On Thu, Dec 15, 2016 at 07:29:14PM +0000, Thomas Beaudry wrote:
> Hi Jakub,
>
> Here is a copy of my common-session from my pam.d config file. I have
> pam_mkhomedir.so in it.
>
> #
> # /etc/pam.d/common-session - session-related modules common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of modules that define tasks to be performed
> # at the start and end of sessions of *any* kind (both interactive and
> # non-interactive).
> #
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
> # To take advantage of this, it is recommended that you configure any
> # local modules either before or after the default block, and use
> # pam-auth-update to manage selection of other modules. See
> # pam-auth-update(8) for details.
>
> # here are the per-package modules (the "Primary" block)
> session [default=1] pam_permit.so
> # here's the fallback if no module succeeds
> session requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> session required pam_permit.so
> # The pam_umask module will set the umask according to the system default in
> # /etc/login.defs and user settings, solving the problem of different
> # umask settings with different shells, display managers, remote sessions etc.
> # See "man pam_umask".
> session optional pam_umask.so
> # and here are more per-package modules (the "Additional" block)
> session optional pam_krb5.so minimum_uid=1000
> session optional pam_mkhomedir.so
> session required pam_unix.so
> session optional pam_sss.so
> session optional pam_systemd.so
> # end of pam-auth-update config
>
>
> Also, here is the user login from my auth.log. Yes, Ubuntu has journald
> now (I'm just not familiar with how to use it).

I think just the output of journalctl -r is OK. Or journalctl -u lightdm.service

> Dec 14 15:37:37 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so):
> /lib/security/pam_kwallet.so: cannot open shared object file: No such file or
> directory
> Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module:
> pam_kwallet.so
> Dec 14 15:37:37 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so):
> /lib/security/pam_kwallet5.so: cannot open shared object file: No such file
> or directory
> Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module:
> pam_kwallet5.so

Here it looks like your PAM stack references pam_kwallet, which is not installed, but that's not fatal.

> Dec 14 15:37:37 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth):
> requirement "user ingroup nopasswdlogin" not met by user "a_fitte"
> Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): (user a_fitte)
> credential verification failed: Server not found in Kerberos database
> Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): authentication
> failure; logname=a_fitte uid=0 euid=0 tty=:0 ruser= rhost=
> Dec 14 15:37:45 perf-imglab08 lightdm: pam_unix(lightdm:auth): authentication
> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte

I wonder why pam_krb5 and pam_sss are used together?

> Dec 14 15:37:51 perf-imglab08 sssd_be: GSSAPI client step 1
> Dec 14 15:37:51 perf-imglab08 sssd_be: GSSAPI client step 1
> Dec 14 15:37:51 perf-imglab08 lightdm: pam_sss(lightdm:auth): authentication
> success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte

OK, sssd authenticated you.

> Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm-greeter:session):
> session closed for user lightdm
> Dec 14 15:37:51 perf-imglab08 systemd-logind[26777]: Removed session c1.
> Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm:session): session
> opened for user a_fitte by (uid=0)
> Dec 14 15:37:51 perf-imglab08 systemd-logind[26777]: New session c3 of user
> a_fitte.
> Dec 14 15:37:51 perf-imglab08 systemd: pam_unix(systemd-user:session):
> session opened for user a_fitte by (uid=0)
> Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so):
> /lib/security/pam_kwallet.so: cannot open shared object file: No such file or
> directory
> Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module:
> pam_kwallet.so
> Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so):
> /lib/security/pam_kwallet5.so: cannot open shared object file: No such file
> or directory
> Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module:
> pam_kwallet5.so
> Dec 14 15:37:52 perf-imglab08 lightdm: pam_unix(lightdm-greeter:session):
> session opened for user lightdm by (uid=0)
> Dec 14 15:37:52 perf-imglab08 systemd-logind[26777]: New session c5 of user
> lightdm.
> Dec 14 15:37:52 perf-imglab08 systemd: pam_unix(systemd-user:session):
> session opened for user lightdm by (uid=0)
> Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so):
> /lib/security/pam_kwallet.so: cannot open shared object file: No such file or
> directory
> Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module:
> pam_kwallet.so
> Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so):
> /lib/security/pam_kwallet5.so: cannot open shared object file: No such file
> or directory
> Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module:
> pam_kwallet5.so
> Dec 14 15:37:52 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth):
> requirement "user ingroup nopasswdlogin" not met by user "a_fitte"

Here is the issue, pam_succeed_if kicks you out. Looks like the user who tried to log in is not a member of "nopasswdlogin".
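Added example, not part of the original message: a small Python triage script that lists PAM modules that failed to load and tabulates, per user, what each PAM module logged, for records shaped like the ones quoted above. The sample lines are the message's own records with the mail wrapping undone; the function names, regular expressions and verdict labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: records from the message above, with the mail client's
# line wrapping undone so that each syslog record sits on one line.
SAMPLE = """\
Dec 14 15:37:37 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Dec 14 15:37:37 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "a_fitte"
Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): authentication failure; logname=a_fitte uid=0 euid=0 tty=:0 ruser= rhost=
Dec 14 15:37:45 perf-imglab08 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte
Dec 14 15:37:51 perf-imglab08 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte
Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm:session): session opened for user a_fitte by (uid=0)
""".splitlines()

DLOPEN = re.compile(r"PAM unable to dlopen\((pam_[\w.]+)\)")
MODULE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ [^:]+: (pam_\w+)\(([^:)]+):(\w+)\): (.*)$")
# The last user=/logname= token on a line is taken as the account logging in
# (heuristic: an earlier hit can be part of a pam_succeed_if condition).
USER = re.compile(r'\b(?:user|logname)[= ]"?([\w.@-]+)')
VERDICTS = [("authentication success", "success"), ("authentication failure", "failure"),
            ("not met", "not met"), ("session opened", "session opened"),
            ("session closed", "session closed")]

def classify(text):
    """Map a module's free-text message to a short verdict label."""
    return next((v for needle, v in VERDICTS if needle in text), "other")

def summarize(lines):
    """Return (modules that failed to load, {user: [(time, module, phase, verdict)]})."""
    missing, per_user = set(), defaultdict(list)
    for line in lines:
        if (m := DLOPEN.search(line)):
            missing.add(m.group(1))
        elif (m := MODULE.match(line)):
            when, module, _service, phase, text = m.groups()
            users = USER.findall(text)
            per_user[users[-1] if users else "?"].append((when, module, phase, classify(text)))
    return missing, dict(per_user)

if __name__ == "__main__":
    missing, per_user = summarize(SAMPLE)
    print("modules that failed to load:", sorted(missing))
    for user, events in per_user.items():
        for event in events:
            print(user, *event)
```

Feed it unwrapped records, for example from /var/log/auth.log or journalctl output, to see in one place the order in which each module in the stack reported for a given login.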
