On 08/20/2014 01:45 PM, alireza baghery wrote:
    Having a particularly weird problem. We have moved from AD (Windows 2008 R2)
    to an IPA server (CentOS 6.5), and I integrated IPA with AD.
    Linux machines are joined to IPA and Windows machines are joined to AD.
    AD users can log in in CLI mode on the Linux system (CentOS 6.5)
    but cannot log in in GUI mode.

Do I get it right:

A user from AD walks to the desktop console of a Linux system joined to IPA, which is in a trust relationship with AD, and GDM produces the following log?

    error message in file /var/log/security
    pam: gdm-password[2685]: pam_unix(gdm-password:auth):
    authentication failure: logname= uid=0 euid=0 tty=:0 ruser= rhost=
    rhost= user=sallea@AD
    pam: gdm-password[2685]: pam_sss(gdm-password:auth):
    user info message: your password will expire in 40 day
    pam: gdm-password[2685]:pam_sss(
    authenticate success:  logname= uid=0 euid=0 tty=:0 ruser= rhost=
    rhost= user=sallea@AD
    pam: gdm-password[2685]:pam_unix (gdm-password:session):
    session opened for user sallea@AD by (uid=0)
    polkitd(authority=local): Unregistered Authentication
    Agent for session /org/freedesktop/ConsoleKit/Session4 (system bus
    name :1.116 , object path /org/gnome/PolcyKit1/AuthenticationAgent,
    local en_US) (disconnected from bus)

    pam: gdm-password[2685]: pam_unix (gdm-password:session):
    session closed for user sallea@AD

    and the content of the file /etc/pam.d/password-auth
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_sss.so use_first_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_sss.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so

    session     require       pam_sss.so
    How do I solve this problem?

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
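The question turns on how the control fields in the quoted password-auth stack combine, and on whether every line in it is something PAM will accept. The following is an added example, not code from this thread, from FreeIPA or from SSSD: a small parser for a pam.d service file that reports control fields that are not valid PAM syntax, plus a walker that applies the dispatch rules of pam.conf(5) (required, requisite, sufficient, optional and the bracketed `[value=action]` form, including numeric jumps) to one management group with assumed module results. The sample stack is constructed to reproduce the auth, account and session groups pasted above, wrapped lines rejoined. Assumptions: `include`/`substack` entries are not expanded, every module the walk reaches must have an assumed result in the `results` table, and the walker refuses to simulate a group that contains an entry the validator rejects rather than guessing what PAM does with it.

```python
"""Added example (not code from the thread, FreeIPA or SSSD): parse a pam.d
service file, flag control fields that are not valid PAM syntax, and walk one
management group with assumed module results to show how control flags combine."""
import re

# Expansion of the simple control keywords, per pam.conf(5).
ALIASES = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
GROUPS = {"auth", "account", "password", "session"}
LINE_RE = re.compile(r"^(-?\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_control(token):
    """Map a control field to {module-return: action}; None if it is not valid PAM syntax."""
    if token in ALIASES:
        return dict(ALIASES[token])
    if token in ("include", "substack"):
        return {"default": "include"}
    if token.startswith("[") and token.endswith("]"):
        pairs = [p.partition("=") for p in token[1:-1].split()]
        if pairs and all(v and sep and a for v, sep, a in pairs):
            return {v: a for v, _, a in pairs}
    return None

def parse_pam_service(text):
    """One dict per non-comment line; lines that do not parse keep module=None."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        group, control, module, args = m.groups() if m else (None, None, None, line)
        entries.append({"line": lineno, "group": group and group.lstrip("-"),  # '-' prefix: quiet if missing
                        "control": control and parse_control(control), "module": module, "args": args})
    return entries

def validate(entries):
    """Lines a PAM parser would reject: bad shape, unknown group, invalid control field."""
    problems = []
    for e in entries:
        if e["module"] is None:
            problems.append(f"line {e['line']}: cannot parse {e['args']!r}")
        elif e["group"] not in GROUPS:
            problems.append(f"line {e['line']}: unknown management group {e['group']!r}")
        elif e["control"] is None:
            problems.append(f"line {e['line']}: invalid control field before {e['module']}")
    return problems

def run_stack(entries, group, results):
    """Walk one management group the way the PAM dispatcher does.  `results` maps each
    module file name to the return value it is assumed to produce ('success',
    'auth_err', 'user_unknown', 'acct_expired', ...); every module the walk reaches
    must be listed.  Returns the stack's final result as a string."""
    stack = [e for e in entries if e["group"] == group]
    if any(e["control"] is None for e in stack):
        raise ValueError(f"{group} stack has an invalid entry; see validate()")
    impression, status, grantor, i = None, None, False, 0   # None: no verdict yet
    while i < len(stack):
        e = stack[i]
        i += 1
        retval = results[e["module"]]
        action = e["control"].get(retval, e["control"].get("default", "bad"))
        if action in ("ignore", "include"):        # include/substack are not expanded here
            continue
        if action == "reset":
            impression, status = None, None
        elif action in ("ok", "done") or action.isdigit():
            # a success counts only while no failure has been recorded
            if impression is None or (impression == "+" and status == "success"):
                if retval != "ignore" or impression is None:
                    impression, status = "+", retval
            if impression == "+":
                if retval == "success":
                    grantor = True
                if action == "done":               # 'sufficient': stop on success
                    break
            if action.isdigit():                   # jump: skip the next N entries
                i += int(action)
        else:                                      # 'bad' or 'die'
            if impression != "-":                  # the first failure is kept
                impression, status = "-", retval
            if action == "die":                    # 'requisite': stop immediately
                break
    if impression == "-" or (impression == "+" and grantor):
        return status
    return "perm_denied"

# Constructed sample: the auth, account and session groups of the password-auth
# stack quoted in the question, with wrapped lines rejoined.
PASSWORD_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     require       pam_sss.so
"""
```

Running `validate(parse_pam_service(PASSWORD_AUTH))` reports the last line of the sample, whose control field `require` is not one of the keywords pam.conf(5) defines, and `run_stack` therefore refuses the session group. For the auth group, giving pam_unix `auth_err`, pam_succeed_if `success` and pam_sss `success` walks the stack to pam_sss, whose `sufficient` control stops it with `success`, which is the path the `pam_sss(gdm-password:auth)` line in the log corresponds to; giving pam_succeed_if `auth_err` instead shows `requisite` ending the stack before pam_sss is consulted.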
