On 08/20/2014 04:29 PM, alireza baghery wrote:
    Yes, right. IPA trust relation with AD and subdomain AD. Yes, GDE produces the log.

It seems that you have some custom polkit policy that fails to load. Did you play with some polkit policies?



On Wed, Aug 20, 2014 at 5:27 PM, Dmitri Pal <d...@redhat.com <mailto:d...@redhat.com>> wrote:

    On 08/20/2014 01:45 PM, alireza baghery wrote:
        Hi,
        Having a particularly weird problem. We have moved from AD (Windows 2008 R2) to an IPA server (CentOS 6.5), and I integrated IPA with AD. The Linux machine is joined to IPA and the Windows machine is joined to AD.
        AD users can log in in CLI mode on the Linux system (CentOS 6.5), but cannot log in in GUI mode.


    Do I get it right:

    A user from AD walks to a desktop console of the Linux system joined into IPA, which is in a trust relationship with AD, and the GDE produces the following log?


        Error message in file /var/log/security:
        ----------------------------------------------------------------------------------
        pam: gdm-password[2685]: pam_unix(gdm-password:auth): authentication failure: logname= uid=0 euid=0 tty=:0 ruser= rhost= user=sallea@AD
        pam: gdm-password[2685]: pam_sss(gdm-password:auth): user info message: your password will expire in 40 day
        pam: gdm-password[2685]: pam_sss(gdm-password:auth): authenticate success: logname= uid=0 euid=0 tty=:0 ruser= rhost= user=sallea@AD
        pam: gdm-password[2685]: pam_unix(gdm-password:session): session opened for user sallea@AD by (uid=0)
        polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session4 (system bus name :1.116, object path /org/gnome/PolcyKit1/AuthenticationAgent, local en_US) (disconnected from bus)
        pam: gdm-password[2685]: pam_unix(gdm-password:session): session closed for user sallea@AD
        ------------------------------------------------------

        And the contents of the file /etc/pam.d/password-auth:
        -----------------------------------
        auth        required      pam_env.so
        auth        sufficient    pam_unix.so nullok try_first_pass
        auth        requisite     pam_succeed_if.so uid >= 500 quiet
        auth        sufficient    pam_sss.so use_first_pass
        auth        required      pam_deny.so

        account     required      pam_unix.so
        account     sufficient    pam_localuser.so
        account     sufficient    pam_succeed_if.so uid < 500 quiet
        account     [default=bad success=ok user_unknown=ignore] pam_sss.so
        account     required      pam_permit.so

        password    requisite     pam_cracklib.so try_first_pass retry=3 type=
        password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
        password    sufficient    pam_sss.so use_authtok
        password    required      pam_deny.so

        session     optional      pam_keyinit.so revoke
        session     required      pam_limits.so
        session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
        session     required      pam_unix.so

        session     require       pam_sss.so
        --------------------------------------
        How to solve this problem?
        Thanks




    --
    Thank you,
    Dmitri Pal

    Sr. Engineering Manager IdM portfolio
    Red Hat, Inc.


    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go To http://freeipa.org for more info on the project
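As an added example (not from the thread or from any of its participants), here is a small Python linter that parses a PAM stack such as the posted /etc/pam.d/password-auth and reports entries whose control field is not valid pam.conf(5) syntax; the embedded config is a constructed copy of the posted stack with the mail wrapping rejoined, and the checker is mine. Run over that copy it flags the last `session require pam_sss.so` line, because `require` is not one of the control keywords PAM accepts, which is the kind of typo worth ruling out before digging into polkit.

```python
import re

# Control keywords accepted by pam.conf(5); the bracketed [value=action ...]
# form is validated separately below.
VALID_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
ENTRY_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+.*)?$")

# Constructed copy of the /etc/pam.d/password-auth stack posted in the thread,
# with the mail-client line wraps joined back together.
PASSWORD_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     require       pam_sss.so
"""


def lint_pam_stack(text):
    """Return (line_no, message) pairs for entries that are not valid pam.conf(5) syntax."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            problems.append((no, "unparseable entry: %r" % line))
            continue
        _ptype, control, module = m.groups()
        if control.startswith("["):
            # Every token inside the brackets must be a value=action pair.
            if any("=" not in tok for tok in control[1:-1].split()):
                problems.append((no, "malformed bracket control %r" % control))
        elif control not in VALID_CONTROLS:
            problems.append((no, "invalid control %r for %s" % (control, module)))
    return problems
```

Point it at a real file with `lint_pam_stack(open("/etc/pam.d/password-auth").read())`; an empty list means every entry parses.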