I decided to reduce complexity and remove ldap from the equation, since it wasn't really utilized. I then updated the nsswitch.conf and pam.d confs accordingly.
Now, I have a single client machine (VM) that works as intended using gdm GUI login. Strangely enough, I cannot make other clients work, not even running the very same VM under another host. AFAIU, it's the authorization through gdm that doesn't work. Logging in as a local user + kinit;aklog works fine.

In the client that's successful, auth.log:

Oct 2 12:21:51 hostname gdm-session-worker[1208]: pam_succeed_if(gdm:auth): requirement "user ingroup nopasswdlogin" not met by user "username"
Oct 2 12:21:55 hostname gdm-session-worker[1208]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=username
Oct 2 12:21:55 hostname gdm-session-worker[1208]: pam_krb5(gdm:auth): user username authenticated as [email protected]
Oct 2 12:21:55 hostname gdm-session-worker[1208]: pam_unix(gdm:session): session opened for user username by (uid=0)

Other clients pass authentication, but not authorization through gdm, and the login screen is returned. /gdm/:0-slave.log.1:

gdm-session-worker[1135]: pam_succeed_if(gdm:auth): requirement "user ingroup nopasswdlogin" not met by user "username"
gdm-session-worker[1135]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=username
gdm-session-worker[1135]: pam_krb5(gdm:auth): user username authenticated as [email protected]
gdm-session-worker[1135]: pam_unix(gdm:session): session opened for user username by (uid=0)
gdm-simple-slave[749]: WARNING: Failed to add user authorization: could not find user "username" on system
** ERROR:gdm-simple-slave.c:397:start_session_timeout: assertion failed: (auth_file != NULL)

The working client machine is much faster than the others, so it can be a timeout issue, but then again, I never had that issue in the old-domain setup. The rejection happens in just about 1-2 seconds. Any ideas what could be the cause and how to fix it?
br, jukka
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
