On Thu, Dec 15, 2016 at 07:29:14PM +0000, Thomas Beaudry wrote:
> Hi Jakub,
> 
> Here is a copy of my common-session from my pam.d config file.  I have  
> pam_mkhomedir.so in it.
> 
> #
> # /etc/pam.d/common-session - session-related modules common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of modules that define tasks to be performed
> # at the start and end of sessions of *any* kind (both interactive and
> # non-interactive).
> #
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
> # To take advantage of this, it is recommended that you configure any
> # local modules either before or after the default block, and use
> # pam-auth-update to manage selection of other modules.  See
> # pam-auth-update(8) for details.
> 
> # here are the per-package modules (the "Primary" block)
> session    [default=1]            pam_permit.so
> # here's the fallback if no module succeeds
> session    requisite            pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> session    required            pam_permit.so
> # The pam_umask module will set the umask according to the system default in
> # /etc/login.defs and user settings, solving the problem of different
> # umask settings with different shells, display managers, remote sessions etc.
> # See "man pam_umask".
> session optional            pam_umask.so
> # and here are more per-package modules (the "Additional" block)
> session    optional            pam_krb5.so minimum_uid=1000
> session      optional      pam_mkhomedir.so
> session    required    pam_unix.so 
> session    optional            pam_sss.so 
> session    optional    pam_systemd.so 
> # end of pam-auth-update config
> 
> 
> Also, here is the user login from my auth.log.  Yes, Ubuntu has journald 
> now (I'm just not familiar with how to use it).

I think just the output of journalctl -r is OK. Or journalctl -u lightdm.service

> 
> Dec 14 15:37:37 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): 
> /lib/security/pam_kwallet.so: cannot open shared object file: No such file or 
> directory
> Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module: 
> pam_kwallet.so
> Dec 14 15:37:37 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): 
> /lib/security/pam_kwallet5.so: cannot open shared object file: No such file 
> or directory
> Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module: 
> pam_kwallet5.so

Here it looks like your PAM stack references pam_kwallet which is not
installed, but that's not fatal.

> Dec 14 15:37:37 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): 
> requirement "user ingroup nopasswdlogin" not met by user "a_fitte"
> Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): (user a_fitte) 
> credential verification failed: Server not found in Kerberos database
> Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): authentication 
> failure; logname=a_fitte uid=0 euid=0 tty=:0 ruser= rhost=
> Dec 14 15:37:45 perf-imglab08 lightdm: pam_unix(lightdm:auth): authentication 
> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=a_fitte

I wonder why pam_krb5 and pam_sss are used together?

> Dec 14 15:37:51 perf-imglab08 sssd_be: GSSAPI client step 1
> Dec 14 15:37:51 perf-imglab08 sssd_be: GSSAPI client step 1
> Dec 14 15:37:51 perf-imglab08 lightdm: pam_sss(lightdm:auth): authentication 
> success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte

OK, sssd authenticated you.

> Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm-greeter:session): 
> session closed for user lightdm
> Dec 14 15:37:51 perf-imglab08 systemd-logind[26777]: Removed session c1.
> Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm:session): session 
> opened for user a_fitte by (uid=0)
> Dec 14 15:37:51 perf-imglab08 systemd-logind[26777]: New session c3 of user 
> a_fitte.
> Dec 14 15:37:51 perf-imglab08 systemd: pam_unix(systemd-user:session): 
> session opened for user a_fitte by (uid=0)
> Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): 
> /lib/security/pam_kwallet.so: cannot open shared object file: No such file or 
> directory
> Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: 
> pam_kwallet.so
> Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): 
> /lib/security/pam_kwallet5.so: cannot open shared object file: No such file 
> or directory
> Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: 
> pam_kwallet5.so
> Dec 14 15:37:52 perf-imglab08 lightdm: pam_unix(lightdm-greeter:session): 
> session opened for user lightdm by (uid=0)
> Dec 14 15:37:52 perf-imglab08 systemd-logind[26777]: New session c5 of user 
> lightdm.
> Dec 14 15:37:52 perf-imglab08 systemd: pam_unix(systemd-user:session): 
> session opened for user lightdm by (uid=0)
> Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): 
> /lib/security/pam_kwallet.so: cannot open shared object file: No such file or 
> directory
> Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: 
> pam_kwallet.so
> Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): 
> /lib/security/pam_kwallet5.so: cannot open shared object file: No such file 
> or directory
> Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: 
> pam_kwallet5.so
> Dec 14 15:37:52 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): 
> requirement "user ingroup nopasswdlogin" not met by user "a_fitte"

Here is the issue, pam_succeed_if kicks you out. Looks like the user who
tried to log in is not a member of "nopasswdlogin".
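
The log reading done by hand in this message, as an added example that is not part of the original e-mail: it groups PAM lines from auth.log by service, stack type and module so the outcome each module logged for one user can be read in order, and lists modules that failed to load. The sample lines are copied from the quoted log with the e-mail line wraps joined; the `classify` keywords and the function names are assumptions made for this example.

```python
import re

# Lines taken from the auth.log quoted above, with the e-mail line wraps joined.
SAMPLE_LOG = """\
Dec 14 15:37:37 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Dec 14 15:37:37 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "a_fitte"
Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): (user a_fitte) credential verification failed: Server not found in Kerberos database
Dec 14 15:37:45 perf-imglab08 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=a_fitte
Dec 14 15:37:51 perf-imglab08 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte
Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm:session): session opened for user a_fitte by (uid=0)
Dec 14 15:37:52 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "a_fitte"
"""

# "<timestamp> <host> <process>: <module>(<service>:<type>): <message>"
PAM_LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ [^:]+: (pam_\w+)\((\S+?):(\w+)\): (.*)$")
# libpam's own complaint when a module named in the stack cannot be loaded
DLOPEN = re.compile(r"PAM unable to dlopen\((\S+?)\)")

def classify(msg):
    """Map a module message to a coarse outcome (keyword heuristic, an assumption)."""
    low = msg.lower()
    if "success" in low or "session opened" in low:
        return "ok"
    if "fail" in low or "not met" in low:
        return "fail"
    return "info"

def triage(log, user):
    """Return (events, missing): module outcomes mentioning `user`, and unloadable modules."""
    events, missing = [], []
    for line in log.splitlines():
        m = DLOPEN.search(line)
        if m:
            if m.group(1) not in missing:
                missing.append(m.group(1))
            continue
        m = PAM_LINE.match(line)
        if m and user in m.group(5):
            ts, module, service, kind, msg = m.groups()
            events.append((ts, service, kind, module, classify(msg)))
    return events, missing

if __name__ == "__main__":
    events, missing = triage(SAMPLE_LOG, "a_fitte")
    for e in events:
        print("%s  %-8s %-8s %-15s %s" % e)
    print("modules that failed to load:", ", ".join(missing))
```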