yes right. ipa trust relation with AD and subdomain AD. yes gde produce log


On Wed, Aug 20, 2014 at 5:27 PM, Dmitri Pal <d...@redhat.com> wrote:

>  On 08/20/2014 01:45 PM, alireza baghery wrote:
>
>  hi
>     Having a particularly weird problem. We have moved from AD(windows
> 2008 R2)
>     to ipa server(centos 6.5). and i integrated ipa with AD
>     machine linux joined with ipa and machine windowse joined with AD.
>     users AD  can loggin in cli mode in system linux (centos 6.5)
>     but can not in GUI mod loggin
>
>
>
> Do I get it right:
>
> User from AD walks to a desktop console of the Linux system joined into
> IPA that is in trust relations with AD and the GDE produces the following
> log?
>
>
>      error message in file /var/log/security
>
> ----------------------------------------------------------------------------------
>     pam: gdm-password[2685]: pam_unix(gdm-password:auth):
>     authentication failure: logname= uid=0 euid=0 tty=:0 ruser= rhost=
>     rhost= user=sallea@AD
>     pam: gdm-password[2685]: pam_sss(gdm-password:auth):
>     user info message: your password will expire in 40 day
>     pam: gdm-password[2685]:pam_sss(
> gdm-password:auth):
>     authenticate success:  logname= uid=0 euid=0 tty=:0 ruser= rhost=
>     rhost= user=sallea@AD
>     pam: gdm-password[2685]:pam_unix (gdm-password:session):
>     session opened for user sallea@AD by (uid=0)
>     polkitd(authority=local): Unregistered Authentication
>     Agent for session /org/freedesktop/ConsoleKit/Session4 (system bus
>     name :1.116 , object path /org/gnome/PolcyKit1/AuthenticationAgent,
>
> - Ignored:
>     local en_US) (disconnected from bus)
>
>     pam: gdm-password[2685]: pam_unix (gdm-password:session):
>     session closed for user sallea@AD
>     ------------------------------------------------------
>
>     and context file /etc/pam.d/password-auth
>     -----------------------------------
>     auth        required      pam_env.so
>     auth        sufficient    pam_unix.so nullok try_first_pass
>     auth        requisite     pam_succeed_if.so uid >= 500 quiet
>     auth        sufficient    pam_sss.so use_first_pass
>     auth        required      pam_deny.so
>
>     account     required      pam_unix.so
>     account     sufficient    pam_localuser.so
>     account     sufficient    pam_succeed_if.so uid < 500 quiet
>     account     [default=bad success=ok user_unknown=ignore] pam_sss.so
>     account     required      pam_permit.so
>
>     password    requisite     pam_cracklib.so try_first_pass retry=3 type=
>     password    sufficient    pam_unix.so sha512 shadow nullok
>     try_first_pass use_authtok
>     password    sufficient    pam_sss.so use_authtok
>     password    required      pam_deny.so
>
>     session     optional      pam_keyinit.so revoke
>     session     required      pam_limits.so
>     session     [success=1 default=ignore] pam_succeed_if.so service in
>     crond quiet use_uid
>     session     required      pam_unix.so
>
>     session     require       pam_sss.so
>     --------------------------------------
>     how to solve this problem?
>     thanks
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to