On Tue, Jun 18, 2013 at 08:00:02AM +0200, Leah Zimmermann wrote:
> On 06/14/2013 09:08 AM, Sumit Bose wrote:
> >On Thu, Jun 13, 2013 at 01:49:30PM +0200, Leah Zimmermann wrote:
> >>Hello Sumit,
> >>Hello List Members,
> >>
> >>On 13.06.2013 09:18, Sumit Bose wrote:
> >>>On Wed, Jun 12, 2013 at 02:04:33PM +0200, Leah Zimmermann wrote:
> >>>>On 12.06.2013 12:03, Sumit Bose wrote:
> >>>>>On Wed, Jun 12, 2013 at 11:42:23AM +0200, Leah Zimmermann wrote:
> >>>>>>Dear List Members,
> >>>>>>
> >>>>>>I have a FreeIPA-Domain on a CentOS 6.4 machine. It is in a trusted
> >>>>>>relationship to an AD-Domain.
> >>>>>>The users of the AD-Domain can login via ssh- or console-login. Then
> >>>>>>they can start the gnome desktop manually. But if they login via gdm
> >>>>>>they are logged out immediately.
> >>>>>Which name style are you using 'AD_NETBIOS\username' or
> >>>>>'username@AD_DOMAIN' ? If you only tried one can you try the other?
> >>>>until now I tried only 'username@AD_DOMAIN', but
> >>>>'AD_NETBIOS\username' does not work as well.
> >>>>>If this does not help, please send the relevant section of
> >>>>>/var/log/secure and the sssd logs with a high debug level.
> >>>>>
> >>>>>
> >>>>As far as I can see, both styles cause the same results.
> >>>>
> >>>>Jun 12 13:27:56 ipa_hostname pam: gdm-password:
> >>>>pam_unix(gdm-password:auth): authentication failure; logname= uid=0
> >>>>euid=0 tty=:0 ruser= rhost= user=leah@AD_DOMAIN
> >>>>Jun 12 13:27:57 ipa_hostname pam: gdm-password:
> >>>>pam_sss(gdm-password:auth): authentication success; logname= uid=0
> >>>>euid=0 tty=:0 ruser= rhost= user=leah@AD_DOMAIN
> >>>>Jun 12 13:27:57 ipa_hostname pam: gdm-password:
> >>>>pam_unix(gdm-password:session): session opened for user
> >>>>leah@AD_DOMAIN by (uid=0)
> >>>>Jun 12 13:27:57 ipa_hostname polkitd(authority=local): Unregistered
> >>>>Authentication Agent for session
> >>>>/org/freedesktop/ConsoleKit/Session25 (system bus name :1.265,
> >>>>object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
> >>>>de_DE.UTF-8) (disconnected from bus)
> >>>>Jun 12 13:27:58 ipa_hostname pam: gdm-password:
> >>>>pam_unix(gdm-password:session): session closed for user
> >>>>leah@AD_DOMAIN
> >>>>Jun 12 13:27:59 ipa_hostname polkitd(authority=local): Registered
> >>>>Authentication Agent for session
> >>>>/org/freedesktop/ConsoleKit/Session27 (system bus name :1.275
> >>>>[/usr/libexec/polkit-gnome-authentication-agent-1], object path
> >>>>/org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
> >>>>
> >>>>
> >>>>Jun 12 13:32:56 ipa_hostname pam: gdm-password:
> >>>>pam_unix(gdm-password:auth): authentication failure; logname= uid=0
> >>>>euid=0 tty=:0 ruser= rhost= user=AD_NETBIOS\leah
> >>>>Jun 12 13:32:58 ipa_hostname pam: gdm-password:
> >>>>pam_sss(gdm-password:auth): authentication success; logname= uid=0
> >>>>euid=0 tty=:0 ruser= rhost= user=AD_NETBIOS\leah
> >>>>Jun 12 13:32:58 ipa_hostname pam: gdm-password:
> >>>>pam_unix(gdm-password:session): session opened for user
> >>>>AD_NETBIOS\leah by (uid=0)
> >>>>Jun 12 13:32:58 ipa_hostname polkitd(authority=local): Unregistered
> >>>>Authentication Agent for session
> >>>>/org/freedesktop/ConsoleKit/Session27 (system bus name :1.275,
> >>>>object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
> >>>>de_DE.UTF-8) (disconnected from bus)
> >>>>Jun 12 13:32:58 ipa_hostname pam: gdm-password:
> >>>>pam_unix(gdm-password:session): session closed for user
> >>>>AD_NETBIOS\leah
> >>>>Jun 12 13:32:59 ipa_hostname polkitd(authority=local): Registered
> >>>>Authentication Agent for session
> >>>>/org/freedesktop/ConsoleKit/Session29 (system bus name :1.285
> >>>>[/usr/libexec/polkit-gnome-authentication-agent-1], object path
> >>>>/org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
> >>>>
> >>>>Maybe the Unregistered Authentication Agent is the problem. But
> >>>>what have I missed to do?
> >>>Do you have SELinux enabled? Can you check if there are any audit messages
> >>>with SELinux denials? Can you check if the SELinux context of the users
> >>>home directory is right?
> >>SELinux is disabled by setting SELINUX=disabled in /etc/sysconfig/selinux.
> >>I did that already, for eliminating this as the source of difficulties.
> >>I'm sorry. Maybe I should have mentioned this earlier.
> >>
> >>If I set it to permissive mode I get
> >>
> >>drwxr-xr-x. leah@ad_domain leah@ad_domain
> >>unconfined_u:object_r:user_home_t:s0 leah
> >>drwxr-xr-x. user_xy@ad_domain user_xy@ad_domain
> >>unconfined_u:object_r:user_home_t:s0 user_xy
> >>...
> >>
> >>All home directories of AD-Users look like this.
> >The labels look good. Since this issue seems to happen during the
> >open-session PAM step I'm quite confident that it is not related to
> >FreeIPA or SSSD, because they do not handle open-session. Do the log
> >files in /var/log/gdm contain any other information? Can you send your
> >gdm-passwd PAM configuration file and all included ones (password-auth)
> >to see if there is anything odd?
>
> ok, here are the files. Hopefully I haven't missed something. I cut
> out only the lines, which are appearing as soon as I logged in. The
> complete logs are really huge.
>

The PAM config looks ok and I didn't find anything obvious in the logs,
maybe except the odd looking message in :0-greeter.log. But I think they
are not critical.

Have you tried if a gdm login with an IPA user is working on this
client?

bye,
Sumit

>
> ###########
> /var/log/gdm/\:0-greeter.log:
>
> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW
> message with a timestamp of 0 for 0x1c0002b (Login Wind)
> Window manager warning: meta_window_activate called by a pager with
> a 0 timestamp; the pager needs to be fixed.
> Window manager warning: CurrentTime used to choose focus window;
> focus window may not be correct.
> Window manager warning: Got a request to focus the no_focus_window
> with a timestamp of 0. This shouldn't happen!
>
>
> ###########
> /var/log/gdm/\:0-slave.log is empty
>
> Thanks
>
> Leah
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
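
An added example, not part of the original thread: the quoted /var/log/secure excerpt shows pam_sss authentication succeeding and the gdm-password session closing one second after it opened, which is what places the failure in the session step. The sketch below finds that pattern in a log; the function name `short_sessions`, the 5-second threshold, the assumed year and the sample lines (rebuilt from the excerpt, plus an invented ssh session for contrast) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the /var/log/secure excerpt in the thread
# (the wrapped lines are joined; the ssh session is invented for contrast).
SAMPLE = """\
Jun 12 13:27:56 ipa_hostname pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=leah@AD_DOMAIN
Jun 12 13:27:57 ipa_hostname pam: gdm-password: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=leah@AD_DOMAIN
Jun 12 13:27:57 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session opened for user leah@AD_DOMAIN by (uid=0)
Jun 12 13:27:58 ipa_hostname pam: gdm-password: pam_unix(gdm-password:session): session closed for user leah@AD_DOMAIN
Jun 12 13:40:01 ipa_hostname sshd[4242]: pam_unix(sshd:session): session opened for user leah@AD_DOMAIN by (uid=0)
Jun 12 14:10:30 ipa_hostname sshd[4242]: pam_unix(sshd:session): session closed for user leah@AD_DOMAIN
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"pam_(?P<mod>\w+)\((?P<svc>[\w-]+):(?P<phase>\w+)\): (?P<msg>.*)$")
USER = re.compile(r"(?:for user |\buser=)(?P<user>\S+)")


def short_sessions(text, max_seconds=5, year=2013):
    """Return (service, user, seconds, auth_ok) for sessions closed within max_seconds."""
    auth_ok, opened, hits = set(), {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        u = USER.search(m.group("msg")) if m else None
        if not u:
            continue
        key = (m.group("svc"), u.group("user"))
        # syslog timestamps carry no year; one is assumed for parsing
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        msg = m.group("msg")
        if m.group("phase") == "auth" and msg.startswith("authentication success"):
            auth_ok.add(key)
        elif msg.startswith("session opened"):
            opened[key] = ts
        elif msg.startswith("session closed") and key in opened:
            secs = (ts - opened.pop(key)).total_seconds()
            if secs <= max_seconds:
                hits.append((key[0], key[1], secs, key in auth_ok))
    return hits


if __name__ == "__main__":
    for svc, user, secs, ok in short_sessions(SAMPLE):
        print(f"{svc}: {user} session lasted {secs:.0f}s (auth succeeded: {ok})")
```

A hit with `auth_ok` set means the credentials were accepted and the session ended afterwards, so the place to look next is the session stack and the desktop's own logs rather than the authentication backend.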
