Re: [Freeipa-users] login auth fails then success
On Tue, Sep 20, 2016 at 02:03:38PM +, Larry Rosen wrote:
> Thanks, that explains a lot (I didn't catch the difference in auth services).
> Would this be mitigated by putting sss in front of files in nsswitch.conf?
>
> /etc/nsswitch.conf:
> passwd: files sss
> shadow: files sss
> group: files sss

No, NSS is a separate interface. You can experiment with adding
pam_localuser.so before pam_unix, though.

btw this is how recent Fedora releases configure their PAM stack:

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

But watch out, PAM stacks are inherently distro-specific and I don't
remember what exactly you're running.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
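To make the ordering argument in Jakub's reply concrete, here is an added example (written for this page, not Linux-PAM code and not from the thread) that models how libpam walks an auth stack. It walks the Fedora stack quoted above and, for comparison, a constructed stack without the pam_localuser gate in the order the thread's log implies (pam_unix consulted before pam_sss). Assumptions: each module is reduced to a function returning a PAM result name, module arguments such as nullok or forward_pass are ignored, and the account tables and uids are made up.

```python
"""Simplified model of Linux-PAM auth-stack dispatch (added example).

Shows why pam_localuser.so in front of pam_unix.so keeps pam_unix from being
asked about a user that exists only in SSSD, so no 'authentication failure'
line is logged for it.  Not Linux-PAM code; account data is constructed.
"""

# Linux-PAM expands the shorthand controls to these action maps (pam.conf(5)).
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

def parse_control(ctrl):
    """'required' or '[default=1 success=ok]' -> {result: action}."""
    if ctrl in SHORTHAND:
        return dict(SHORTHAND[ctrl])
    if ctrl.startswith("[") and ctrl.endswith("]"):
        return dict(kv.split("=", 1) for kv in ctrl[1:-1].split())
    raise ValueError(f"unsupported control field: {ctrl}")

def run_auth_stack(stack, modules, user, password):
    """Walk the stack the way libpam does (simplified).

    Returns (final_status, trace); trace lists (module, result) for every
    module actually invoked.  Rules modelled: the first failure is sticky,
    'ok' records success only if nothing failed yet, 'done'/'die' stop the
    walk, 'ignore' contributes nothing, an integer action skips that many
    following entries.
    """
    status, trace, i = None, [], 0
    while i < len(stack):
        ctrl, name = stack[i]
        result = modules[name](user, password)
        trace.append((name, result))
        actions = parse_control(ctrl)
        action = actions.get(result, actions.get("default", "bad"))
        i += 1
        if action.isdigit():
            i += int(action)              # default=1 on pam_localuser: jump over pam_unix
        elif action == "ignore":
            continue
        elif action in ("ok", "done"):
            if status is None:
                status = "success"
            if action == "done":
                break
        elif action in ("bad", "die"):
            if status in (None, "success"):
                status = result
            if action == "die":
                break
        else:
            raise ValueError(f"unsupported action: {action}")
    return (status or "fail"), trace

# Constructed account data: root is local, il10web exists only in SSSD.
LOCAL_PASSWD = {"root": "rootpw"}
SSSD_USERS = {"il10web": "webpw"}
UIDS = {"root": 0, "il10web": 1200}

def pam_env(user, pw): return "success"
def pam_fprintd(user, pw): return "authinfo_unavail"        # no fingerprint reader
def pam_localuser(user, pw): return "success" if user in LOCAL_PASSWD else "user_unknown"
def pam_unix(user, pw):
    if user not in LOCAL_PASSWD:
        return "user_unknown"        # the call that produces the noisy 'authentication failure'
    return "success" if LOCAL_PASSWD[user] == pw else "auth_err"
def pam_succeed_if(user, pw): return "success" if UIDS.get(user, -1) >= 1000 else "auth_err"
def pam_sss(user, pw):
    if user not in SSSD_USERS:
        return "user_unknown"
    return "success" if SSSD_USERS[user] == pw else "auth_err"
def pam_deny(user, pw): return "perm_denied"

MODULES = {
    "pam_env.so": pam_env, "pam_fprintd.so": pam_fprintd, "pam_localuser.so": pam_localuser,
    "pam_unix.so": pam_unix, "pam_succeed_if.so": pam_succeed_if, "pam_sss.so": pam_sss,
    "pam_deny.so": pam_deny,
}

# The Fedora stack quoted in the reply, module arguments dropped.
FEDORA_STACK = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_fprintd.so"),
    ("[default=1 success=ok]", "pam_localuser.so"),
    ("[success=done ignore=ignore default=die]", "pam_unix.so"),
    ("requisite", "pam_succeed_if.so"),
    ("sufficient", "pam_sss.so"),
    ("required", "pam_deny.so"),
]

# Constructed stack without the gate, pam_unix first as the thread's log implies.
UNGATED_STACK = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite", "pam_succeed_if.so"),
    ("sufficient", "pam_sss.so"),
    ("required", "pam_deny.so"),
]

def modules_invoked(stack, user, password):
    """Return (final_status, names of modules that were actually called)."""
    status, trace = run_auth_stack(stack, MODULES, user, password)
    return status, [name for name, _ in trace]

if __name__ == "__main__":
    for label, stack in (("fedora", FEDORA_STACK), ("ungated", UNGATED_STACK)):
        print(label, "il10web:", modules_invoked(stack, "il10web", "webpw"))
        print(label, "root:   ", modules_invoked(stack, "root", "rootpw"))
```

With the gate in place the SSSD-only user never reaches pam_unix, so there is nothing for it to log, while a local user still authenticates through pam_unix and never touches pam_sss. The control fields are the whole story here: `[default=1 success=ok]` skips exactly one entry, so anything inserted between pam_localuser and pam_unix breaks the gate.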
Re: [Freeipa-users] login auth fails then success
Thanks, that explains a lot (I didn't catch the difference in auth services).
Would this be mitigated by putting sss in front of files in nsswitch.conf?

/etc/nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss

Date: Sun, 18 Sep 2016 22:14:59 +0200
From: Jakub Hrozek <jhro...@redhat.com>
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] login auth fails then success
Message-ID: <20160918201459.uhijnc4gyfykgzic@hendrix>
Content-Type: text/plain; charset=us-ascii

On Fri, Sep 16, 2016 at 06:23:03PM +, Larry Rosen wrote:
> Sorry I thought I had pasted these previously:
>
> What other logs do I need to add (maybe from the IPA server)?
>
> Client system's /var/log/secure:
>
> Sep 13 19:12:33 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:12:33 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:18:11 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:18:11 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:22:52 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:22:53 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:23:49 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:23:49 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:28:24 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:28:24 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:29:27 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:29:27 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web

I think these are expected. Authentication using pam_unix fails because
pam_unix doesn't know this particular user and then pam_sss succeeds.

I wonder if the best way to deal with the log messages is just to
configure logrotate a bit more aggressively?

>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Friday, September 16, 2016 1:39 PM
> To: Larry Rosen <larry.ro...@jdrsolutions.com>; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] login auth fails then success
>
> Larry Rosen wrote:
> > We have a web app that logs in using a service (automated login
> > user, non-expiring, non-failure count) account that leaves these log
> > entries all day long. This does not appear to cause any problems,
> > it just makes my logs grow unnecessarily and creates a lot of "noise" in the
> > log.
> >
> > Any ideas why it initially fails and then works?
>
> Logs where? Can we see them?
>
> rob
Re: [Freeipa-users] login auth fails then success
On Fri, Sep 16, 2016 at 06:23:03PM +, Larry Rosen wrote:
> Sorry I thought I had pasted these previously:
>
> What other logs do I need to add (maybe from the IPA server)?
>
> Client system's /var/log/secure:
>
> Sep 13 19:12:33 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:12:33 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:18:11 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:18:11 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:22:52 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:22:53 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:23:49 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:23:49 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:28:24 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:28:24 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:29:27 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
> Sep 13 19:29:27 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web

I think these are expected. Authentication using pam_unix fails because
pam_unix doesn't know this particular user and then pam_sss succeeds.

I wonder if the best way to deal with the log messages is just to
configure logrotate a bit more aggressively?

>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Friday, September 16, 2016 1:39 PM
> To: Larry Rosen <larry.ro...@jdrsolutions.com>; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] login auth fails then success
>
> Larry Rosen wrote:
> > We have a web app that logs in using a service (automated login user,
> > non-expiring, non-failure count) account that leaves these log entries
> > all day long. This does not appear to cause any problems, it just makes
> > my logs grow unnecessarily and creates a lot of "noise" in the log.
> >
> > Any ideas why it initially fails and then works?
>
> Logs where? Can we see them?
>
> rob
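Rotating the log more aggressively hides the pairs Jakub describes along with everything else. An added example (written for this page, not from the thread) shows the alternative a defender usually wants: parse the /var/log/secure lines and separate the expected pam_unix failure / pam_sss success pairs from failures that stand on their own. It assumes classic year-less syslog timestamps and the pam_unix/pam_sss message format shown above; SAMPLE_LOG reproduces Larry's twelve lines and adds three constructed ones (marked in the code).

```python
"""Triage PAM fallback noise in /var/log/secure (added example, not from the thread)."""
import re
from datetime import datetime, timedelta

# Matches 'pam_<mod>(<service>:auth): authentication success|failure; ... user=<name>'.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^:]+): "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):auth\): "
    r"authentication (?P<outcome>success|failure);.*\buser=(?P<user>\S*)"
)

def parse_line(line):
    """Return a dict for a pam_*(svc:auth) authentication line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    return ev

def triage(lines, window_seconds=2):
    """Split authentication failures into (noise, real).

    A pam_unix failure is noise when a pam_sss success for the same
    host/service/user follows within window_seconds (the thread's pairs land
    in the same second or one second apart).  Every other failure, including
    a pam_sss failure, is real.  Lines are taken in log order.
    """
    events = [ev for ev in map(parse_line, lines) if ev]
    noise, real = [], []
    for i, ev in enumerate(events):
        if ev["outcome"] != "failure":
            continue
        paired = False
        if ev["module"] == "pam_unix":
            key = (ev["host"], ev["service"], ev["user"])
            for nxt in events[i + 1:]:
                if nxt["ts"] - ev["ts"] > timedelta(seconds=window_seconds):
                    break
                if (nxt["module"], nxt["outcome"]) == ("pam_sss", "success") and \
                        (nxt["host"], nxt["service"], nxt["user"]) == key:
                    paired = True
                    break
        (noise if paired else real).append(ev)
    return noise, real

def summarize(lines):
    """Counts plus a one-line description of each real failure."""
    noise, real = triage(lines)
    return {
        "noise": len(noise),
        "real": len(real),
        "real_lines": [f"{e['ts']:%b %d %H:%M:%S} {e['module']} {e['user']}" for e in real],
    }

def _pam(ts, module, outcome, user="il10web"):
    # Builds a line in exactly the format Larry posted.
    return (f"Sep 13 {ts} il10-app-xfs udcs: {module}(login:auth): authentication "
            f"{outcome}; logname= uid=0 euid=0 tty= ruser= rhost= user={user}")

SAMPLE_LOG = [
    # The six pairs from the thread.
    _pam("19:12:33", "pam_unix", "failure"), _pam("19:12:33", "pam_sss", "success"),
    _pam("19:18:11", "pam_unix", "failure"), _pam("19:18:11", "pam_sss", "success"),
    _pam("19:22:52", "pam_unix", "failure"), _pam("19:22:53", "pam_sss", "success"),
    _pam("19:23:49", "pam_unix", "failure"), _pam("19:23:49", "pam_sss", "success"),
    _pam("19:28:24", "pam_unix", "failure"), _pam("19:28:24", "pam_sss", "success"),
    _pam("19:29:27", "pam_unix", "failure"), _pam("19:29:27", "pam_sss", "success"),
    # Constructed: an attempt both modules reject (e.g. a wrong password).
    _pam("19:35:00", "pam_unix", "failure"), _pam("19:35:00", "pam_sss", "failure"),
    # Constructed: an unrelated session line the parser must skip.
    "Sep 13 19:36:00 il10-app-xfs udcs: pam_unix(login:session): session opened for user il10web by (uid=0)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run over SAMPLE_LOG it reports six noise pairs and two real failures (the constructed 19:35:00 attempt). The pairing key deliberately includes host, service and user, so a pam_unix failure for one account is never excused by a pam_sss success for another.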
Re: [Freeipa-users] login auth fails then success
Sorry I thought I had pasted these previously:

What other logs do I need to add (maybe from the IPA server)?

Client system's /var/log/secure:

Sep 13 19:12:33 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:12:33 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:18:11 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:18:11 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:22:52 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:22:53 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:23:49 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:23:49 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:28:24 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:28:24 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:29:27 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:29:27 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, September 16, 2016 1:39 PM
To: Larry Rosen <larry.ro...@jdrsolutions.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] login auth fails then success

Larry Rosen wrote:
> We have a web app that logs in using a service (automated login user,
> non-expiring, non-failure count) account that leaves these log entries
> all day long. This does not appear to cause any problems, it just makes
> my logs grow unnecessarily and creates a lot of "noise" in the log.
>
> Any ideas why it initially fails and then works?

Logs where? Can we see them?

rob
Re: [Freeipa-users] login auth fails then success
Larry Rosen wrote:
> We have a web app that logs in using a service (automated login user,
> non-expiring, non-failure count) account that leaves these log entries
> all day long. This does not appear to cause any problems, it just makes
> my logs grow unnecessarily and creates a lot of noise in the log.
>
> Any ideas why it initially fails and then works?

Logs where? Can we see them?

rob
[Freeipa-users] login auth fails then success
We have a web app that logs in using a service (automated login user,
non-expiring, non-failure count) account that leaves these log entries
all day long. This does not appear to cause any problems, it just makes
my logs grow unnecessarily and creates a lot of "noise" in the log.

Any ideas why it initially fails and then works?

Larry