On 08/20/2014 04:29 PM, alireza baghery wrote:
Yes, right: IPA trust relation with AD and subdomain AD. Yes, GDM produces the log.
It seems that you have some custom polkit policy that fails to load. Did
you play with some polkit policies?
On Wed, Aug 20, 2014 at 5:27 PM, Dmitri Pal <d...@redhat.com> wrote:
On 08/20/2014 01:45 PM, alireza baghery wrote:
Hi,
Having a particularly weird problem. We have moved from AD (Windows 2008 R2)
to an IPA server (CentOS 6.5), and I integrated IPA with AD.
Linux machines are joined to IPA and Windows machines are joined to AD.
AD users can log in in CLI mode on the Linux system (CentOS 6.5),
but they cannot log in in GUI mode.
Do I get it right: a user from AD walks to a desktop console of the Linux
system joined into IPA, which is in a trust relationship with AD, and GDM
produces the following log?
Error message in file /var/log/security:
----------------------------------------------------------------------------------
pam: gdm-password[2685]: pam_unix(gdm-password:auth): authentication failure: logname= uid=0 euid=0 tty=:0 ruser= rhost= user=sallea@AD
pam: gdm-password[2685]: pam_sss(gdm-password:auth): user info message: your password will expire in 40 day
pam: gdm-password[2685]: pam_sss(gdm-password:auth): authenticate success: logname= uid=0 euid=0 tty=:0 ruser= rhost= user=sallea@AD
pam: gdm-password[2685]: pam_unix(gdm-password:session): session opened for user sallea@AD by (uid=0)
polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session4 (system bus name :1.116 , object path /org/gnome/PolcyKit1/AuthenticationAgent, - Ignored: local en_US) (disconnected from bus)
pam: gdm-password[2685]: pam_unix(gdm-password:session): session closed for user sallea@AD
------------------------------------------------------
and the contents of /etc/pam.d/password-auth:
-----------------------------------
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session require pam_sss.so
--------------------------------------
How do I solve this problem?
Thanks.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
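As an added illustration of how the password-auth stack quoted in this thread is evaluated (example code written for this thread, not code from Linux-PAM, SSSD or FreeIPA), the Python below walks the auth and session groups of that file with constructed per-module return values and lints the control keywords. The AD_USER scenario reproduces the sequence the log shows: pam_unix fails for sallea@AD, the requisite pam_succeed_if line passes (uid >= 500), and the sufficient pam_sss line ends the stack with success, matching the "authenticate success" line in the log; a second scenario shows a system account being refused by the requisite line before pam_sss is ever asked, and a third shows the success=1 jump skipping pam_unix for crond sessions. The linter reports the last session line, because `require` is not a control keyword Linux-PAM accepts (the accepted forms are required, requisite, sufficient, optional, and a bracketed [value=action ...] table; this toy does not implement include or substack); whether that is a transcription slip or what is on disk, the thread does not say. The module return values in the scenarios are assumptions made for the simulation.

```python
"""Toy evaluator for a Linux-PAM module stack, plus a control-keyword linter.
Added example for this thread; not code from Linux-PAM, SSSD or FreeIPA."""
import re

VALID_ACTIONS = ("ok", "bad", "die", "done", "ignore", "reset")
# Shorthand controls as the action tables pam.conf(5) defines them.
SHORTHAND = {"required":   {"success": "ok",   "default": "bad"},
             "requisite":  {"success": "ok",   "default": "die"},
             "sufficient": {"success": "done", "default": "ignore"},
             "optional":   {"success": "ok",   "default": "ignore"}}

# auth and session groups of /etc/pam.d/password-auth as quoted in the thread.
PASSWORD_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session require pam_sss.so
"""

def parse_control(token):
    """Action table for one control token, or None when the token is invalid."""
    if token in SHORTHAND:
        return dict(SHORTHAND[token])
    m = re.fullmatch(r"\[(.*)\]", token)
    if not m:
        return None
    table = {}
    for pair in m.group(1).split():
        value, sep, action = pair.partition("=")
        if not sep or (action not in VALID_ACTIONS and not action.isdigit()):
            return None
        table[value] = int(action) if action.isdigit() else action
    table.setdefault("default", "bad")  # pam.conf(5): unlisted values act as "bad"
    return table

def parse_config(text):
    """Parse pam.d text into entries plus the lines an admin should fix."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if len(tokens) > 1 and tokens[1].startswith("["):  # re-join "[a=b c=d]"
            end = next((i for i, t in enumerate(tokens) if t.endswith("]")), None)
            if end is not None:
                tokens[1:end + 1] = [" ".join(tokens[1:end + 1])]
        control = parse_control(tokens[1]) if len(tokens) > 2 else None
        if tokens[0] not in ("auth", "account", "password", "session") or control is None:
            problems.append(f"line {lineno}: {raw.strip()!r} is not '<type> <control> <module>'")
            continue
        entries.append({"type": tokens[0], "control": control, "module": tokens[2]})
    return entries, problems

def evaluate(entries, mtype, outcomes):
    """Walk one group as Linux-PAM does (simplified); outcomes: module -> return value."""
    stack = [e for e in entries if e["type"] == mtype]
    impression, status, trace, i = None, None, [], 0
    while i < len(stack):
        entry = stack[i]
        ret = outcomes[entry["module"]]
        action = entry["control"].get(ret, entry["control"]["default"])
        trace.append((entry["module"], ret, action))
        if action == "die":                                  # requisite failed
            return ret, trace
        if action == "done" and impression != "negative":    # sufficient passed
            return ret, trace
        if action == "reset":
            impression = status = None
        elif action in ("ok", "bad") and impression != "negative":
            impression, status = ("positive" if action == "ok" else "negative"), ret
        elif isinstance(action, int):                        # success=N jump
            if impression != "negative":
                impression, status = "positive", ret
            i += action
        i += 1
    return (status if impression else "perm_denied"), trace

# Constructed module results. AD_USER mirrors the thread's log for sallea@AD:
# pam_unix knows no local password, pam_sss authenticates via the trust.
AD_USER = {"pam_env.so": "success", "pam_unix.so": "auth_err",
           "pam_succeed_if.so": "success", "pam_sss.so": "success",
           "pam_deny.so": "perm_denied"}
# System account (uid < 500) with a wrong password: requisite ends the stack.
SYSTEM_ACCOUNT = dict(AD_USER, **{"pam_succeed_if.so": "auth_err"})
# Session group for a crond job: success=1 skips the pam_unix.so line.
CROND_SESSION = {"pam_keyinit.so": "success", "pam_limits.so": "success",
                 "pam_succeed_if.so": "success", "pam_unix.so": "success"}

if __name__ == "__main__":
    entries, problems = parse_config(PASSWORD_AUTH)
    for name, mtype, outcomes in (("AD user", "auth", AD_USER),
            ("system account", "auth", SYSTEM_ACCOUNT), ("crond", "session", CROND_SESSION)):
        print(name, mtype, *evaluate(entries, mtype, outcomes))
    print(*problems, sep="\n")
```

Running it prints, for each scenario, the final result and the (module, return value, action) trace of which lines were actually consulted, followed by the lint findings. The same evaluate() call can be pointed at the account or password groups once their lines and per-module outcomes are supplied.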