On Wed, Apr 03, 2013 at 07:51:31AM -0400, Sutton, Harry (GSSE) wrote:
> On 04/02/2013 06:04 PM, Jakub Hrozek wrote:
> >On Tue, Apr 02, 2013 at 09:39:19PM +0000, Sutton, Harry (GSSE) wrote:
> >>Yes, sorry, I should have confirmed that.
> >>
> >> /Harry
> >>
> >OK, then what does /var/log/secure have to say? Do you see pam_sss
> >contacted at all? If so, is anything interesting in /var/log/sssd/*.log
> >?
> >
> >I use cached authentication all the time here (roaming laptop) w/o any
> >problems, so I rather suspect some configuration issue. We just need to
> >get to the root of the cause :)
> >_______________________________________________
> >sssd-users mailing list
> >[email protected]
> >https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> Thanks for sticking with me on this, Jakub ;-)
>
> Okay, here are the pertinent lines from /var/log/secure from an
> unsuccessful login attempt when the laptop was not connected to the
> network:
>
> Apr 3 07:41:52 tobyws gdm-launch-environment][1322]:
> pam_unix(gdm-launch-environment:session): session opened for user gdm by
> (uid=0)
> Apr 3 07:42:07 tobyws polkitd[968]: Registered Authentication Agent for
> unix-session:1 (system bus name :1.60 [gnome-shell --mode=gdm], object path
> /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> Apr 3 07:42:36 tobyws gdm-password][1651]: pam_unix(gdm-password:auth):
> authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost=
> user=suttonh
> Apr 3 07:42:36 tobyws gdm-password][1651]: pam_sss(gdm-password:auth):
> authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost=
> user=suttonh
> Apr 3 07:42:36 tobyws gdm-password][1651]: pam_sss(gdm-password:auth):
> received for user suttonh: 9 (Authentication service cannot retrieve
> authentication info)

Hm, interesting, I would only expect this message if cache_credentials
was set to False. Are you sure the user suttonh you are logging in as has
logged in before to establish the cached credentials?

This is how you can be completely sure:
 * install the ldb-tools package
 * run:
   $ ldbsearch -H /var/lib/sss/db/cache_AMERICAS.CPQCORP.NET.ldb name=suttonh
   this search should yield the cached entry for the user named suttonh
   and you should see a cachedPassword attribute that contains the salted
   password hash

If the password hash is there, can you check the debug logs
(/var/log/sssd/sssd_AMERICAS.CPQCORP.NET.log) if there is anything of
interest?

> Apr 3 07:42:36 tobyws gdm-password][1651]: pam_krb5[1651]: authentication
> fails for 'suttonh' ([email protected]): Authentication service
> cannot retrieve authentication info (Cannot resolve network address for KDC
> in requested realm)
>
> Here's my sssd.conf file:
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = AMERICAS.CPQCORP.NET
> debug_level = 0x3780
>
> [domain/AMERICAS.CPQCORP.NET]
> id_provider = ad
> fallback_homedir = /home/%u
> cache_credentials = true
> debug_level = 0x3780
>
> [nss]
> debug_level = 0x3780
>
> [pam]
> debug_level = 0x3780
>
> I can provide krb5.conf, smb.conf, and any other configuration or
> log files you might want to see out of band.
>
> /Harry
>

The config file looks good to me. I re-ran a simple offline auth with the
ad provider now locally and it worked for me, but maybe you are hitting
some weird corner case.
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
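Added example, not part of the thread or of SSSD: a small Python triage script for /var/log/secure lines like the ones Harry posted. It pulls the numeric result code out of each pam_sss "received for user X: N (...)" line, names it with the Linux-PAM return-code table, and flags the combination Jakub is reasoning about: pam_sss returning 9 (PAM_AUTHINFO_UNAVAIL) while pam_krb5 reports it cannot resolve a KDC, i.e. the host is offline and SSSD served no cached credential for that user. The sample log is constructed from the thread's lines (host, user and domain as posted; the last two lines are invented), and the offline-without-cache flag is a heuristic of this example, not a signal SSSD itself defines.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the /var/log/secure lines in the thread
# (host, user and domain from the thread; the last two lines are invented).
SAMPLE_SECURE_LOG = """\
Apr  3 07:42:36 tobyws gdm-password][1651]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=suttonh
Apr  3 07:42:36 tobyws gdm-password][1651]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=suttonh
Apr  3 07:42:36 tobyws gdm-password][1651]: pam_sss(gdm-password:auth): received for user suttonh: 9 (Authentication service cannot retrieve authentication info)
Apr  3 07:42:36 tobyws gdm-password][1651]: pam_krb5[1651]: authentication fails for 'suttonh' (suttonh@AMERICAS.CPQCORP.NET): Authentication service cannot retrieve authentication info (Cannot resolve network address for KDC in requested realm)
Apr  3 07:55:10 tobyws gdm-password][1702]: pam_sss(gdm-password:auth): received for user suttonh: 7 (Authentication failure)
Apr  3 08:01:03 tobyws sshd[1800]: pam_sss(sshd:auth): received for user alice: 6 (Permission denied)
"""

# Linux-PAM return codes as pam_sss logs them in "received for user X: N (...)".
PAM_CODES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

PAM_SSS_RE = re.compile(
    r"pam_sss\((?P<service>[^:)]+):auth\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)")


def parse_pam_sss(log_text):
    """One dict per pam_sss result line: service, user, numeric code, name, message."""
    results = []
    for line in log_text.splitlines():
        m = PAM_SSS_RE.search(line)
        if m:
            code = int(m.group("code"))
            results.append({"service": m.group("service"), "user": m.group("user"),
                            "code": code, "name": PAM_CODES.get(code, "UNKNOWN"),
                            "msg": m.group("msg")})
    return results


def triage(log_text):
    """Per-user summary of pam_sss codes, plus a heuristic flag for the thread's
    pattern: code 9 (PAM_AUTHINFO_UNAVAIL) while pam_krb5 cannot resolve a KDC,
    meaning the host was offline and SSSD had no usable cached credential."""
    per_user = defaultdict(set)
    for r in parse_pam_sss(log_text):
        per_user[r["user"]].add(r["name"])
    kdc_unreachable = "Cannot resolve network address for KDC" in log_text
    suspects = sorted(u for u, names in per_user.items()
                      if kdc_unreachable and "PAM_AUTHINFO_UNAVAIL" in names)
    return {"per_user": {u: sorted(n) for u, n in per_user.items()},
            "kdc_unreachable": kdc_unreachable,
            "no_cached_credentials_suspects": suspects}
```

For a user in no_cached_credentials_suspects, the next check is the ldbsearch above: if the cache entry has no cachedPassword attribute, the user never completed an online login on this host, so there is nothing for offline authentication to verify against.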
