Stephen, I've tried to rearrange the system-auth. However, when offline, I still cannot login with KDE. the system-auth looks like this:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
account sufficient pam_succeed_if.so uid > 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account sufficient pam_localuser.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid > 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
#account required pam_access.so accessfile=/etc/security/access.netgroup.conf
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_sss.so use_authtok
password required pam_deny.so
#session required pam_limits.so
session required pam_unix.so
session required pam_keyinit.so revoke
session optional pam_sss.so

cheers,
Andy

2011/1/27 Stephen Gallagher <sgall...@redhat.com>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/27/2011 10:06 AM, Andy Kannberg wrote:
> > Hi,
> >
> > I've got the SSSD packages from RHEL 5.6 installed on a RHEL 5.4 system.
> > SSSD works fine on the command line and when logging in via KDE. Also
> > logging on with cached credentials (when network is off) works like a
> > charm, on the command line.
> > When I want to login with cached credentials via KDE (network
> > disabled.), it goes wrong. KDE throws me a new login prompt, saying I
> > used the wrong userid or password.
> >
> > When I check the /var/log/secure file, I see the following happens:
> >
> > Jan 27 15:59:49 hpdw0001 su: pam_unix(su-l:session): session closed for user root
> > Jan 27 16:00:01 hpdw0001 crond[21924]: pam_unix(crond:session): session opened for user root by (uid=0)
> > Jan 27 16:00:01 hpdw0001 crond[21924]: pam_unix(crond:session): session closed for user root
> > Jan 27 16:00:20 hpdw0001 gdm[3744]: pam_unix(gdm:session): session closed for user nxp21358
> > Jan 27 16:00:20 hpdw0001 gdm[3744]: pam_console(gdm:session): getpwnam failed for nxp21358
> > Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user unknown
> > Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
> > Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info message: Authenticated with cached credentials.
> > Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
> > Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error retrieving information about user nxp21358
> > Jan 27 16:00:39 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not identify user (from getpwnam(nxp21358))
> > Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user unknown
> > Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
> > Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info message: Authenticated with cached credentials.
> > Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
> > Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error retrieving information about user nxp21358
> > Jan 27 16:00:49 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not identify user (from getpwnam(nxp21358))
> > Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:auth): check pass; user unknown
> > Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
> > Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_sss(gdm:auth): User info message: Authenticated with cached credentials.
> > Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
> > Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_succeed_if(gdm:account): error retrieving information about user nxp21358
> > Jan 27 16:00:58 hpdw0001 gdm[3744]: pam_unix(gdm:account): could not identify user (from getpwnam(nxp21358))
> > Jan 27 16:01:01 hpdw0001 crond[21958]: pam_unix(crond:session): session opened for user root by (uid=0)
> > Jan 27 16:01:11 hpdw0001 crond[21958]: pam_unix(crond:session): session closed for user root
> > Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
> > Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_sss(gdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nxp21358
> > Jan 27 16:01:39 hpdw0001 gdm[3744]: pam_unix(gdm:session): session opened for user nxp21358 by (uid=0)
> > Jan 27 16:01:50 hpdw0001 su: pam_unix(su-l:auth): authentication failure; logname=nxp21358 uid=3396 euid=0 tty=pts/8 ruser=nxp21358 rhost= user=root
> > Jan 27 16:01:56 hpdw0001 su: pam_unix(su-l:session): session opened for user root by nxp21358(uid=3396)
> >
> > I'm not a PAM expert, but what I get from this is that the pam_succeed
> > module triggers a fail because pam_unix cannot find the user. How can I
> > solve this?
>
> I think you probably want pam_succeed_if to be above pam_sss in your PAM
> stack. Here's what mine looks like:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_mkhomedir.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> - --
> Stephen Gallagher
> RHCE 804006346421761
>
> Delivering value year after year.
> Red Hat ranks #1 in value among software vendors.
> http://www.redhat.com/promo/vendor/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk1BiwcACgkQeiVVYja6o6NuTwCePD6TfWA0/491XYipAeSR51ak
> TVEAn2TBnxXZWXVKEafWAou+KgbR/eZe
> =FoQ0
> -----END PGP SIGNATURE-----
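The thread turns on how Linux-PAM walks a stack: which control flags let a later module rescue an earlier failure, and which do not. The following simulator is an added illustration, not SSSD or Linux-PAM code from the list. It implements the control semantics documented in pam.conf(5) (required, requisite, sufficient, optional, bracketed [value=action] controls and the numeric jump), then runs the auth and account lines of the two system-auth files quoted above through them. The per-module return values are constructed assumptions: the OFFLINE scenario mirrors the quoted /var/log/secure lines (pam_unix and pam_succeed_if cannot resolve the user, pam_sss succeeds from its cache), and the ONLINE scenario assumes the user resolves through NSS with a uid above 500. The names OFFLINE, ONLINE, ANDY, STEPHEN, parse_stack, run_stack and compare are this example's own.

```python
"""Linux-PAM control-flow simulator for the two system-auth stacks in this
thread. Added illustration, not SSSD or Linux-PAM code: control semantics
follow pam.conf(5); module return values are constructed assumptions."""
import re

# Keyword controls expanded as pam.conf(5) documents them.
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

def parse_stack(config, stack_type):
    """Return [(control_dict, module, args)] for one management group."""
    entries = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        typ, control, module, args = LINE_RE.match(line).groups()
        if typ == stack_type:
            spec = control[1:-1] if control.startswith("[") else KEYWORDS[control]
            entries.append((dict(kv.split("=") for kv in spec.split()), module, args))
    return entries

def run_stack(entries, outcomes):
    """Walk a stack; `outcomes` maps 'module args' or 'module' to a return
    value. Returns (stack result, per-module trace)."""
    impression, status = None, "perm_denied"   # Linux-PAM's must-fail default
    i, trace = 0, []
    while i < len(entries):
        control, module, args = entries[i]
        retval = outcomes.get(f"{module} {args}".strip(), outcomes.get(module, "success"))
        action = control.get(retval, control.get("default", "bad"))
        trace.append(f"{module}: {retval} -> {action}")
        i += 1
        if action in ("ok", "done") or action.isdigit():
            # ok/done/N contribute only while no earlier module has failed the stack
            if impression is None or (impression and status == "success"):
                impression, status = True, retval
            if action == "done" and impression:
                break                      # sufficient module succeeded: stop
            if action.isdigit():
                i += int(action)           # jump over the next N modules
        elif action in ("bad", "die"):
            if impression is not False:    # the first failure fixes the status
                impression, status = False, retval
            if action == "die":
                break                      # requisite failure ends the stack
        # "ignore": this module does not contribute to the result
    return status, trace

# auth and account lines exactly as quoted in the thread (other groups omitted).
ANDY = """
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
account sufficient pam_succeed_if.so uid > 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account sufficient pam_localuser.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid > 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
"""
STEPHEN = """
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
"""
# Constructed return values. OFFLINE mirrors the quoted log: getpwnam() fails, so
# pam_unix and pam_succeed_if report user_unknown while pam_sss succeeds from
# cache. ONLINE assumes the user resolves via NSS with a uid above 500.
OFFLINE = {"pam_unix.so": "user_unknown", "pam_succeed_if.so": "user_unknown",
           "pam_localuser.so": "user_unknown", "pam_sss.so": "success",
           "pam_deny.so": "auth_err"}
ONLINE = {"pam_unix.so": "success", "pam_localuser.so": "user_unknown",
          "pam_succeed_if.so uid > 500 quiet": "success",
          "pam_succeed_if.so uid < 500 quiet": "auth_err", "pam_sss.so": "success"}

def compare():
    """Stack result for each posted file and scenario."""
    cases = [("andy auth offline", ANDY, "auth", OFFLINE),
             ("stephen auth offline", STEPHEN, "auth", OFFLINE),
             ("andy account offline", ANDY, "account", OFFLINE),
             ("stephen account offline", STEPHEN, "account", OFFLINE),
             ("andy account online", ANDY, "account", ONLINE),
             ("stephen account online", STEPHEN, "account", ONLINE)]
    return {name: run_stack(parse_stack(cfg, typ), outs)[0]
            for name, cfg, typ, outs in cases}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:24} -> {result}")
```

Run as a script it prints one result per case. Under the OFFLINE assumptions both account stacks return user_unknown: once the `required` pam_unix line records a failure, a later `sufficient` or `success=ok` pam_sss cannot override it, whichever order pam_succeed_if sits in. The `requisite` pam_succeed_if in Stephen's auth stack goes further and ends the auth phase immediately when the user cannot be resolved, while Andy's `sufficient` pam_sss line returns success there, matching the pam_sss "authentication success" entries in the log. Under ONLINE both account stacks succeed, Andy's through the early `sufficient` pam_succeed_if and Stephen's through pam_unix with broken_shadow. Swapping in other return values for a module is a one-line change to the scenario dictionaries.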
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel