On Thu, May 29, 2014 at 11:20:37AM -0700, Scott Allen wrote: > Hi, > Having a particularly weird problem. We have moved from AD to freeIPA > recently and while there have been some bumps, most of the CentOS 6.2 boxes > make the transition successfully. Some background. > > The Linux boxes were joined to AD on Windows 2008R2 using samba/winbind. > When we moved from AD, boxes were not "removed" from AD, just disabled on > the server side. We scripted the necessary bits since we were moving to a > new subnet as well. The script runs "ipa-client-install -p admin --password > PASSWORD --enable-dns-updates -U" > > The machines were joined successfully to freeIPA and then added to > allow_all_hosts Host Group. > > On a workstation that was migrated, all users can successfully log in. > On a fresh install of CentOS6.2, only myself (admin_user) and a newly > created user (foo) can successfully log in. > > On this fresh install, 'david' is blocked but new user 'foo' is allowed. > > May 29 09:20:29 embassy419 polkitd(authority=local): Registered > Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 > (system bus name :1.26 [/usr/libexec/polkit-gnome-authentication-agent-1], > object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) > May 29 09:20:46 embassy419 pam: gdm-password[2910]: > pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 > tty=:0 ruser= rhost= user=david > May 29 09:20:47 embassy419 pam: gdm-password[2910]: > pam_sss(gdm-password:auth): system info: [Preauthentication failed] > May 29 09:20:47 embassy419 pam: gdm-password[2910]: > pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 > tty=:0 ruser= rhost= user=david > May 29 09:20:47 embassy419 pam: gdm-password[2910]: > pam_sss(gdm-password:auth): received for user david: 17 (Failure setting > user credentials) > May 29 10:44:06 embassy419 polkitd(authority=local): Registered > Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 > (system bus name :1.88 [/usr/libexec/polkit-gnome-authentication-agent-1], > object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) > May 29 10:44:13 embassy419 pam: gdm-password[3956]: > pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 > tty=:1 ruser= rhost= user=foo > May 29 10:44:14 embassy419 pam: gdm-password[3956]: > pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 > tty=:1 ruser= rhost= user=foo > May 29 10:44:14 embassy419 pam: gdm-password[3956]: > pam_unix(gdm-password:session): session opened for user foo by (uid=0) > May 29 10:44:15 embassy419 polkitd(authority=local): Unregistered > Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 > (system bus name :1.88, object path > /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) > (disconnected from bus) > > But on this machine that was migrated. > pam: gdm-password[14145]: pam_unix(gdm-password:auth): authentication > failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: > pam_sss(gdm-password:auth): system info: [Preauthentication failed] > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: > pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 > tty=:1 ruser= rhost= user=david > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: > pam_sss(gdm-password:auth): received for user david: 17 (Failure setting > user credentials) > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: > pam_winbind(gdm-password:auth): getting password (0x00000010) > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: > pam_winbind(gdm-password:auth): pam_get_item returned a password > May 29 10:42:09 Embassy426 pam: gdm-password[14145]: > pam_winbind(gdm-password:auth): user 'david' granted access > May 29 10:42:09 Embassy426 pam: gdm-password[14145]: > pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave > WBC_ERR_DOMAIN_NOT_FOUND > May 29 10:42:10 Embassy426 pam: gdm-password[14145]: > pam_unix(gdm-password:session): session opened for user david by (uid=0)
As Dmitri already said, on the migrated systems winbind is still used and doing the authentication which is still talking ot AD. But you can see the same error from pam_sss 'Preauthentication failed' which typically is an indication that the password is wrong. How did you migrate the passwords from AD to IPA? bye, Sumit > May 29 10:42:10 Embassy426 polkitd(authority=local): Unregistered > Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 > (system bus name :1.85, object path > /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) > (disconnected from bus) _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
