Hi again,
Sorry for the delay;
I checked the domain log - the long version of the log is attached.

Here is the short extract from the log - with focus on PAM;

I am suspicious that the PAM commands end with "logon_name = not set", whatever 
that means;
As I wrote before, the login session is partially done - the homedir is an nfs+krb 
share and is mounted with proper nfsidmapping.
I log in with the FQN longina@n.c.domain

Best,
Longina

---


(Wed Nov 30 16:25:16 2016) [sssd[be[a.c.domain]]] [ad_gpo_access_check] (0x0400): POLICY DECISION:
(Wed Nov 30 16:25:16 2016) [sssd[be[a.c.domain]]] [ad_gpo_access_check] (0x0400):  access_granted = 1
(Wed Nov 30 16:25:16 2016) [sssd[be[a.c.domain]]] [ad_gpo_access_check] (0x0400):   access_denied = 0
(Wed Nov 30 16:25:16 2016) [sssd[be[a.c.domain]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.


.....


(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): domain: n.c.domain
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): user: longina@n.c.domain
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): service: lightdm
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): tty: :0
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): ruser: 
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): rhost: 
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): authtok type: 1
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): priv: 1
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): cli_pid: 1164
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): logon name: not set
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [longina@n.c.domain] is empty, running request [0x2290660] immediately.
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [krb5_setup] (0x4000): No mapping for: longina@n.c.domain

......
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): domain: n.c.domain
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): user: longina@n.c.domain
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): service: lightdm
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): tty: :0
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): ruser: 
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): rhost: 
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): priv: 1
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): cli_pid: 1164
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): logon name: not set
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [sdap_access_send] (0x0400): Performing access check for user [longina@n.c.domain]


......
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): command: SSS_PAM_SETCRED
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): domain: n.c.domain
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): user: longina@n.c.domain
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): service: lightdm
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): tty: :0
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): ruser: 
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): rhost: 
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): priv: 1
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): cli_pid: 1164
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): logon name: not set
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [be_pam_handler] (0x0100): Sending result [0][n.c.domain]
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [sbus_dispatch] (0x4000): dbus conn: 0x21d6360
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [be_req_set_domain] (0x0400): Changing request domain from [a.c.domain] to [n.c.domain]
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): command: SSS_PAM_OPEN_SESSION
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): domain: n.c.domain
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): user: longina@n.c.domain
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): service: lightdm
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): tty: :0
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): ruser: 
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): rhost: 
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): priv: 1
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): cli_pid: 1164
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): logon name: not set
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [be_pam_handler] (0x0100): Sending result [0][n.c.domain]
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [sbus_dispatch] (0x4000): dbus conn: 0x21d6360
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit



> -----Original message-----
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: 17 November 2016 09:25
> To: sssd-users@lists.fedorahosted.org
> Subject: [SSSD-users] Re: sssd-13.4 can't login
> 
> On Wed, Nov 09, 2016 at 02:45:56PM +0000, Longina Przybyszewska wrote:
> > Hi again,
> > I still hang on that problem.
> > Client and server are configured in an AD trust realm environment.
> > Client and server are joined to a.c.domain; the user is from n.c.domain.
> >
> > During the login sequence the NFS share (sec=krb5) homedir is mounted with
> > the right nfsidmapping.
> > The user can't log in because of access denied to the homedir.
> >
> > If I change the mount parameter to sec=sys, the user can successfully log in.
> >
> > The machine's and the user's credentials *are* valid;
> >
> > ==
> > Ticket cache: FILE:/tmp/krb5cc_332405654_B4r6Sy
> > Default principal: longina@N.C.DOMAIN
> >
> > Valid starting       Expires              Service principal
> > 11/09/2016 15:00:43  11/10/2016 01:00:43  krbtgt/N.C.DOMAIN@N.C.DOMAIN
> >         renew until 11/10/2016 01:00:43
> > 11/09/2016 15:00:45  11/10/2016 01:00:43  krbtgt/C.SDU.DK@N.C.DOMAIN
> >         renew until 11/10/2016 01:00:43
> > 11/09/2016 15:00:45  11/10/2016 01:00:43  nfs/adm-lptest.a.c.domain@
> >         renew until 11/10/2016 01:00:43
> > 11/09/2016 15:00:45  11/10/2016 01:00:43  nfs/adm-lptest.a.c.domain@A.C.DOMAIN
> >         renew until 11/10/2016 01:00:43
> > ==
> > The Kerberos sequence for login ends with (krb5_child.log):
> >
> > ==[sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal longina@N.C.DOMAIN in cache collection]=
> 
> You can ignore this: since you are using the FILE: ccache, which doesn't
> support collections, this error is harmless.
> 
> It looks like the krb5_child itself finished fine, according to:
> > (Wed Nov  9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [k5c_send_data] (0x0200): Received error code 0
> > (Wed Nov  9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [pack_response_packet] (0x2000): response packet size: [142]
> > (Wed Nov  9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [k5c_send_data] (0x4000): Response sent.
> > (Wed Nov  9 15:00:44 2016) [[sssd[krb5_child[1563]]]] [main] (0x0400): krb5_child completed successfully
> 
> So I would suggest looking into the domain logs as well. Chances are some
> other part (maybe the access control later?) is failing.
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe
> send an email to sssd-users-le...@lists.fedorahosted.org

Attachment: sssd-sanit-long.log.gz
Description: sssd-sanit-long.log.gz
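As an added example (not code from the thread or from the SSSD project), a small Python parser for the sssd domain-log excerpt above: it groups each pam_print_data dump into one record per PAM command, keeps the dumped fields (including "logon name"), attaches the be_pam_handler "Sending result" code that closes the request, and collects any other back-end messages logged in between (such as the krb5_setup "No mapping for" line), so the AUTHENTICATE, ACCT_MGMT, SETCRED and OPEN_SESSION steps and their results can be read off without scrolling. The sample lines are constructed from the excerpt above with the mail wrapping undone.

```python
import re

# Constructed sample in the sssd domain-log format quoted in the thread (wrapped lines re-joined).
SAMPLE_LOG = """\
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): cli_pid: 1164
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): logon name: not set
(Wed Nov 30 16:24:56 2016) [sssd[be[a.c.domain]]] [krb5_setup] (0x4000): No mapping for: longina@n.c.domain
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): cli_pid: 1164
(Wed Nov 30 16:24:57 2016) [sssd[be[a.c.domain]]] [be_pam_handler] (0x0100): Sending result [0][n.c.domain]
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): command: SSS_PAM_OPEN_SESSION
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [pam_print_data] (0x0100): cli_pid: 1164
(Wed Nov 30 16:24:59 2016) [sssd[be[a.c.domain]]] [be_pam_handler] (0x0100): Sending result [0][n.c.domain]
"""
# One sssd debug line: "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<be>[^\]]+)\]\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
RESULT_RE = re.compile(r"Sending result \[(?P<code>\d+)\]\[(?P<domain>[^\]]+)\]")

def parse_pam_requests(log_text):
    """One record per PAM command: dumped fields, closing result code (None if absent), other messages."""
    requests, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "pam_print_data":
            key, _, value = msg.partition(":")   # "tty: :0" keeps its value intact
            key, value = key.strip(), value.strip()
            if key == "command":                 # a new request starts with its command line
                current = {"command": value, "ts": m.group("ts"),
                           "fields": {}, "result": None, "notes": []}
                requests.append(current)
            elif current is not None:
                current["fields"][key] = value
        elif current is not None:
            r = RESULT_RE.search(msg)
            if func == "be_pam_handler" and r:
                current["result"] = int(r.group("code"))
            else:
                current["notes"].append((func, msg))
    return requests

def pam_sequence(log_text):
    """Return (command, cli_pid, result) per request; result 0 is PAM_SUCCESS."""
    return [(q["command"], q["fields"].get("cli_pid"), q["result"])
            for q in parse_pam_requests(log_text)]
```

Run it over a full sanitized domain log (`pam_sequence(open(path).read())`) and any request whose result is not 0, or whose notes contain an error message, marks the PAM step where the login actually fails.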
