On the day of the Lord, Mon, 23 Mar 2026 18:19:28 +0300,
Gleb Popov <[email protected]> wrote:

> On Mon, Mar 23, 2026 at 1:13 AM A FreeBSD User <[email protected]> wrote:
> >
> > Using pam_sss.so as described initially in /etc/pam.d/xdm:
> >
> > ohartmann@host [ohartmann]: pamtester xdm ohartmann authenticate
> > Password:
> > pamtester: successfully authenticated
> >
> > ohartmann@host [ohartmann]: pamtester xdm ohartmann acct_mgmt
> > pamtester: account management done.
> >
> > ohartmann@host [ohartmann]: pamtester xdm ohartmann open_session
> > Can't mkdir /var/run/xdg/pamtester: Session failure  
> 
> Re-run these checks as root, because this is how xdm runs PAM, if I
> understand it correctly.
> 

I did.
With nslcd disabled and sssd as LDAP connector enabled

root@host:~ # pamtester xdm ohartmann authenticate acct_mgmt open_session close_session
Password:
pamtester: successfully authenticated
pamtester: account management done.
pamtester: sucessfully opened a session
pamtester: session has successfully been closed.

In /usr/local/etc/sssd/sssd.conf I also tried to enable "debug_level = 6" - I
never see in ANY log file residing in /var/log more than
(grep -r sssd /var/log):
[...]
/var/log/sssd/sssd.log:Mar 25 09:59:22 <3.6> host sssd[6040]: Starting up
/var/log/sssd/sssd.log:Mar 25 09:59:22 <3.6> host sssd_be[6041]: Starting up
/var/log/sssd/sssd.log:Mar 25 09:59:23 <3.6> host sssd_nss[6042]: Starting up
/var/log/sssd/sssd.log:Mar 25 09:59:23 <3.6> host sssd_pam[6043]: Starting up

and as stated above, /var/log/auth
Mar 25 11:47:49 <10.5> host xdm[6906]: LOGIN FAILURE ON :0, ohartmann

Grepping for "xdm" doesn't show anything useful, either.

Earlier, with LDAP object shadowAccount as part of any user object provided by
OpenLDAP with shadowXX attributes (even correctly set!) nslcd(!) reported via
/var/log/auth.log and xdm:
[...]
/var/log/auth.log:Mar 22 14:20:24 <10.5> host xdm[7504]: Password expired 19075 days ago, account locked 19061 days ago; user=ohartmann; err=Password has expired

while running sssd didn't. Login was always possible, by the way (console
login/ssh).

That is only a small subset of useful or less useful (or stupid) permutations
of config combinations. I'm out of ideas and tend to consider the combination
security/sssd2 and x11/xdm as non-working.

Kind regards

Oliver


-- 

A FreeBSD user
