Hi Jakub,

Here is a copy of my common-session from my pam.d config file. I have pam_mkhomedir.so in it.

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session optional pam_krb5.so minimum_uid=1000
session optional pam_mkhomedir.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
# end of pam-auth-update config

Also, here is the user login from my auth.log. Yes, Ubuntu has journald now (I'm just not familiar with how to use it).

Dec 14 15:37:37 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:37 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet5.so
Dec 14 15:37:37 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "a_fitte"
Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): (user a_fitte) credential verification failed: Server not found in Kerberos database
Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): authentication failure; logname=a_fitte uid=0 euid=0 tty=:0 ruser= rhost=
Dec 14 15:37:45 perf-imglab08 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte
Dec 14 15:37:51 perf-imglab08 sssd_be: GSSAPI client step 1
Dec 14 15:37:51 perf-imglab08 sssd_be: GSSAPI client step 1
Dec 14 15:37:51 perf-imglab08 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte
Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Dec 14 15:37:51 perf-imglab08 systemd-logind[26777]: Removed session c1.
Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm:session): session opened for user a_fitte by (uid=0)
Dec 14 15:37:51 perf-imglab08 systemd-logind[26777]: New session c3 of user a_fitte.
Dec 14 15:37:51 perf-imglab08 systemd: pam_unix(systemd-user:session): session opened for user a_fitte by (uid=0)
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet5.so
Dec 14 15:37:52 perf-imglab08 lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Dec 14 15:37:52 perf-imglab08 systemd-logind[26777]: New session c5 of user lightdm.
Dec 14 15:37:52 perf-imglab08 systemd: pam_unix(systemd-user:session): session opened for user lightdm by (uid=0)
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet5.so
Dec 14 15:37:52 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "a_fitte"

Thanks for your help!

Thomas

________________________________________
From: Jakub Hrozek <[email protected]>
Sent: Thursday, December 15, 2016 3:46 AM
To: [email protected]
Subject: [SSSD-users] Re: logging into machine with AD credentials for the first time

On Thu, Dec 15, 2016 at 04:22:01AM +0000, Thomas Beaudry wrote:
> Hi,
>
> Sorry I have a hard time explaining exactly what the problem is in technical
> terms since I'm not sure what they are called.
>
> Essentially, when I power on a machine there is the initial login screen that
> you are prompted with in Ubuntu. If a user has never logged onto a
> particular machine it doesn't allow them. However, if I have already ssh'd
> to that machine (via another machine) with the user account, then if I try
> and do the initial login then it works. Once the user logs in once, I can
> always login afterwards.
>
> Does that make sense?

Yes, I just have a hard time imagining why this would be the case. The only scenario I can think of is that the Ubuntu login manager's PAM stack is not configured to create the home directory on that machine with pam_mkhomedir or similar while ssh's PAM stack is; the ssh login creates the homedir and then you can log in via GUI as well.

So I would recommend to look into the system's logs (auth.log in Ubuntu IIRC? Or does Ubuntu have journald already?), or enable debug_level in sssd logs and check if sssd is indeed failing.
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
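
The scenario Jakub describes (the login manager's PAM stack lacking pam_mkhomedir while ssh's has it) can be checked by resolving each service's session stack, includes followed. This is an added example, not part of the original thread; the function names and the sample pam.d tree are constructed for illustration.

```python
import os
import re
import tempfile

# "session optional pam_mkhomedir.so [args]" or "session [default=1] pam_permit.so";
# a leading "-" only suppresses the log message when the module is missing.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")

def session_modules(pam_dir, service, _seen=None):
    """Return the session modules a service runs, following includes."""
    seen = _seen if _seen is not None else set()
    path = os.path.join(pam_dir, service)
    if service in seen or not os.path.isfile(path):
        return []                      # include loop or missing file
    seen.add(service)
    modules = []
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()   # drop comments
            if line.startswith("@include"):
                modules += session_modules(pam_dir, line.split()[1], seen)
                continue
            m = RULE.match(line)
            if not m or m.group(1) != "session":
                continue
            if m.group(2) in ("include", "substack"):
                modules += session_modules(pam_dir, m.group(3), seen)
            else:
                modules.append(os.path.basename(m.group(3)))
    return modules

def services_missing(pam_dir, services, module="pam_mkhomedir.so"):
    """Services whose resolved session stack never calls `module`."""
    return [s for s in services if module not in session_modules(pam_dir, s)]

def demo():
    """Constructed pam.d tree (not the poster's files): sshd pulls in
    common-session, lightdm carries its own session lines."""
    files = {
        "common-session": "session required pam_unix.so\n"
                          "session optional pam_mkhomedir.so\n",
        "sshd": "auth required pam_unix.so\n@include common-session\n",
        "lightdm": "session required pam_unix.so\n"
                   "session optional pam_sss.so  # no mkhomedir\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        return services_missing(d, ["sshd", "lightdm"])

if __name__ == "__main__":
    print(demo())
```

On a real host the same check is `services_missing("/etc/pam.d", ["sshd", "lightdm"])`; an empty list means both stacks reach pam_mkhomedir.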
