Re: [Freeipa-users] Some computers cannot get Some users logged in.
On Thu, Jun 05, 2014 at 03:11:00PM -0700, Scott Allen wrote:
> Found the problem. The users were added by a custom script that didn't
> prompt for passwords. As such, the users were in IPA and enabled but not
> able to login as they never had an initial password set. So on migrated
> machines it fell through to winbind and somehow found the old AD server.

Great, thank you for the feedback. I would recommend removing the winbind
entries from PAM and NSS configuration after the migration is finished.

bye,
Sumit

> On Thu, Jun 5, 2014 at 1:47 PM, Scott Allen wrote:
>
> > Hi,
> > I didn't migrate the passwords. All users started with a new default on IPA.
> > The new user foo doesn't exist on the AD system but can login successfully
> > using IPA credentials on a migrated system.
> >
> > On Fri, May 30, 2014 at 12:35 AM, Sumit Bose wrote:
> >
> > > On Thu, May 29, 2014 at 11:20:37AM -0700, Scott Allen wrote:
> > > > Hi,
> > > > Having a particularly weird problem. We have moved from AD to freeIPA recently and while there have been some bumps, most of the CentOS 6.2 boxes make the transition successfully. Some background.
> > > >
> > > > The Linux boxes were joined to AD on Windows 2008R2 using samba/winbind. When we moved from AD, boxes were not "removed" from AD, just disabled on the server side. We scripted the necessary bits since we were moving to a new subnet as well. The script runs "ipa-client-install -p admin --password PASSWORD --enable-dns-updates -U"
> > > >
> > > > The machines were joined successfully to freeIPA and then added to allow_all_hosts Host Group.
> > > >
> > > > On a workstation that was migrated, all users can successfully log in.
> > > > On a fresh install of CentOS6.2, only myself (admin_user) and a newly created user (foo) can successfully log in.
> > > >
> > > > On this fresh install, 'david' is blocked but new user 'foo' is allowed.
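One way to check a migrated client for the winbind entries that the reply above recommends removing, as an added example that is not part of the thread. The file contents are constructed samples in the CentOS 6 layout of /etc/pam.d/system-auth and /etc/nsswitch.conf (the poster's real files are not shown), and the function names are hypothetical.

```python
import re

# Constructed sample files (assumption): typical CentOS 6 layout after
# ipa-client-install ran on a host that had previously been joined with winbind.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
# session   optional      pam_winbind.so
"""
SAMPLE_NSSWITCH = """\
passwd:     files sss winbind
shadow:     files sss
group:      files sss winbind
hosts:      files dns
"""

# type, control (keyword or [bracketed value=action list]), module path
PAM_RULE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)"
)


def pam_winbind_entries(text):
    """Return (line_no, type, control) for each active rule loading pam_winbind."""
    hits = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # PAM comments run to end of line
        m = PAM_RULE.match(line)
        if m and m["module"].rsplit("/", 1)[-1] == "pam_winbind.so":
            hits.append((line_no, m["type"], m["control"]))
    return hits


def can_grant_alone(control):
    """True when success from this module ends the stack with success."""
    if control == "sufficient":
        return True
    return control.startswith("[") and re.search(r"\bsuccess=done\b", control) is not None


def nss_winbind_databases(text):
    """Return the nsswitch.conf databases that still list winbind as a source."""
    dbs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        # Drop action items such as [NOTFOUND=return]; keep only source names.
        names = re.sub(r"\[[^\]]*\]", " ", sources).split()
        if "winbind" in names:
            dbs.append(db.strip())
    return dbs


def audit(pam_files, nsswitch_text):
    """Collect one human-readable finding per leftover winbind reference."""
    findings = []
    for name, text in sorted(pam_files.items()):
        for line_no, rule_type, control in pam_winbind_entries(text):
            alone = rule_type == "auth" and can_grant_alone(control)
            note = "can authenticate on its own" if alone else "leftover rule"
            findings.append(f"{name}:{line_no}: {rule_type} {control} pam_winbind.so ({note})")
    for db in nss_winbind_databases(nsswitch_text):
        findings.append(f"nsswitch.conf: '{db}' still lists winbind")
    return findings


if __name__ == "__main__":
    for finding in audit({"system-auth": SAMPLE_SYSTEM_AUTH}, SAMPLE_NSSWITCH):
        print(finding)
```

An `auth sufficient pam_winbind.so` rule placed after pam_sss is the case that matters most: a rejection by pam_sss does not end the stack, so the old directory still gets to decide.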
Re: [Freeipa-users] Some computers cannot get Some users logged in.
Found the problem. The users were added by a custom script that didn't prompt for passwords. As such, the users were in IPA and enabled but not able to login as they never had an initial password set. So on migrated machines it fell through to winbind and somehow found the old AD server.

On Thu, Jun 5, 2014 at 1:47 PM, Scott Allen wrote:

> Hi,
> I didn't migrate the passwords. All users started with a new default on IPA.
> The new user foo doesn't exist on the AD system but can login successfully
> using IPA credentials on a migrated system.
>
> On Fri, May 30, 2014 at 12:35 AM, Sumit Bose wrote:
>
> > On Thu, May 29, 2014 at 11:20:37AM -0700, Scott Allen wrote:
> > > Hi,
> > > Having a particularly weird problem. We have moved from AD to freeIPA recently and while there have been some bumps, most of the CentOS 6.2 boxes make the transition successfully. Some background.
> > >
> > > The Linux boxes were joined to AD on Windows 2008R2 using samba/winbind. When we moved from AD, boxes were not "removed" from AD, just disabled on the server side. We scripted the necessary bits since we were moving to a new subnet as well. The script runs "ipa-client-install -p admin --password PASSWORD --enable-dns-updates -U"
> > >
> > > The machines were joined successfully to freeIPA and then added to allow_all_hosts Host Group.
> > >
> > > On a workstation that was migrated, all users can successfully log in.
> > > On a fresh install of CentOS6.2, only myself (admin_user) and a newly created user (foo) can successfully log in.
> > >
> > > On this fresh install, 'david' is blocked but new user 'foo' is allowed.
Re: [Freeipa-users] Some computers cannot get Some users logged in.
Hi,
I didn't migrate the passwords. All users started with a new default on IPA.
The new user foo doesn't exist on the AD system but can login successfully using IPA credentials on a migrated system.

On Fri, May 30, 2014 at 12:35 AM, Sumit Bose wrote:

> On Thu, May 29, 2014 at 11:20:37AM -0700, Scott Allen wrote:
> > Hi,
> > Having a particularly weird problem. We have moved from AD to freeIPA recently and while there have been some bumps, most of the CentOS 6.2 boxes make the transition successfully. Some background.
> >
> > The Linux boxes were joined to AD on Windows 2008R2 using samba/winbind. When we moved from AD, boxes were not "removed" from AD, just disabled on the server side. We scripted the necessary bits since we were moving to a new subnet as well. The script runs "ipa-client-install -p admin --password PASSWORD --enable-dns-updates -U"
> >
> > The machines were joined successfully to freeIPA and then added to allow_all_hosts Host Group.
> >
> > On a workstation that was migrated, all users can successfully log in.
> > On a fresh install of CentOS6.2, only myself (admin_user) and a newly created user (foo) can successfully log in.
> >
> > On this fresh install, 'david' is blocked but new user 'foo' is allowed.
Re: [Freeipa-users] Some computers cannot get Some users logged in.
On Thu, May 29, 2014 at 11:20:37AM -0700, Scott Allen wrote:
> Hi,
> Having a particularly weird problem. We have moved from AD to freeIPA recently and while there have been some bumps, most of the CentOS 6.2 boxes make the transition successfully. Some background.
>
> The Linux boxes were joined to AD on Windows 2008R2 using samba/winbind. When we moved from AD, boxes were not "removed" from AD, just disabled on the server side. We scripted the necessary bits since we were moving to a new subnet as well. The script runs "ipa-client-install -p admin --password PASSWORD --enable-dns-updates -U"
>
> The machines were joined successfully to freeIPA and then added to allow_all_hosts Host Group.
>
> On a workstation that was migrated, all users can successfully log in.
> On a fresh install of CentOS6.2, only myself (admin_user) and a newly created user (foo) can successfully log in.
>
> On this fresh install, 'david' is blocked but new user 'foo' is allowed.
>
> May 29 09:20:29 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.26 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> May 29 09:20:46 embassy419 pam: gdm-password[2910]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
> May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
> May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
> May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
> May 29 10:44:06 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.88 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> May 29 10:44:13 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
> May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
> May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:session): session opened for user foo by (uid=0)
> May 29 10:44:15 embassy419 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.88, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
>
> But on this machine that was migrated.
> pam: gdm-password[14145]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
> May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
> May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
> May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
> May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): getting password (0x0010)
> May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): pam_get_item returned a password
> May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): user 'david' granted access
> May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
> May 29 10:42:10 Embassy426 pam: gdm-password[14145]: pam_unix(gdm-password:session): session opened for user david by (uid=0)

As Dmitri already said, on the migrated systems winbind is still used and doing the authentication which is still talking to AD. But you can see the same error from pam_sss 'Preauthentication failed' which typically is an indication that the password is wrong.

How did you migrate the passwords from AD to IPA?

bye,
Sumit

> May 29 10:42:10 Embassy426 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.85, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
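The pattern pointed out in the reply above (pam_sss rejects the password, then pam_winbind grants access in the same login attempt) can be picked out of the logs mechanically. The following is an added example, not part of the thread: the log lines are copied from the excerpts posted here and unfolded to one per line, while the function names and verdict labels are hypothetical.

```python
import re

# Lines copied from the log excerpts in this thread, unfolded to one per line.
SAMPLE_LOG = """\
May 29 09:20:46 embassy419 pam: gdm-password[2910]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): getting password (0x0010)
May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): user 'david' granted access
May 29 10:42:10 Embassy426 pam: gdm-password[14145]: pam_unix(gdm-password:session): session opened for user david by (uid=0)
May 29 10:42:57 Embassy426 pam: gdm-password[15052]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:3 ruser= rhost= user=foo
"""

# timestamp, host, "pam:", service[pid], module(service:phase), message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s[\d:]{8})\s(?P<host>\S+)\spam:\s[\w-]+\[(?P<pid>\d+)\]:\s"
    r"(?P<module>pam_\w+)\([\w-]+:(?P<phase>\w+)\):\s(?P<msg>.*)$"
)
# \buser= skips the "ruser=" field that precedes it on the same line.
SSS_RESULT_RE = re.compile(r"authentication (?P<result>success|failure);.*\buser=(?P<user>\S+)")
WINBIND_OK_RE = re.compile(r"user '(?P<user>[^']+)' granted access")


def classify_sessions(log_text):
    """Map (host, pid) -> (user, verdict) for each login attempt pam_sss handled.

    Verdicts: "ipa" (pam_sss accepted), "refused" (pam_sss rejected and nothing
    else accepted), "winbind-fallback" (pam_sss rejected, pam_winbind accepted).
    """
    state = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["phase"] != "auth":
            continue
        key = (m["host"], int(m["pid"]))
        if m["module"] == "pam_sss":
            res = SSS_RESULT_RE.search(m["msg"])
            if res:
                verdict = "ipa" if res["result"] == "success" else "refused"
                state[key] = (res["user"], verdict)
        elif m["module"] == "pam_winbind":
            ok = WINBIND_OK_RE.search(m["msg"])
            # Only a grant that follows an IPA rejection for the same user counts.
            if ok and state.get(key) == (ok["user"], "refused"):
                state[key] = (ok["user"], "winbind-fallback")
    return state


def fallback_logins(log_text):
    """Return sorted (host, pid, user) tuples where the old directory let the user in."""
    sessions = classify_sessions(log_text)
    return sorted((h, p, u) for (h, p), (u, v) in sessions.items() if v == "winbind-fallback")


if __name__ == "__main__":
    for (host, pid), (user, verdict) in classify_sessions(SAMPLE_LOG).items():
        print(f"{host} pid={pid} user={user}: {verdict}")
```

On the fresh install the same rejected password ends as "refused", which is why the two hosts behaved differently for 'david'.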
[Freeipa-users] Some computers cannot get Some users logged in.
Hi,
Having a particularly weird problem. We have moved from AD to freeIPA recently and while there have been some bumps, most of the CentOS 6.2 boxes make the transition successfully. Some background.

The Linux boxes were joined to AD on Windows 2008R2 using samba/winbind. When we moved from AD, boxes were not "removed" from AD, just disabled on the server side. We scripted the necessary bits since we were moving to a new subnet as well. The script runs "ipa-client-install -p admin --password PASSWORD --enable-dns-updates -U"

The machines were joined successfully to freeIPA and then added to allow_all_hosts Host Group.

On a workstation that was migrated, all users can successfully log in.
On a fresh install of CentOS6.2, only myself (admin_user) and a newly created user (foo) can successfully log in.

On this fresh install, 'david' is blocked but new user 'foo' is allowed.

May 29 09:20:29 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.26 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 29 09:20:46 embassy419 pam: gdm-password[2910]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
May 29 10:44:06 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.88 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 29 10:44:13 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:session): session opened for user foo by (uid=0)
May 29 10:44:15 embassy419 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.88, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

But on this machine that was migrated.
pam: gdm-password[14145]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): getting password (0x0010)
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): pam_get_item returned a password
May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): user 'david' granted access
May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
May 29 10:42:10 Embassy426 pam: gdm-password[14145]: pam_unix(gdm-password:session): session opened for user david by (uid=0)
May 29 10:42:10 Embassy426 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.85, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 29 10:42:11 Embassy426 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session4 (system bus name :1.105 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 29 10:42:56 Embassy426 pam: gdm-password[15052]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:3 ruser= rhost= user=foo
May 29 10:42:57 Embassy426 pam: gdm-password[15052]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:3 ruser= rhost= user=foo
May 29 10:42:57 Embassy426 pam: gdm-password[15052]: pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
May 29 10:42:59 Embassy426 pam: gdm-password[15052