42 pid=20564 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.723] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 4 connected from local host ( uid=42 gid=42 pid=20566 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.868] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 6 connected from local host ( uid=42 gid=42 pid=20574 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.870] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 5 connected from local host ( uid=42 gid=42 pid=20571 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.963] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 7 connected from local host ( uid=42 gid=42 pid=20582 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316000.964] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 7 disconnected
[316001.035] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 7 connected from local host ( uid=42 gid=42 pid=20566 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.042] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 8 connected from local host ( uid=42 gid=42 pid=20574 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.048] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 9 connected from local host ( uid=42 gid=42 pid=20586 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.069] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 10 connected from local host ( uid=42 gid=42 pid=20586 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.113] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 11 connected from local host ( uid=42 gid=42 pid=20574 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.117] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 11 disconnected
[316001.184] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 12 connected from local host ( uid=42 gid=42 pid=20587 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.219] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 13 connected from local host ( uid=42 gid=42 pid=20588 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.226] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 14 connected from local host ( uid=42 gid=42 pid=20590 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.230] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 15 connected from local host ( uid=42 gid=42 pid=20591 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.240] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 16 connected from local host ( uid=42 gid=42 pid=20589 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.257] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 17 connected from local host ( uid=42 gid=42 pid=20587 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.285] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 18 connected from local host ( uid=42 gid=42 pid=20588 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.291] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 19 connected from local host ( uid=42 gid=42 pid=20591 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.296] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 20 connected from local host ( uid=42 gid=42 pid=20590 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.304] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 21 connected from local host ( uid=42 gid=42 pid=20589 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.359] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 22 connected from local host ( uid=42 gid=42 pid=20591 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.360] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 22 disconnected
[316001.378] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 19 disconnected
[316001.382] AUDIT: Tue Jun 18 07:33:17 2013: 20546: client 15 disconnected
[316001.423] AUDIT: Tue Jun 18 07:33:18 2013: 20546: client 17 disconnected
[316001.424] AUDIT: Tue Jun 18 07:33:18 2013: 20546: client 12 disconnected
[316001.432] AUDIT: Tue Jun 18 07:33:18 2013: 20546: client 12 connected from local host ( uid=42 gid=42 pid=20595 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316001.481] AUDIT: Tue Jun 18 07:33:18 2013: 20546: client 15 connected from local host ( uid=42 gid=42 pid=20595 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
[316031.299] AUDIT: Tue Jun 18 07:33:47 2013: 20546: client 15 disconnected
[316031.299] AUDIT: Tue Jun 18 07:33:47 2013: 20546: client 12 disconnected

###########
/var/log/gdm/\:0.log

AUDIT: Tue Jun 18 07:32:55 2013: 17438: client 11 connected from local host ( uid=0 gid=0 pid=17436 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 17 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 21 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 18 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 15 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 5 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 20 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 8 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 16 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 7 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 10 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 4 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 9 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 6 disconnected
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 4 connected from local host ( uid=0 gid=0 pid=20521 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:15 2013: 17438: client 4 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 connected from local host ( uid=907001104 gid=907001104 pid=20525 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 connected from local host ( uid=907001104 gid=907001104 pid=20526 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 connected from local host ( uid=907001104 gid=907001104 pid=20528 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 5 connected from local host ( uid=907001104 gid=907001104 pid=20531 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 6 connected from local host ( uid=907001104 gid=907001104 pid=20536 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 270
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 6 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 1 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 2 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 3 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 4 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 5 disconnected
AUDIT: Tue Jun 18 07:33:16 2013: 17438: client 11 disconnected
(II) evdev: ImExPS/2 Generic Explorer Mouse: Close
(II) evdev: Macintosh mouse button emulation: Close
(II) evdev: Power Button: Close
(II) evdev: AT Translated Set 2 keyboard: Close
Server terminated successfully (0). Closing log file.


###########
/var/log/gdm/\:0-greeter.log:

Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x1c0002b (Login Wind)
Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.
Window manager warning: CurrentTime used to choose focus window; focus window may not be correct.
Window manager warning: Got a request to focus the no_focus_window with a timestamp of 0. This shouldn't happen!


###########
/var/log/gdm/\:0-slave.log is empty

Thanks

Leah

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
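As an added example (not from the thread or from FreeIPA/SSSD), a small Python script that runs the "session opened, then closed within seconds" check from the /var/log/secure excerpt above over a log file; the sample lines are constructed from the thread, re-joined onto single lines, and 'alice' is a made-up local user with a normal session for contrast.

```python
import re
from datetime import datetime

# Constructed sample: the /var/log/secure lines quoted in the thread, re-joined
# onto single lines, plus a long-lived session for a made-up local user.
SAMPLE_SECURE = """\
Jun 12 13:27:56 ipa_hostname pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=leah@AD_DOMAIN
Jun 12 13:27:57 ipa_hostname pam: gdm-password: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=leah@AD_DOMAIN
Jun 12 13:27:57 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session opened for user leah@AD_DOMAIN by (uid=0)
Jun 12 13:27:58 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session closed for user leah@AD_DOMAIN
Jun 12 13:40:00 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session opened for user alice by (uid=0)
Jun 12 15:12:31 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session closed for user alice
"""

# "<timestamp> <host> ... pam_<module>(<service>:<phase>): <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ .*?"
                     r"pam_(?P<module>\w+)\((?P<service>[^:]+):(?P<phase>\w+)\): (?P<msg>.*)$")
USER_RE = re.compile(r"\buser[= ](\S+)")  # matches both 'user=X' and 'for user X'

def parse(text, year=2013):
    """Yield (ts, module, service, phase, user, msg) per PAM line; syslog omits the year."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        u = USER_RE.search(m["msg"])
        yield ts, m["module"], m["service"], m["phase"], (u.group(1) if u else None), m["msg"]

def short_sessions(events, max_seconds=5):
    """Pair pam_unix 'session opened'/'session closed' per (service, user) and
    return the ones closed within max_seconds: the 'logged out immediately' pattern.
    The pam_unix auth failure before the pam_sss success is expected for AD users
    with this stack and is deliberately ignored here."""
    opened, flagged = {}, []
    for ts, module, service, _phase, user, msg in events:
        if module != "unix" or not msg.startswith("session "):
            continue
        key = (service, user)
        if msg.startswith("session opened"):
            opened[key] = ts
        elif key in opened:
            dur = (ts - opened.pop(key)).total_seconds()
            if dur <= max_seconds:
                flagged.append((user, service, dur))
    return flagged
```

Run it over the real file with `short_sessions(parse(open("/var/log/secure").read()))`; a hit for a gdm-password service points at the session phase, which is where the thread's diagnosis focuses.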
