Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-12 Thread tuxderlinuxfuch...@gmail.com
It worked with pam_mkhomedir. So I don't see anything left to do at the
moment


On 12-May-17 12:52 PM, Sumit Bose wrote:
> On Fri, May 12, 2017 at 12:11:28PM +0200, tuxderlinuxfuch...@gmail.com wrote:
>> The directory didn't exist
> Then I guess that the process doesn't have the needed permissions during
> the session phase anymore. Please try to replace pam_mkhomedir by
> pam_oddjob_mkhomedir. This will try to create the directory via oddjobd
> which runs with higher privileges.
>
> HTH
>
> bye,
> Sumit
>
>>
>> On 12-May-17 11:48 AM, Sumit Bose wrote:
>>> On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuch...@gmail.com wrote:
>>>> Thanks!
>>>>
>>>> I followed this manual:
>>>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
>>>>
>>>> added the line
>>>>
>>>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>>>>
>>>> to the file /etc/pam.d/common-session (find attached)
>>>>
>>>>
>>> Have you checked if /home/vmuser1 exists and has the right permissions
>>> so that the user can create files in the directory?
>>>
>>> bye,
>>> Sumit
>>>
>> -- 
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project


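An added example, not part of the original thread: a shell check of the two things discussed above, namely which mkhomedir module the PAM session stack loads (and the directory mode a `umask=` option produces) and whether the home directory exists and is writable by its owner. The function names, the uid 1000 and the temporary sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit home-directory creation for PAM logins (gdm, sshd, ...).

# Print the first active "session" line that loads a mkhomedir module.
# $1 = PAM file, e.g. /etc/pam.d/common-session
mkhomedir_line() {
    awk '$1 ~ /^-?session$/ && /pam_(oddjob_)?mkhomedir\.so/ { print; exit }' "$1"
}

# Summarise which module would create a missing home directory.
mkhomedir_summary() {
    line=$(mkhomedir_line "$1")
    case $line in
        "") echo "none"; return 1 ;;
        *pam_oddjob_mkhomedir.so*) echo "oddjob"; return 0 ;;
    esac
    # pam_mkhomedir: the directory mode is 0777 with the umask= bits cleared.
    mask=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]umask=\([0-7][0-7]*\).*/\1/p')
    if [ -n "$mask" ]; then
        printf 'pam_mkhomedir mode=%04o\n' $(( 0777 & ~0$mask ))
    else
        echo "pam_mkhomedir mode=module-default"
    fi
}

# Does the home directory exist, belong to the user and allow the owner to
# write? $1 = directory, $2 = numeric uid of the user
home_state() {
    dir=$1 uid=$2
    [ -d "$dir" ] || { echo "missing"; return 1; }
    perms=$(ls -ldn "$dir" | awk '{ print $1 }')
    owner=$(ls -ldn "$dir" | awk '{ print $3 }')
    [ "$owner" = "$uid" ] || { echo "wrong-owner"; return 1; }
    case $perms in
        d?w*) echo "ok" ;;
        *) echo "not-writable"; return 1 ;;
    esac
}

# Constructed sample: the session line quoted in the thread, in a temp file.
sample=$(mktemp)
printf 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022\n' > "$sample"
mkhomedir_summary "$sample"
home_state /home/vmuser1 1000 || true   # uid 1000 is a placeholder
rm -f "$sample"
```

With `umask=0022` the created home directory is readable by other local users; `umask=0077` yields mode 0700.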

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-12 Thread tuxderlinuxfuch...@gmail.com
The directory didn't exist


On 12-May-17 11:48 AM, Sumit Bose wrote:
> On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuch...@gmail.com wrote:
>> Thanks!
>>
>> I followed this manual:
>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
>>
>> added the line
>>
>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>>
>> to the file /etc/pam.d/common-session (find attached)
>>
>>
> Have you checked if /home/vmuser1 exists and has the right permissions
> so that the user can create files in the directory?
>
> bye,
> Sumit
>



Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-11 Thread tuxderlinuxfuch...@gmail.com
I have attached the syslog with gdm debug mode enabled


On 11-May-17 1:54 PM, Sumit Bose wrote:
> On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuch...@gmail.com wrote:
>> Hello,
>>
>> I have attached the requested files.
> The logs indicate that access was granted by SSSD and that gdm even
> called pam_open_session.
>
> Did gdm login work with the 'allow all' rule? Are there any other
> hints in the system or gdm logs why gdm might have failed?
>
> bye,
> Sumit
>
>> Thanks in advance!
>>
>> On 10-May-17 9:42 PM, Sumit Bose wrote:
>>> On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuch...@gmail.com wrote:
>>>> Hello everyone,
>>>>
>>>> I set up my freeIPA instance and it works very well for my client
>>>> computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
>>>> freeIPA managed user account.
>>>>
>>>> My own HBAC rule also works for that. I disabled the "allow all" rule
>>>> and created my own one. Works fine for SSH.
>>>>
>>>> But I cannot login to the GNOME 3 Desktop on the client. I used the
>>>> netinstall ISO image of Ubuntu. During installation, I have chosen
>>>> "Ubuntu GNOME Desktop" as the only desktop.
>>>>
>>>> So my display manager is gdm3.
>>>>
>>>> I added the "gdm" and "gdm-password" services to my HBAC rule. To be on
>>>> the safe side, I rebooted the client machine. But I still can't login to
>>>> the GNOME Desktop with an account that can login via SSH.
>>>>
>>>> So the services in my rule are
>>>>
>>>> login, gdm, gdm-password
>>>>
>>>> If you need any logs or other information, I will provide them.
>>> Please send sssd_pam.log and sssd_domain.name.log with debug_level=10 in
>>> the [pam] and [domain/...] section of sssd.conf.
>>>
>>> bye,
>>> Sumit
>>>
>>>> Thanks in advance!
>>>>
>>>>
>>>>
>>>>



[Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-09 Thread tuxderlinuxfuch...@gmail.com
Hello everyone,

I set up my freeIPA instance and it works very well for my client
computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
freeIPA managed user account.

My own HBAC rule also works for that. I disabled the "allow all" rule
and created my own one. Works fine for SSH.

But I cannot login to the GNOME 3 Desktop on the client. I used the
netinstall ISO image of Ubuntu. During installation, I have chosen
"Ubuntu GNOME Desktop" as the only desktop.

So my display manager is gdm3.

I added the "gdm" and "gdm-password" services to my HBAC rule. To be on
the safe side, I rebooted the client machine. But I still can't login to
the GNOME Desktop with an account that can login via SSH.

So the services in my rule are

login, gdm, gdm-password

If you need any logs or other information, I will provide them.


Thanks in advance!



