On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuch...@gmail.com wrote:
> Hello,
>
> I have attached the requested files.

The logs indicate that access was granted by SSSD and that gdm even
called pam_open_session. Did gdm login work with the 'allow all' rule?
Are there any other hints in the system or gdm logs why gdm might have
failed?

bye,
Sumit

>
> Thanks in advance!
>
> On 10-May-17 9:42 PM, Sumit Bose wrote:
> > On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuch...@gmail.com
> > wrote:
> >> Hello everyone,
> >>
> >> I set up my freeIPA instance and it works very well for my client
> >> computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
> >> freeIPA managed user account.
> >>
> >> My own HBAC rule also works for that. I disabled the "allow all" rule
> >> and created my own one. Works fine for SSH.
> >>
> >> But I cannot login to the GNOME 3 Desktop on the client. I used the
> >> netinstall ISO image of Ubuntu. During installation, I have chosen
> >> "Ubuntu GNOME Desktop" as the only desktop.
> >>
> >> So my display manager is gdm3.
> >>
> >> I added the "gdm" and "gdm-password" services to my HBAC rule. To be on
> >> the safe side, I rebooted the client machine. But I still can't login to
> >> the GNOME Desktop with an account that can login via SSH.
> >>
> >> So the services in my rule are
> >>
> >> login, gdm, gdm-password
> >>
> >> If you need any logs or other information, I will provide them.
> > Please send sssd_pam.log and sssd_domain.name.log with debug_level=10 in
> > the [pam] and [domain/...] section of sssd.conf.
> >
> > bye,
> > Sumit
> >
> >>
> >> Thanks in advance!
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go to http://freeipa.org for more info on the project