On Fri, Aug 18, 2017 at 5:03 PM, Lukas Slebodnik <[email protected]> wrote:
> On (18/08/17 15:37), Louis Garcia wrote:
> >On Fri, Aug 18, 2017 at 12:54 PM, Louis Garcia <[email protected]> wrote:
> >
> >> On Fri, Aug 18, 2017 at 12:24 PM, Louis Garcia <[email protected]> wrote:
> >>
> >>> On Fri, Aug 18, 2017 at 11:58 AM, Louis Garcia <[email protected]> wrote:
> >>>
> >>>> On Fri, Aug 18, 2017 at 4:08 AM, Jakub Hrozek <[email protected]> wrote:
> >>>>
> >>>>> On Fri, Aug 18, 2017 at 08:42:34AM +0200, Lukas Slebodnik wrote:
> >>>>> > On (17/08/17 12:38), Louis Garcia wrote:
> >>>>> > >Sorry to mail you directly but I think the sssd user mailing list is not
> >>>>> > >accepting my emails. I replied twice to this thread yesterday and both
> >>>>> > >bounced.
> >>>>> > >
> >>>>> >
> >>>>> > I have no idea why you have problems sending mails there.
> >>>>>
> >>>>> Sorry, this is partially my fault. I should be watching the moderation
> >>>>> queue, but lately we've been getting so much spam (sometimes one spam
> >>>>> attempt per hour) that I overlooked your e-mail.
> >>>>>
> >>>>> You can subscribe to the list and then your messages will go right to
> >>>>> the list w/o the moderation queue!
> >>>>>
> >>>>
> >>>> [email protected]
> >>>> Aug 15 (3 days ago)
> >>>>
> >>>> to me
> >>>> Welcome to the "sssd-users" mailing list!
> >>>>
> >>>
> >>> I subscribed here: https://lists.fedorahosted.org/admin/lists/sssd-users.lists.fedorahosted.org/
> >>> and I receive all emails from the list but I don't have a user account.
> >>> How do I properly subscribe?
> >>>
> >>>
> >> I test by logging out of gnome and logging back in. After I open a terminal
> >> and run klist
> >>
> >> klist: Credentials cache keyring 'persistent:1000:1000' not found
> >>
> >> Then I need to kinit and if I klist again
> >>
> >> Ticket cache: KEYRING:persistent:1000:1000
> >> Default principal: [email protected]
> >>
> >> Valid starting       Expires              Service principal
> >> 08/18/2017 12:33:50  08/19/2017 12:33:33  krbtgt/[email protected]
> >>
> >>
> >> after that I can ssh and mount nfs4 krb5p. I want to receive my ticket
> >> when I log in.
> >>
> >> I am not sure how to search journald. I used 'journalctl -u pam' with no
> >> effect
> >>
> IMHO the simplest would be the following command.
> journalctl --since=-30min | grep pam_
>
> >> #cat /etc/pam.d/system-auth
> >> #%PAM-1.0
> >> # This file is auto-generated.
> >> # User changes will be destroyed the next time authconfig is run.
> >> auth        required      pam_env.so
> >> auth        required      pam_faildelay.so delay=2000000
> >> auth        sufficient    pam_fprintd.so
> >> auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> >> auth        [default=1 ignore=ignore success=ok] pam_localuser.so
> >> auth        sufficient    pam_unix.so nullok try_first_pass
> >> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> >> auth        sufficient    pam_sss.so forward_pass
> >> auth        required      pam_deny.so
> >>
> >> account     required      pam_unix.so
> >> account     sufficient    pam_localuser.so
> >> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> >> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> >> account     required      pam_permit.so
> >>
> >> password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
> >> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> >> password    sufficient    pam_sss.so use_authtok
> >> password    required      pam_deny.so
> >>
> >> session     optional      pam_keyinit.so revoke
> >> session     required      pam_limits.so
> >> -session    optional      pam_systemd.so
> >> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> >> session     required      pam_unix.so
> >> session     optional      pam_sss.so
> >>
> >> # cat /etc/pam.d/password-auth
> >> #%PAM-1.0
> >> # This file is auto-generated.
> >> # User changes will be destroyed the next time authconfig is run.
> >> auth        required      pam_env.so
> >> auth        required      pam_faildelay.so delay=2000000
> >> auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> >> auth        [default=1 ignore=ignore success=ok] pam_localuser.so
> >> auth        sufficient    pam_unix.so nullok try_first_pass
> >> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> >> auth        sufficient    pam_sss.so forward_pass
> >> auth        required      pam_deny.so
> >>
> >> account     required      pam_unix.so
> >> account     sufficient    pam_localuser.so
> >> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> >> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> >> account     required      pam_permit.so
> >>
> >> password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
> >> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> >> password    sufficient    pam_sss.so use_authtok
> >> password    required      pam_deny.so
> >>
> >> session     optional      pam_keyinit.so revoke
> >> session     required      pam_limits.so
> >> -session    optional      pam_systemd.so
> >> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> >> session     required      pam_unix.so
> >> session     optional      pam_sss.so
> >>
> >>
> >do I need to login to gdm with my domain realm? [email protected]
> >??
> It should not be related to your issue. But realm is usually uppercase.
>

uppercase doesn't work either.

> You use id_provider files + auth_provider krb5.
>

If I remove id_provider files and auth_provider krb5 is not working, will I be locked out? If I switch the domains will sssd search krb5 first?

> [domain/files]
> auth_provider = krb5
> id_provider = files
>
> I assume that local user still has a local password.
> Is local password (in /etc/shadow) the same as you have for kerberos (passed to
> kinit)?
>

I have a local user/passwd that is the same for kerberos; this is how I log in now. I believe there is a bug for this: https://bugzilla.redhat.com/show_bug.cgi?id=1429843 If I delete the passwd from the local box my account will not show up in the gdm login screen. Yes, I have tried this and could not log in going through 'not listed?'. I would rather get sssd working before I remove the local account.

> BTW if you still have local password then you will be able to login
> with both passwords. But only logging in with krb5 password will obtain a ticket for
> you. Otherwise pam_unix will be used and not pam_sss.
>
> If you have root password then you can delete local password with
> passwd --delete $local_user.
> So you will not use local password by mistake for login.
>
> LS
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

#journalctl --since=-30min | grep pam_
Aug 18 18:32:34 kitten.montclaire.local gdm-password][5376]: pam_unix(gdm-password:session): session closed for user louisgtwo
Aug 18 18:32:34 kitten.montclaire.local audit[5376]: USER_END pid=5376 uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss,pam_gnome_keyring acct="louisgtwo" exe="/usr/libexec/gdm-session-worker" hostname=kitten.montclaire.local addr=? terminal=/dev/tty2 res=success'
Aug 18 18:32:34 kitten.montclaire.local audit[5376]: CRED_DISP pid=5376 uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix,pam_gnome_keyring acct="louisgtwo" exe="/usr/libexec/gdm-session-worker" hostname=kitten.montclaire.local addr=? terminal=/dev/tty2 res=success'
Aug 18 18:33:14 kitten.montclaire.local gdm-password][8494]: pam_unix(gdm-password:auth): check pass; user unknown
Aug 18 18:33:14 kitten.montclaire.local gdm-password][8494]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Aug 18 18:33:27 kitten.montclaire.local gdm-password][8501]: pam_unix(gdm-password:auth): check pass; user unknown
Aug 18 18:33:27 kitten.montclaire.local gdm-password][8501]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Aug 18 18:33:39 kitten.montclaire.local audit[8505]: USER_AUTH pid=8505 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_localuser,pam_unix,pam_gnome_keyring acct="louisgtwo" exe="/usr/libexec/gdm-session-worker" hostname=kitten.montclaire.local addr=? terminal=/dev/tty1 res=success'
Aug 18 18:33:39 kitten.montclaire.local audit[8505]: USER_ACCT pid=8505 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="louisgtwo" exe="/usr/libexec/gdm-session-worker" hostname=kitten.montclaire.local addr=? terminal=/dev/tty1 res=success'
Aug 18 18:33:39 kitten.montclaire.local audit[8505]: CRED_ACQ pid=8505 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix,pam_gnome_keyring acct="louisgtwo" exe="/usr/libexec/gdm-session-worker" hostname=kitten.montclaire.local addr=? terminal=/dev/tty1 res=success'
Aug 18 18:33:39 kitten.montclaire.local audit[8512]: USER_ACCT pid=8512 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="louisgtwo" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 18 18:33:39 kitten.montclaire.local systemd[8512]: pam_unix(systemd-user:session): session opened for user louisgtwo by (uid=0)
Aug 18 18:33:39 kitten.montclaire.local audit[8512]: USER_START pid=8512 uid=0 auid=1000 ses=7 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss acct="louisgtwo" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 18 18:33:40 kitten.montclaire.local gdm-password][8505]: pam_unix(gdm-password:session): session opened for user louisgtwo by louisgtwo(uid=0)
Aug 18 18:33:40 kitten.montclaire.local audit[8505]: USER_START pid=8505 uid=0 auid=1000 ses=6 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss,pam_gnome_keyring acct="louisgtwo" exe="/usr/libexec/gdm-session-worker" hostname=kitten.montclaire.local addr=? terminal=/dev/tty2 res=success'
Aug 18 18:34:21 kitten.montclaire.local audit[9330]: USER_AUTH pid=9330 uid=1000 auid=1000 ses=7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=kitten.montclaire.local addr=? terminal=pts/0 res=success'
Aug 18 18:34:21 kitten.montclaire.local audit[9330]: USER_ACCT pid=9330 uid=1000 auid=1000 ses=7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/su" hostname=kitten.montclaire.local addr=? terminal=pts/0 res=success'
Aug 18 18:34:21 kitten.montclaire.local audit[9330]: CRED_ACQ pid=9330 uid=1000 auid=1000 ses=7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=kitten.montclaire.local addr=? terminal=pts/0 res=success'
Aug 18 18:34:21 kitten.montclaire.local su[9330]: pam_systemd(su:session): Cannot create session: Already occupied by a session
Aug 18 18:34:21 kitten.montclaire.local su[9330]: pam_unix(su:session): session opened for user root by (uid=1000)
Aug 18 18:34:21 kitten.montclaire.local audit[9330]: USER_START pid=9330 uid=1000 auid=1000 ses=7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/su" hostname=kitten.montclaire.local addr=? terminal=pts/0 res=success'
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
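A small checker for audit lines like the ones in the thread, added here as an example and not part of any post: it parses USER_AUTH events and reports which PAM module granted authentication, the grantors= list that Lukas's grep surfaces. When pam_unix (sufficient) grants the gdm login, the stack stops before pam_sss, so no Kerberos ticket is stored; a login granted by pam_sss is the case where auth_provider = krb5 obtains one. The sample lines, host name and account names are constructed placeholders.

```python
import re

# Constructed sample audit lines in the journalctl format shown in the thread.
# Host name and account names are placeholders, not real data.
SAMPLE_LOG = """\
Aug 18 18:33:39 host.example.test audit[8505]: USER_AUTH pid=8505 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_localuser,pam_unix,pam_gnome_keyring acct="alice" exe="/usr/libexec/gdm-session-worker" hostname=host.example.test addr=? terminal=/dev/tty1 res=success'
Aug 18 18:40:02 host.example.test audit[8700]: USER_AUTH pid=8700 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_sss acct="bob" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
Aug 18 18:41:10 host.example.test audit[8710]: USER_AUTH pid=8710 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="carol" exe="/usr/libexec/gdm-session-worker" hostname=host.example.test addr=? terminal=/dev/tty1 res=failed'
"""

# Pull the grantors list, account, calling program and result out of a USER_AUTH event.
AUTH_RE = re.compile(
    r'USER_AUTH .*?grantors=(?P<grantors>\S+) acct="(?P<acct>[^"]+)" '
    r'exe="(?P<exe>[^"]+)".*?res=(?P<res>\w+)'
)


def parse_user_auth(line):
    """Return a dict for a USER_AUTH line, or None for any other journal line."""
    m = AUTH_RE.search(line)
    if m is None:
        return None
    raw = m.group("grantors")
    grantors = [] if raw == "?" else raw.split(",")   # auditd writes '?' when no module granted
    return {"acct": m.group("acct"), "exe": m.group("exe"),
            "res": m.group("res"), "grantors": grantors}


def classify(event):
    """Which module satisfied the auth stack; this decides whether a krb5 ticket was obtained."""
    if event["res"] != "success":
        return "failed"
    if "pam_sss" in event["grantors"]:
        return "sssd"    # pam_sss granted: with auth_provider = krb5 a ticket is stored
    if "pam_unix" in event["grantors"]:
        return "local"   # pam_unix (sufficient) short-circuited the stack; pam_sss never ran
    return "other"


def audit_logins(log_text):
    """Map (account, program) -> classification for every USER_AUTH line in the text."""
    results = {}
    for line in log_text.splitlines():
        event = parse_user_auth(line)
        if event is not None:
            results[(event["acct"], event["exe"])] = classify(event)
    return results
```

Run it as `audit_logins(open("/path/to/journal-dump.txt").read())` against the output of the journalctl command above; any gdm entry classified as "local" is a session that will show the "Credentials cache keyring ... not found" symptom from the thread.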
