On Thu, Jun 05, 2014 at 03:11:00PM -0700, Scott Allen wrote:
> Found the problem. The users were added by a custom script that didn't
> prompt for passwords. As such, the users were in IPA and enabled but not
> able to login as they never had an initial password set. So on migrated
> machines it fell through to winbind and somehow found the old AD server.

Great, thank you for the feedback. I would recommend to remove the winbind
entries from PAM and NSS configuration after the migration is finished.

bye,
Sumit

>
> On Thu, Jun 5, 2014 at 1:47 PM, Scott Allen <[email protected]> wrote:
>
> > Hi,
> > I didn't migrate the passwords. All users started with a new default on IPA.
> > The new user foo doesn't exist on the AD system but can login successfully
> > using IPA credentials on a migrated system.
> >
> >
> > On Fri, May 30, 2014 at 12:35 AM, Sumit Bose <[email protected]> wrote:
> >
> >> On Thu, May 29, 2014 at 11:20:37AM -0700, Scott Allen wrote:
> >> > Hi,
> >> > Having a particularly weird problem. We have moved from AD to freeIPA
> >> > recently and while there have been some bumps, most of the CentOS 6.2 boxes
> >> > make the transition successfully. Some background.
> >> >
> >> > The Linux boxes were joined to AD on Windows 2008R2 using samba/winbind.
> >> > When we moved from AD, boxes were not "removed" from AD, just disabled on
> >> > the server side. We scripted the necessary bits since we were moving to a
> >> > new subnet as well. The script runs "ipa-client-install -p admin --password
> >> > PASSWORD --enable-dns-updates -U"
> >> >
> >> > The machines were joined successfully to freeIPA and then added to
> >> > allow_all_hosts Host Group.
> >> >
> >> > On a workstation that was migrated, all users can successfully log in.
> >> > On a fresh install of CentOS6.2, only myself (admin_user) and a newly
> >> > created user (foo) can successfully log in.
> >> >
> >> > On this fresh install, 'david' is blocked but new user 'foo' is allowed.
> >> >
> >> > May 29 09:20:29 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.26 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> >> > May 29 09:20:46 embassy419 pam: gdm-password[2910]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
> >> > May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
> >> > May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
> >> > May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
> >> > May 29 10:44:06 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.88 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> >> > May 29 10:44:13 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
> >> > May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
> >> > May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:session): session opened for user foo by (uid=0)
> >> > May 29 10:44:15 embassy419 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.88, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
> >> >
> >> > But on this machine that was migrated.
> >> > pam: gdm-password[14145]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
> >> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
> >> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
> >> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
> >> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): getting password (0x00000010)
> >> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): pam_get_item returned a password
> >> > May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): user 'david' granted access
> >> > May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
> >> > May 29 10:42:10 Embassy426 pam: gdm-password[14145]: pam_unix(gdm-password:session): session opened for user david by (uid=0)
> >>
> >> As Dmitri already said, on the migrated systems winbind is still used
> >> and doing the authentication which is still talking to AD. But you can
> >> see the same error from pam_sss 'Preauthentication failed' which
> >> typically is an indication that the password is wrong.
> >>
> >> How did you migrate the passwords from AD to IPA?
> >>
> >> bye,
> >> Sumit
> >>
> >> > May 29 10:42:10 Embassy426 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.85, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
> >
> >
> > --
> > Scott Allen
> > Head of IT
> > The Embassy Visual Effects Inc.
> > 4th Floor - 177 W 7th Avenue
> > Vancouver, B.C.
> > V5Y 1L8
> > 604.696.6862 ext 241
>

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
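Two things in this thread lend themselves to a small check that defenders can run: the PAM trace Scott posted shows the fall-through pattern itself (pam_sss fails, then pam_winbind in the same gdm-password PID grants access), and Sumit's closing advice is to strip the winbind entries from the PAM and NSS configuration once the migration is done. The script below is an added example and is not code from the thread, from SSSD or from the FreeIPA project. Its log parser is fed the gdm-password lines quoted above, re-joined into single lines; the /etc/nsswitch.conf and /etc/pam.d/system-auth contents are constructed in a typical CentOS 6 layout and are an assumption, not Scott's actual configuration. The function and variable names are the example's own.

```python
"""Added example: detect PAM fall-through to a leftover winbind backend in
auth logs, and audit PAM/NSS configuration for winbind entries that should
be removed after an AD -> FreeIPA migration."""
import re
from collections import defaultdict

# Syslog-style PAM line as quoted in the thread, e.g.
#   May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): authentication failure; ... user=david
PAM_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+pam:\s+"
    r"(?P<service>[\w-]+)\[(?P<pid>\d+)\]:\s+"
    r"(?P<module>pam_\w+)\([\w-]+:(?P<type>\w+)\):\s+(?P<msg>.*)$"
)
# The user appears as "user=david", "user 'david' granted ..." or "for user david: 17".
USER_RE = re.compile(r"\buser[= ]'?(?P<user>[\w.-]+)")

# Sample input: the gdm-password lines from the thread for the fresh install
# (embassy419) and the migrated box (Embassy426), one log record per string.
SAMPLE_LOG = [
    "May 29 09:20:46 embassy419 pam: gdm-password[2910]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david",
    "May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]",
    "May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david",
    "May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)",
    "May 29 10:44:13 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo",
    "May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo",
    "May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:session): session opened for user foo by (uid=0)",
    "May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]",
    "May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david",
    "May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)",
    "May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): getting password (0x00000010)",
    "May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): user 'david' granted access",
    "May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND",
    "May 29 10:42:10 Embassy426 pam: gdm-password[14145]: pam_unix(gdm-password:session): session opened for user david by (uid=0)",
]

# Constructed config (assumption: typical CentOS 6 layout), not the poster's files.
CONSTRUCTED_CONFIG = {
    "/etc/nsswitch.conf": (
        "passwd:     files sss winbind\n"
        "shadow:     files sss\n"
        "group:      files sss winbind\n"
    ),
    "/etc/pam.d/system-auth": (
        "auth        required      pam_env.so\n"
        "auth        sufficient    pam_unix.so nullok try_first_pass\n"
        "auth        sufficient    pam_sss.so use_first_pass\n"
        "auth        sufficient    pam_winbind.so use_first_pass\n"
        "auth        required      pam_deny.so\n"
        "account     required      pam_unix.so broken_shadow\n"
        "account     [default=bad success=ok user_unknown=ignore] pam_sss.so\n"
        "account     [default=bad success=ok user_unknown=ignore] pam_winbind.so\n"
    ),
}


def parse_pam_line(line):
    """Return a dict for one PAM syslog line, or None for non-PAM lines (polkitd etc.)."""
    m = PAM_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    u = USER_RE.search(rec["msg"])
    rec["user"] = u.group("user") if u else None
    return rec


def find_fallthrough(lines):
    """Group auth-phase events per (host, pid) and report logins where pam_sss
    failed but pam_winbind granted access, i.e. the migrated box still
    authenticating against the old backend."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_pam_line(line)
        if rec and rec["type"] == "auth":
            events[(rec["host"], rec["pid"])].append(rec)
    findings = []
    for (host, pid), recs in events.items():
        failed = [r["module"] for r in recs if "authentication failure" in r["msg"]]
        granted = [r for r in recs
                   if r["module"] == "pam_winbind" and "granted access" in r["msg"]]
        if granted and "pam_sss" in failed:
            findings.append({"host": host, "pid": pid, "user": granted[0]["user"],
                             "failed": failed, "granted_by": "pam_winbind"})
    return findings


def audit_config(files):
    """files: mapping path -> contents. Return (path, line_no, line) for every
    active (non-comment) line that still references winbind."""
    leftovers = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            stripped = line.strip()
            if stripped and not stripped.startswith("#") and "winbind" in stripped:
                leftovers.append((path, no, stripped))
    return leftovers


if __name__ == "__main__":
    for f in find_fallthrough(SAMPLE_LOG):
        print("fall-through to %s on %s pid %s for user %s (failed: %s)"
              % (f["granted_by"], f["host"], f["pid"], f["user"], ", ".join(f["failed"])))
    for path, no, line in audit_config(CONSTRUCTED_CONFIG):
        print("%s:%d: %s" % (path, no, line))
```

On the sample data the detector reports exactly one event, the Embassy426 login for david where pam_sss failed and pam_winbind granted access, and stays silent for the fresh install, where david simply fails and foo succeeds through pam_sss. The config audit lists the four lines Sumit's advice targets, the winbind sources in nsswitch.conf and the pam_winbind.so entries in the auth and account stacks; the fall-through only happens because those lines are still present. Grouping by (host, pid) matters: the modules of one PAM conversation share the gdm-password PID, so that key keeps events from different logins apart.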
