[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications
On Mon, Jan 15, 2018 at 09:12:01AM +0100, Johan Vermeulen wrote:
> Jakub,
>
> it could be that lightdm now only display EM. But on Centos7.3 everything
> worked.
> I tested further and with the same setup but with GDM this works. I get
> passwd expired and other messages.
>
> Before posting on this mailing list I posted on Lightdm mailing list but
> got no response.
> Does anybody know how to get hold of these guys?

No, sorry, have you considered filing a bug at https://launchpad.net/lightdm ?

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications
Jakub,

it could be that lightdm now only display EM. But on Centos7.3 everything worked.
I tested further and with the same setup but with GDM this works. I get passwd expired and other messages.

Before posting on this mailing list I posted on Lightdm mailing list but got no response.
Does anybody know how to get hold of these guys?

Greetings, J.

2018-01-09 19:40 GMT+01:00 Jakub Hrozek:
> On Tue, Jan 09, 2018 at 12:48:39PM +0100, Johan Vermeulen wrote:
> > Hello Jakub,
> >
> > thanks for helping me out.
> >
> > It works in the console. when an expired user logs in via ctl-alt-f he
> > gets all the warnings.
>
> OK, then the warnings are even passed to lightdm..
>
> Is there any chance lightdm doesn't display all PAM messages but only
> those with errors?
[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications
On Tue, Jan 09, 2018 at 12:48:39PM +0100, Johan Vermeulen wrote:
> Hello Jakub,
>
> thanks for helping me out.
>
> It works in the console. when an expired user logs in via ctl-alt-f he
> gets all the warnings.

OK, then the warnings are even passed to lightdm..

Is there any chance lightdm doesn't display all PAM messages but only those with errors?
[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications
Hello Jakub,

thanks for helping me out.

It works in the console. when an expired user logs in via ctl-alt-f he gets all the warnings.
I will try to increase pam verbosity and report back.

Greetings, J.

2018-01-08 14:59 GMT+01:00 Jakub Hrozek:
> On Mon, Jan 08, 2018 at 11:27:47AM +0100, Johan Vermeulen wrote:
> > Hello All,
> >
> > I've set up a new machine for this test and increased the log levels to 6.
> > Config for Freeipa-client is done with ipa-client-install, I use chrony
> > instead of ntp and Selinux is enabled.
> >
> > When user logs in /var/log/secure indicates:
> >
> > [root@node1 ~]# tail -f /var/log/secure
> > Jan 5 09:27:17 node1 lightdm: pam_sss(lightdm:auth): received for user jvanvlasselaer: 7 (Authentication failure)
> > Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jvanvlasselaer
> > Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): received for user jvanvlasselaer: 12 (Authentication token is no longer valid; new one required)
> > Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:account): User info message: Password expired. Change your password now.
> > Jan 5 09:27:29 node1 lightdm: pam_unix(lightdm:chauthtok): user "jvanvlasselaer" does not exist in /etc/passwd
> >
> > But the lightdm gui screen indicates nothing.
> >
> > (Fri Jan 5 09:27:29 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [12 (Authenticatietoken is niet langer geldig; nieuwe is vereist)][network.cawdekempen.be]
> > (Fri Jan 5 09:27:29 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [12]: Authenticatietoken is niet langer geldig; nieuwe is vereist.
> > (Fri Jan 5 09:27:29 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
> > (Fri Jan 5 09:27:29 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 39
>
> Here I at least see that the message did reach the sssd_pam process and I
> don't see anything that would indicate that the message was filtered out
> (OTOH, the debugging is not stellar in this area of code..)
>
> I've never used lightdm, did you maybe test with some other login
> method, like login to the console or su from another non-root user?
>
> Does it help to increase pam_verbosity in the [pam] section (see man
> sssd.conf for a description) ?
[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications
On Mon, Jan 08, 2018 at 11:27:47AM +0100, Johan Vermeulen wrote:
> Hello All,
>
> I've set up a new machine for this test and increased the log levels to 6.
> Config for Freeipa-client is done with ipa-client-install, I use chrony
> instead of ntp and Selinux is enabled.
>
> When user logs in /var/log/secure indicates:
>
> [root@node1 ~]# tail -f /var/log/secure
> Jan 5 09:27:17 node1 lightdm: pam_sss(lightdm:auth): received for user jvanvlasselaer: 7 (Authentication failure)
> Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jvanvlasselaer
> Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): received for user jvanvlasselaer: 12 (Authentication token is no longer valid; new one required)
> Jan 5 09:27:29 node1 lightdm: pam_sss(lightdm:account): User info message: Password expired. Change your password now.
> Jan 5 09:27:29 node1 lightdm: pam_unix(lightdm:chauthtok): user "jvanvlasselaer" does not exist in /etc/passwd
>
> But the lightdm gui screen indicates nothing.
>
> (Fri Jan 5 09:27:29 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [12 (Authenticatietoken is niet langer geldig; nieuwe is vereist)][network.cawdekempen.be]
> (Fri Jan 5 09:27:29 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [12]: Authenticatietoken is niet langer geldig; nieuwe is vereist.
> (Fri Jan 5 09:27:29 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
> (Fri Jan 5 09:27:29 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 39

Here I at least see that the message did reach the sssd_pam process and I don't see anything that would indicate that the message was filtered out (OTOH, the debugging is not stellar in this area of code..)

I've never used lightdm, did you maybe test with some other login method, like login to the console or su from another non-root user?

Does it help to increase pam_verbosity in the [pam] section (see man sssd.conf for a description) ?
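
Added example, not part of the original thread and not SSSD or lightdm code: a Python script that does the check made by eye in the message above, pairing each PAM status 12 (password expired) logged by pam_sss with the "User info message" lines logged for the same PAM service. It assumes the /var/log/secure line format quoted in the thread; the sample input, the user names and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the /var/log/secure lines quoted in the thread.
# User names and the sshd entry are made up for this example.
SAMPLE_LOG = """\
Jan  5 09:27:17 node1 lightdm: pam_sss(lightdm:auth): received for user alice: 7 (Authentication failure)
Jan  5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=alice
Jan  5 09:27:29 node1 lightdm: pam_sss(lightdm:auth): received for user alice: 12 (Authentication token is no longer valid; new one required)
Jan  5 09:27:29 node1 lightdm: pam_sss(lightdm:account): User info message: Password expired. Change your password now.
Jan  5 09:31:02 node1 sshd[2211]: pam_sss(sshd:auth): received for user bob: 12 (Authentication token is no longer valid; new one required)
"""

PAM_NEW_AUTHTOK_REQD = 12  # the status shown as "12 (...)" in the quoted logs

# "<date> <host> <process>[pid]: pam_sss(<service>:<phase>): <message>"
LINE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s[^:\[\s]+(?:\[\d+\])?:\s"
    r"pam_sss\((?P<service>[^:)]+):(?P<phase>\w+)\):\s(?P<msg>.*)$"
)
STATUS = re.compile(r"^received for user (?P<user>\S+): (?P<code>\d+) \(")
USER_MSG = re.compile(r"^User (?P<style>info|error) message: (?P<text>.*)$")


def expiry_report(log_text):
    """Map (service, user) -> user-facing messages pam_sss logged, for every
    login attempt that ended with status 12 (password expired)."""
    report = {}
    last_expired = {}  # (host, service) -> user whose status 12 was seen last
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a pam_sss line (pam_unix, sshd itself, ...)
        key = (m["host"], m["service"])
        status = STATUS.match(m["msg"])
        if status:
            if int(status["code"]) == PAM_NEW_AUTHTOK_REQD:
                last_expired[key] = status["user"]
                report.setdefault((m["service"], status["user"]), [])
            else:
                # a different result starts a new attempt for this service
                last_expired.pop(key, None)
            continue
        note = USER_MSG.match(m["msg"])
        if note and key in last_expired:
            # the message line carries no user name, so attach it to the
            # most recent expired login seen for the same host and service
            owner = (m["service"], last_expired[key])
            report[owner].append((note["style"], note["text"]))
    return report


def silent_expiries(report):
    """Expired logins for which pam_sss logged no user-facing message."""
    return sorted(k for k, msgs in report.items() if not msgs)


if __name__ == "__main__":
    result = expiry_report(SAMPLE_LOG)
    for (service, user), msgs in sorted(result.items()):
        print(service, user, msgs or "no user message logged")
```

An expired login that shows a user message for the lightdm service while the greeter displays nothing is the case discussed in this thread; an entry returned by silent_expiries() would instead point at the SSSD side.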
[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications
On Thu, Jan 04, 2018 at 11:30:22AM +0100, Johan Vermeulen via FreeIPA-users wrote:
> Hello,
>
> apologies for the late reply, due to the holidays.
>
> I had a call from a user this morning, she had to do multiple login
> attempts and reboot several times before she could login.
>
> Trying to follow
> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
>
> I assume the general setup works, as troubles only show up when password
> expires.
> On the users laptop:
>
> [root@lremijsen ~]# systemctl status sssd
> ● sssd.service - System Security Services Daemon
>    Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
>   Drop-In: /etc/systemd/system/sssd.service.d
>            └─journal.conf
>    Active: active (running) since do 2018-01-04 08:42:01 CET; 2h 35min ago
>   Process: 730 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
>  Main PID: 757 (sssd)
>    CGroup: /system.slice/sssd.service
>            ├─757 /usr/sbin/sssd -D -f
>            ├─767 /usr/libexec/sssd/sssd_be --domain network.cawdekempen.be --uid 0 --gid 0 --debug-to-files
>            ├─774 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
>            ├─775 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
>            ├─776 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
>            ├─777 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
>            └─778 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
>
> jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
> jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 2
> jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
> jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
> jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
> jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 2
> jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
> jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
> jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
> jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 2
>
> In /var/log/secure there is always a clear message that the password is
> expired:
>
> Jan 4 10:06:13 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication failure; logname= uid=382900705 euid=382900705 tty=:0.0 ruser= rhost= user=lremijsen
> Jan 4 10:06:13 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:auth): received for user lremijsen: 12 (Authenticatietoken is niet langer geldig; nieuwe is vereist)
> Jan 4 10:06:14 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:account): User info message: Wachtwoord verlopen. Verander nu uw wachtwoord.
>
> sssd_pam.log only shows:
>
> (Tue Jan 2 13:05:46 2018) [sssd[pam]] [orderly_shutdown] (0x0010): SIGTERM: killing children
>
> sssd_network.cawdekempen.be.log only shows:
>
> (Tue Jan 2 13:05:46 2018) [sssd[be[network.cawdekempen.be]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
>
> I suppose I have to increase the log levels?

Yes, by default, SSSD doesn't log much. I think you would need especially the pam and domain service debug logs.
[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications
Hello,

apologies for the late reply, due to the holidays.

I had a call from a user this morning, she had to do multiple login attempts and reboot several times before she could login.

Trying to follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

I assume the general setup works, as troubles only show up when password expires.
On the users laptop:

[root@lremijsen ~]# systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since do 2018-01-04 08:42:01 CET; 2h 35min ago
  Process: 730 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
 Main PID: 757 (sssd)
   CGroup: /system.slice/sssd.service
           ├─757 /usr/sbin/sssd -D -f
           ├─767 /usr/libexec/sssd/sssd_be --domain network.cawdekempen.be --uid 0 --gid 0 --debug-to-files
           ├─774 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           ├─775 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
           ├─776 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
           ├─777 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
           └─778 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files

jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 10:37:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 2
jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 10:52:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 10:52:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 2
jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 11:07:45 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 1
jan 04 11:07:46 lremijsen.network.cawdekempen.be sssd_be[767]: GSSAPI client step 2

In /var/log/secure there is always a clear message that the password is expired:

Jan 4 10:06:13 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication failure; logname= uid=382900705 euid=382900705 tty=:0.0 ruser= rhost= user=lremijsen
Jan 4 10:06:13 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:auth): received for user lremijsen: 12 (Authenticatietoken is niet langer geldig; nieuwe is vereist)
Jan 4 10:06:14 lremijsen mate-screensaver-dialog: pam_sss(mate-screensaver:account): User info message: Wachtwoord verlopen. Verander nu uw wachtwoord.

sssd_pam.log only shows:

(Tue Jan 2 13:05:46 2018) [sssd[pam]] [orderly_shutdown] (0x0010): SIGTERM: killing children

sssd_network.cawdekempen.be.log only shows:

(Tue Jan 2 13:05:46 2018) [sssd[be[network.cawdekempen.be]]] [orderly_shutdown] (0x0010): SIGTERM: killing children

I suppose I have to increase the log levels?

Many many thanks for the help!

greetings, J.

2017-12-21 22:01 GMT+01:00 Jakub Hrozek via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:
> This sounds like a bug, could you follow
> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html, gather logs
> from the pam and domain sections and post them here? If the password is
> expired, then pam_sss should send a message to the login manager which the
> login manager should display.
>
> The logs would at least show if the daemon is sending the message to
> pam_sss…
>
> > On 21 Dec 2017, at 09:39, Johan Vermeulen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> >
> > Hello All,
> >
> > We run some 200 Centos7/Mate laptops, since last year they authenticate
> > against freeipa.
> > Lightdm/Mate are installed using epel repo.
> >
> > On Centos7.3/Lightdm 1.10.6-4.el7 things were all right, when a password
> > expired, users would get the passwd expired field, the "new password"
> > field and warnings if they made a mistake.
> > Since upgrading to Centos7.4/Lightdm 1.25.0-1.el7 things go terribly
> > wrong. Users very often get no warning if a password expired, just an
> > authentication failure.
> > Or they get no message at all.
> >
> > If at that point you go to tty and log in you do get the warnings on
> > the command line.
> > The log files /var/log/secure also give clear password expired messages,
> > only the user sees nothing.
> >
> > This is a big problem because users cannot login and cannot work without
> > interventions.
> >
> > Many thanks for any help.
> >
> > Greetings, J.
[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications
Upgrading from 7.3 to 7.4 caused inability to login to gnome environment for me and I made fresh install all workstations of Centos/RHEL/Oracle Linux manually.

Anvar Kuchkartaev
an...@aegisnet.eu

Original Message
From: Stephen Berg (Contractor, Code 7320) via FreeIPA-users
Sent: Thursday, 21 December 2017 11:58
To: freeipa-users@lists.fedorahosted.org
Reply To: FreeIPA users list
Cc: Stephen Berg (Contractor, Code 7320)
Subject: [Freeipa-users] Re: Centos7.4: users not seeing password expired notifications

On 12/21/2017 02:39 AM, Johan Vermeulen via FreeIPA-users wrote:
> Hello All,
>
> We run some 200 Centos7/Mate laptops, since last year they authenticate
> against freeipa.
> Lightdm/Mate are installed using epel repo.
>
> On Centos7.3/Lightdm 1.10.6-4.el7 things were all right, when a password
> expired, users would get the passwd expired field, the "new password" field
> and warnings if they made a mistake.
> Since upgrading to Centos7.4/Lightdm 1.25.0-1.el7 things go terribly wrong.
> Users very often get no warning if a password expired, just an
> authentication failure.
> Or they get no message at all.
>
> If at that point you go to tty and log in you do get the warnings on
> the command line.
> The log files /var/log/secure also give clear password expired messages,
> only the user sees nothing.
>
> This is a big problem because users cannot login and cannot work without
> interventions.
>
> Many thanks for any help.
>
> Greetings, J.

If there's a solution for 7.4 using GDM and Gnome or KDE I'd be really interested. The lack of password expire warnings has caused a few annoyances for us as well.

--
*Stephen Berg*
Systems Administrator
NRL Code: 7320
Office: 228-688-5738
stephen.berg@nrlssc.navy.mil
[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications
This sounds like a bug, could you follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html, gather logs from the pam and domain sections and post them here? If the password is expired, then pam_sss should send a message to the login manager which the login manager should display.

The logs would at least show if the daemon is sending the message to pam_sss…

> On 21 Dec 2017, at 09:39, Johan Vermeulen via FreeIPA-users wrote:
>
> Hello All,
>
> We run some 200 Centos7/Mate laptops, since last year they authenticate
> against freeipa.
> Lightdm/Mate are installed using epel repo.
>
> On Centos7.3/Lightdm 1.10.6-4.el7 things were all right, when a password
> expired, users would get the passwd expired field, the "new password" field
> and warnings if they made a mistake.
> Since upgrading to Centos7.4/Lightdm 1.25.0-1.el7 things go terribly wrong.
> Users very often get no warning if a password expired, just an authentication
> failure.
> Or they get no message at all.
>
> If at that point you go to tty and log in you do get the warnings on the
> command line.
> The log files /var/log/secure also give clear password expired messages, only
> the user sees nothing.
>
> This is a big problem because users cannot login and cannot work without
> interventions.
>
> Many thanks for any help.
>
> Greetings, J.
[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications
On 12/21/2017 02:39 AM, Johan Vermeulen via FreeIPA-users wrote:
> Hello All,
>
> We run some 200 Centos7/Mate laptops, since last year they authenticate
> against freeipa.
> Lightdm/Mate are installed using epel repo.
>
> On Centos7.3/Lightdm 1.10.6-4.el7 things were all right, when a password
> expired, users would get the passwd expired field, the "new password" field
> and warnings if they made a mistake.
> Since upgrading to Centos7.4/Lightdm 1.25.0-1.el7 things go terribly wrong.
> Users very often get no warning if a password expired, just an
> authentication failure.
> Or they get no message at all.
>
> If at that point you go to tty and log in you do get the warnings on
> the command line.
> The log files /var/log/secure also give clear password expired messages,
> only the user sees nothing.
>
> This is a big problem because users cannot login and cannot work without
> interventions.
>
> Many thanks for any help.
>
> Greetings, J.

If there's a solution for 7.4 using GDM and Gnome or KDE I'd be really interested. The lack of password expire warnings has caused a few annoyances for us as well.

--
*Stephen Berg*
Systems Administrator
NRL Code: 7320
Office: 228-688-5738
stephen.berg@nrlssc.navy.mil