Hi Jakub,

Here is a copy of my common-session from my pam.d config file.  I have  
pam_mkhomedir.so in it.

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session    [default=1]            pam_permit.so
# here's the fallback if no module succeeds
session    requisite            pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session    required            pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional            pam_umask.so
# and here are more per-package modules (the "Additional" block)
session    optional            pam_krb5.so minimum_uid=1000
session      optional      pam_mkhomedir.so
session    required    pam_unix.so 
session    optional            pam_sss.so 
session    optional    pam_systemd.so 
# end of pam-auth-update config


Also, here is the user login from my auth.log.  Yes, Ubuntu has journald now
(I'm just not familiar with how to use it).

Dec 14 15:37:37 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): 
/lib/security/pam_kwallet.so: cannot open shared object file: No such file or 
directory
Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:37 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): 
/lib/security/pam_kwallet5.so: cannot open shared object file: No such file or 
directory
Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet5.so
Dec 14 15:37:37 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): 
requirement "user ingroup nopasswdlogin" not met by user "a_fitte"
Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): (user a_fitte) 
credential verification failed: Server not found in Kerberos database
Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): authentication 
failure; logname=a_fitte uid=0 euid=0 tty=:0 ruser= rhost=
Dec 14 15:37:45 perf-imglab08 lightdm: pam_unix(lightdm:auth): authentication 
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=a_fitte
Dec 14 15:37:51 perf-imglab08 sssd_be: GSSAPI client step 1
Dec 14 15:37:51 perf-imglab08 sssd_be: GSSAPI client step 1
Dec 14 15:37:51 perf-imglab08 lightdm: pam_sss(lightdm:auth): authentication 
success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte
Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm-greeter:session): 
session closed for user lightdm
Dec 14 15:37:51 perf-imglab08 systemd-logind[26777]: Removed session c1.
Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm:session): session 
opened for user a_fitte by (uid=0)
Dec 14 15:37:51 perf-imglab08 systemd-logind[26777]: New session c3 of user 
a_fitte.
Dec 14 15:37:51 perf-imglab08 systemd: pam_unix(systemd-user:session): session 
opened for user a_fitte by (uid=0)
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): 
/lib/security/pam_kwallet.so: cannot open shared object file: No such file or 
directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): 
/lib/security/pam_kwallet5.so: cannot open shared object file: No such file or 
directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet5.so
Dec 14 15:37:52 perf-imglab08 lightdm: pam_unix(lightdm-greeter:session): 
session opened for user lightdm by (uid=0)
Dec 14 15:37:52 perf-imglab08 systemd-logind[26777]: New session c5 of user 
lightdm.
Dec 14 15:37:52 perf-imglab08 systemd: pam_unix(systemd-user:session): session 
opened for user lightdm by (uid=0)
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): 
/lib/security/pam_kwallet.so: cannot open shared object file: No such file or 
directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): 
/lib/security/pam_kwallet5.so: cannot open shared object file: No such file or 
directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet5.so
Dec 14 15:37:52 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): 
requirement "user ingroup nopasswdlogin" not met by user "a_fitte"



Thanks for your help!
Thomas


________________________________________
From: Jakub Hrozek <[email protected]>
Sent: Thursday, December 15, 2016 3:46 AM
To: [email protected]
Subject: [SSSD-users] Re: logging into machine with AD credentials for the 
first time

On Thu, Dec 15, 2016 at 04:22:01AM +0000, Thomas Beaudry wrote:
> Hi,
>
> Sorry, I have a hard time explaining exactly what the problem is in technical
> terms since I'm not sure what they are called.
>
> Essentially, when I power on a machine there is the initial login screen that
> you are prompted with in Ubuntu.  If a user has never logged onto a
> particular machine it doesn't allow them.   However, if I have already ssh'd
> to that machine (via another machine) with the user account, then if I try
> and do the initial login then it works.  Once the user logs in once, I can
> always login afterwards.
>
> Does that make sense?

Yes, I just have a hard time imagining why this would be the case. The
only scenario I can think of is that the Ubuntu login manager's PAM
stack is not configured to create the home directory on that machine
with pam_mkhomedir or similar while ssh's PAM stack is, the ssh login
creates the homedir and then you can log in via GUI as well.

So I would recommend to look into the system's logs (auth.log in Ubuntu
IIRC? Or does Ubuntu have journald already?), or enable debug_level in sssd
logs and check if sssd is indeed failing.
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
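
The hypothesis in the quoted reply (the display manager's PAM stack lacks pam_mkhomedir while sshd's has it) can be checked by resolving each service's session stack, includes and all. This is an added example, not part of the thread: the pam.d files are constructed samples, and the function names pam_session_modules and stack_has_module are made up for this sketch.

```shell
#!/bin/sh
# Added example: list the session modules a PAM service really loads,
# following "@include" lines and "include"/"substack" controls.

# pam_session_modules DIR SERVICE -> one module file name per line
pam_session_modules() {
    _dir=$1
    [ -r "$_dir/$2" ] || return 0
    # Drop comments; collapse bracketed controls such as
    # [success=ok default=bad] into a single token so fields line up.
    sed -e 's/#.*//' -e 's/\[[^]]*\]/[ctl]/' "$_dir/$2" |
    while read -r type control module rest; do
        type=${type#-}              # "-session": missing module is not logged
        case $type in
            @include) pam_session_modules "$_dir" "$control" ;;
            session)
                case $control in
                    include|substack) pam_session_modules "$_dir" "$module" ;;
                    *) [ -n "$module" ] && basename "$module" ;;
                esac ;;
        esac
    done
}

# stack_has_module DIR SERVICE MODULE -> exit 0 if MODULE is in the stack
stack_has_module() {
    pam_session_modules "$1" "$2" | grep -qxF "$3"
}

# Constructed sample tree (not the poster's files): only sshd pulls in
# pam_mkhomedir.so, which is the situation the reply hypothesises.
PAM_DEMO=$(mktemp -d)
printf '%s\n' 'session [default=1] pam_permit.so' \
    'session required pam_unix.so' \
    'session optional pam_sss.so' > "$PAM_DEMO/common-session"
printf '%s\n' '# display manager' \
    '@include common-session' > "$PAM_DEMO/lightdm"
printf '%s\n' '@include common-session' \
    'session optional pam_mkhomedir.so' > "$PAM_DEMO/sshd"

for svc in lightdm sshd; do
    if stack_has_module "$PAM_DEMO" "$svc" pam_mkhomedir.so; then
        echo "$svc: pam_mkhomedir.so present in session stack"
    else
        echo "$svc: pam_mkhomedir.so MISSING from session stack"
    fi
done
```

On a real host, pass /etc/pam.d as DIR and compare the display manager's service name against sshd; a module listed in common-session only counts for a service that actually includes that file.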