On Thu, May 29, 2014 at 11:20:37AM -0700, Scott Allen wrote:
> Hi,
> Having a particularly weird problem. We have moved from AD to freeIPA
> recently and while there have been some bumps, most of the CentOS 6.2 boxes
> make the transition successfully. Some background.
> 
> The Linux boxes were joined to AD on Windows 2008R2 using samba/winbind.
> When we moved from AD, boxes were not "removed" from AD, just disabled on
> the server side. We scripted the necessary bits since we were moving to a
> new subnet as well. The script runs "ipa-client-install -p admin --password
> PASSWORD --enable-dns-updates -U"
> 
> The machines were joined successfully to freeIPA and then added to
> allow_all_hosts Host Group.
> 
> On a workstation that was migrated, all users can successfully log in.
> On a fresh install of CentOS6.2, only myself (admin_user) and a newly
> created user (foo) can successfully log in.
> 
> On this fresh install, 'david' is blocked but new user 'foo' is allowed.
> 
> May 29 09:20:29 embassy419 polkitd(authority=local): Registered
> Authentication Agent for session /org/freedesktop/ConsoleKit/Session1
> (system bus name :1.26 [/usr/libexec/polkit-gnome-authentication-agent-1],
> object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> May 29 09:20:46 embassy419 pam: gdm-password[2910]:
> pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0
> tty=:0 ruser= rhost=  user=david
> May 29 09:20:47 embassy419 pam: gdm-password[2910]:
> pam_sss(gdm-password:auth): system info: [Preauthentication failed]
> May 29 09:20:47 embassy419 pam: gdm-password[2910]:
> pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0
> tty=:0 ruser= rhost= user=david
> May 29 09:20:47 embassy419 pam: gdm-password[2910]:
> pam_sss(gdm-password:auth): received for user david: 17 (Failure setting
> user credentials)
> May 29 10:44:06 embassy419 polkitd(authority=local): Registered
> Authentication Agent for session /org/freedesktop/ConsoleKit/Session3
> (system bus name :1.88 [/usr/libexec/polkit-gnome-authentication-agent-1],
> object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> May 29 10:44:13 embassy419 pam: gdm-password[3956]:
> pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0
> tty=:1 ruser= rhost=  user=foo
> May 29 10:44:14 embassy419 pam: gdm-password[3956]:
> pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0
> tty=:1 ruser= rhost= user=foo
> May 29 10:44:14 embassy419 pam: gdm-password[3956]:
> pam_unix(gdm-password:session): session opened for user foo by (uid=0)
> May 29 10:44:15 embassy419 polkitd(authority=local): Unregistered
> Authentication Agent for session /org/freedesktop/ConsoleKit/Session3
> (system bus name :1.88, object path
> /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> (disconnected from bus)
> 
> But on this machine that was migrated.
> pam: gdm-password[14145]: pam_unix(gdm-password:auth): authentication
> failure; logname= uid=0 euid=0 tty=:1 ruser= rhost=  user=david
> May 29 10:42:08 Embassy426 pam: gdm-password[14145]:
> pam_sss(gdm-password:auth): system info: [Preauthentication failed]
> May 29 10:42:08 Embassy426 pam: gdm-password[14145]:
> pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0
> tty=:1 ruser= rhost= user=david
> May 29 10:42:08 Embassy426 pam: gdm-password[14145]:
> pam_sss(gdm-password:auth): received for user david: 17 (Failure setting
> user credentials)
> May 29 10:42:08 Embassy426 pam: gdm-password[14145]:
> pam_winbind(gdm-password:auth): getting password (0x00000010)
> May 29 10:42:08 Embassy426 pam: gdm-password[14145]:
> pam_winbind(gdm-password:auth): pam_get_item returned a password
> May 29 10:42:09 Embassy426 pam: gdm-password[14145]:
> pam_winbind(gdm-password:auth): user 'david' granted access
> May 29 10:42:09 Embassy426 pam: gdm-password[14145]:
> pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave
> WBC_ERR_DOMAIN_NOT_FOUND
> May 29 10:42:10 Embassy426 pam: gdm-password[14145]:
> pam_unix(gdm-password:session): session opened for user david by (uid=0)

As Dmitri already said, on the migrated systems winbind is still used
and doing the authentication which is still talking ot AD. But you can
see the same error from pam_sss 'Preauthentication failed' which
typically is an indication that the password is wrong.

How did you migrate the passwords from AD to IPA?

bye,
Sumit

> May 29 10:42:10 Embassy426 polkitd(authority=local): Unregistered
> Authentication Agent for session /org/freedesktop/ConsoleKit/Session3
> (system bus name :1.85, object path
> /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> (disconnected from bus)

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to