On Thu, Jun 05, 2014 at 03:11:00PM -0700, Scott Allen wrote:
> Found the problem. The users were added by a custom script that didn't
> prompt for passwords. As such, the user's were in IPA and enabled but not
> able to login as they never had a initial password set. So on migrated
> machines it fell through to winbind and somehow found the old AD server.

Great, thank you for the feedback. I would recommend to remove the
winbind entries from PAM and NSS configuration after the migration is
finished.

bye,
Sumit

> 
> 
> On Thu, Jun 5, 2014 at 1:47 PM, Scott Allen <sal...@theembassyvfx.com>
> wrote:
> 
> > Hi,
> > I didn't migrate the passwords. All users started with a new default on
> > IPA.
> > The new user foo doesn't exist on the AD system but can login successfully
> > using IPA credentials on a migrated system.
> >
> >
> > On Fri, May 30, 2014 at 12:35 AM, Sumit Bose <sb...@redhat.com> wrote:
> >
> >> On Thu, May 29, 2014 at 11:20:37AM -0700, Scott Allen wrote:
> >> > Hi,
> >> > Having a particularly weird problem. We have moved from AD to freeIPA
> >> > recently and while there have been some bumps, most of the CentOS 6.2
> >> boxes
> >> > make the transition successfully. Some background.
> >> >
> >> > The Linux boxes were joined to AD on Windows 2008R2 using samba/winbind.
> >> > When we moved from AD, boxes were not "removed" from AD, just disabled
> >> on
> >> > the server side. We scripted the necessary bits since we were moving to
> >> a
> >> > new subnet as well. The script runs "ipa-client-install -p admin
> >> --password
> >> > PASSWORD --enable-dns-updates -U"
> >> >
> >> > The machines were joined successfully to freeIPA and then added to
> >> > allow_all_hosts Host Group.
> >> >
> >> > On a workstation that was migrated, all users can successfully log in.
> >> > On a fresh install of CentOS6.2, only myself (admin_user) and a newly
> >> > created user (foo) can successfully log in.
> >> >
> >> > On this fresh install, 'david' is blocked but new user 'foo' is allowed.
> >> >
> >> > May 29 09:20:29 embassy419 polkitd(authority=local): Registered
> >> > Authentication Agent for session /org/freedesktop/ConsoleKit/Session1
> >> > (system bus name :1.26
> >> [/usr/libexec/polkit-gnome-authentication-agent-1],
> >> > object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
> >> en_US.UTF-8)
> >> > May 29 09:20:46 embassy419 pam: gdm-password[2910]:
> >> > pam_unix(gdm-password:auth): authentication failure; logname= uid=0
> >> euid=0
> >> > tty=:0 ruser= rhost=  user=david
> >> > May 29 09:20:47 embassy419 pam: gdm-password[2910]:
> >> > pam_sss(gdm-password:auth): system info: [Preauthentication failed]
> >> > May 29 09:20:47 embassy419 pam: gdm-password[2910]:
> >> > pam_sss(gdm-password:auth): authentication failure; logname= uid=0
> >> euid=0
> >> > tty=:0 ruser= rhost= user=david
> >> > May 29 09:20:47 embassy419 pam: gdm-password[2910]:
> >> > pam_sss(gdm-password:auth): received for user david: 17 (Failure setting
> >> > user credentials)
> >> > May 29 10:44:06 embassy419 polkitd(authority=local): Registered
> >> > Authentication Agent for session /org/freedesktop/ConsoleKit/Session3
> >> > (system bus name :1.88
> >> [/usr/libexec/polkit-gnome-authentication-agent-1],
> >> > object path /org/gnome/PolicyKit1/AuthenticationAgent, locale
> >> en_US.UTF-8)
> >> > May 29 10:44:13 embassy419 pam: gdm-password[3956]:
> >> > pam_unix(gdm-password:auth): authentication failure; logname= uid=0
> >> euid=0
> >> > tty=:1 ruser= rhost=  user=foo
> >> > May 29 10:44:14 embassy419 pam: gdm-password[3956]:
> >> > pam_sss(gdm-password:auth): authentication success; logname= uid=0
> >> euid=0
> >> > tty=:1 ruser= rhost= user=foo
> >> > May 29 10:44:14 embassy419 pam: gdm-password[3956]:
> >> > pam_unix(gdm-password:session): session opened for user foo by (uid=0)
> >> > May 29 10:44:15 embassy419 polkitd(authority=local): Unregistered
> >> > Authentication Agent for session /org/freedesktop/ConsoleKit/Session3
> >> > (system bus name :1.88, object path
> >> > /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> >> > (disconnected from bus)
> >> >
> >> > But on this machine that was migrated.
> >> > pam: gdm-password[14145]: pam_unix(gdm-password:auth): authentication
> >> > failure; logname= uid=0 euid=0 tty=:1 ruser= rhost=  user=david
> >> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]:
> >> > pam_sss(gdm-password:auth): system info: [Preauthentication failed]
> >> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]:
> >> > pam_sss(gdm-password:auth): authentication failure; logname= uid=0
> >> euid=0
> >> > tty=:1 ruser= rhost= user=david
> >> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]:
> >> > pam_sss(gdm-password:auth): received for user david: 17 (Failure setting
> >> > user credentials)
> >> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]:
> >> > pam_winbind(gdm-password:auth): getting password (0x00000010)
> >> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]:
> >> > pam_winbind(gdm-password:auth): pam_get_item returned a password
> >> > May 29 10:42:09 Embassy426 pam: gdm-password[14145]:
> >> > pam_winbind(gdm-password:auth): user 'david' granted access
> >> > May 29 10:42:09 Embassy426 pam: gdm-password[14145]:
> >> > pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave
> >> > WBC_ERR_DOMAIN_NOT_FOUND
> >> > May 29 10:42:10 Embassy426 pam: gdm-password[14145]:
> >> > pam_unix(gdm-password:session): session opened for user david by (uid=0)
> >>
> >> As Dmitri already said, on the migrated systems winbind is still used
> >> and doing the authentication which is still talking ot AD. But you can
> >> see the same error from pam_sss 'Preauthentication failed' which
> >> typically is an indication that the password is wrong.
> >>
> >> How did you migrate the passwords from AD to IPA?
> >>
> >> bye,
> >> Sumit
> >>
> >> > May 29 10:42:10 Embassy426 polkitd(authority=local): Unregistered
> >> > Authentication Agent for session /org/freedesktop/ConsoleKit/Session3
> >> > (system bus name :1.85, object path
> >> > /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> >> > (disconnected from bus)
> >>
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users@redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>
> >
> >
> >
> > --
> > Scott Allen
> > Head of IT
> > The Embassy Visual Effects Inc.
> > 4th Floor - 177 W 7th Avenue
> > Vancouver, B.C.
> > V5Y 1L8
> > 604.696.6862 ext 241
> >
> 
> 
> 
> -- 
> Scott Allen
> Head of IT
> The Embassy Visual Effects Inc.
> 4th Floor - 177 W 7th Avenue
> Vancouver, B.C.
> V5Y 1L8
> 604.696.6862 ext 241

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to