On (18/08/17 18:58), Louis Garcia wrote:
>On Fri, Aug 18, 2017 at 5:03 PM, Lukas Slebodnik <[email protected]> wrote:
>
>> On (18/08/17 15:37), Louis Garcia wrote:
>> >On Fri, Aug 18, 2017 at 12:54 PM, Louis Garcia <[email protected]> wrote:
>> >
>> >> On Fri, Aug 18, 2017 at 12:24 PM, Louis Garcia <[email protected]> wrote:
>> >>
>> >>> On Fri, Aug 18, 2017 at 11:58 AM, Louis Garcia <[email protected]> wrote:
>> >>>
>> >>>> On Fri, Aug 18, 2017 at 4:08 AM, Jakub Hrozek <[email protected]> wrote:
>> >>>>
>> >>>>> On Fri, Aug 18, 2017 at 08:42:34AM +0200, Lukas Slebodnik wrote:
>> >>>>> > On (17/08/17 12:38), Louis Garcia wrote:
>> >>>>> > >Sorry to mail you directly but I think the sssd user mailing list is
>> >>>>> > >not accepting my emails. I replied twice to this thread yesterday and
>> >>>>> > >both bounced.
>> >>>>> > >
>> >>>>> >
>> >>>>> > I have no idea why you have problems sending mails there.
>> >>>>>
>> >>>>> Sorry, this is partially my fault. I should be watching the moderation
>> >>>>> queue, but lately we've been getting so much spam (sometimes one spam
>> >>>>> attempt per hour) that I overlooked your e-mail.
>> >>>>>
>> >>>>> You can subscribe to the list and then your messages will go right to
>> >>>>> the list w/o the moderation queue!
>> >>>>>
>> >>>>
>> >>>> [email protected]
>> >>>> Aug 15 (3 days ago)
>> >>>> to me
>> >>>> Welcome to the "sssd-users" mailing list!
>> >>>>
>> >>>
>> >>> I subscribed here: https://lists.fedorahosted.org/admin/lists/sssd-users.lists.fedorahosted.org/
>> >>> and I receive all emails from the list but I don't have a user account.
>> >>> How do I properly subscribe?
>> >>>
>> >>
>> >> I test by logging out of gnome and logging back in. After I open a terminal
>> >> and run klist
>> >>
>> >> klist: Credentials cache keyring 'persistent:1000:1000' not found
>> >>
>> >> Then I need to kinit and if I klist again
>> >>
>> >> Ticket cache: KEYRING:persistent:1000:1000
>> >> Default principal: [email protected]
>> >>
>> >> Valid starting       Expires              Service principal
>> >> 08/18/2017 12:33:50  08/19/2017 12:33:33  krbtgt/MONTCLAIRE.LOCAL@MONTCLAIRE.LOCAL
>> >>
>> >> after that I can ssh and mount nfs4 krb5p. I want to receive my ticket
>> >> when I log in.
>> >>
>> >> I am not sure how to search journald. I used 'journalctl -u pam' with no
>> >> effect
>> >>
>> IMHO the simplest would be the following command.
>> journalctl --since=-30min | grep pam_
>>
>> >> #cat /etc/pam.d/system-auth
>> >> #%PAM-1.0
>> >> # This file is auto-generated.
>> >> # User changes will be destroyed the next time authconfig is run.
>> >> auth        required      pam_env.so
>> >> auth        required      pam_faildelay.so delay=2000000
>> >> auth        sufficient    pam_fprintd.so
>> >> auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
>> >> auth        [default=1 ignore=ignore success=ok] pam_localuser.so
>> >> auth        sufficient    pam_unix.so nullok try_first_pass
>> >> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
>> >> auth        sufficient    pam_sss.so forward_pass
>> >> auth        required      pam_deny.so
>> >>
>> >> account     required      pam_unix.so
>> >> account     sufficient    pam_localuser.so
>> >> account     sufficient    pam_succeed_if.so uid < 1000 quiet
>> >> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
>> >> account     required      pam_permit.so
>> >>
>> >> password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
>> >> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
>> >> password    sufficient    pam_sss.so use_authtok
>> >> password    required      pam_deny.so
>> >>
>> >> session     optional      pam_keyinit.so revoke
>> >> session     required      pam_limits.so
>> >> -session    optional      pam_systemd.so
>> >> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> >> session     required      pam_unix.so
>> >> session     optional      pam_sss.so
>> >>
>> >> # cat /etc/pam.d/password-auth
>> >> #%PAM-1.0
>> >> # This file is auto-generated.
>> >> # User changes will be destroyed the next time authconfig is run.
>> >> auth        required      pam_env.so
>> >> auth        required      pam_faildelay.so delay=2000000
>> >> auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
>> >> auth        [default=1 ignore=ignore success=ok] pam_localuser.so
>> >> auth        sufficient    pam_unix.so nullok try_first_pass
>> >> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
>> >> auth        sufficient    pam_sss.so forward_pass
>> >> auth        required      pam_deny.so
>> >>
>> >> account     required      pam_unix.so
>> >> account     sufficient    pam_localuser.so
>> >> account     sufficient    pam_succeed_if.so uid < 1000 quiet
>> >> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
>> >> account     required      pam_permit.so
>> >>
>> >> password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
>> >> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
>> >> password    sufficient    pam_sss.so use_authtok
>> >> password    required      pam_deny.so
>> >>
>> >> session     optional      pam_keyinit.so revoke
>> >> session     required      pam_limits.so
>> >> -session    optional      pam_systemd.so
>> >> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> >> session     required      pam_unix.so
>> >> session     optional      pam_sss.so
>> >>
>> >>
>> >do I need to login to gdm with my domain realm? [email protected]
>> >??
>> It should not be related to your issue. But realm is usually uppercase.
>>
>> uppercase doesn't work either.
>
>
>> You use id_provider files + auth_provider krb5.
>>
>If I remove id_provider files and auth_provider krb5 is not working I will
>be locked out?
>If I switch the domains will sssd search krb5 first?
>
> [domain/files]
> auth_provider = krb5
> id_provider = files
>
>I assume that local user still has a local password.

Changing the order of lines does not change anything.

>> Is local password (in /etc/shadow) the same as you have for kerberos (passed
>> to kinit)?
>>
>> I have a local user/passwd that is the same for kerberos, this is how I
>login now. I believe there is a bug for this.
>https://bugzilla.redhat.com/show_bug.cgi?id=1429843
>

That BZ used a totally different configuration and I already wrote it in the
ticket. You cannot hit this bug.

>If I delete the passwd from the local box my account will not show up in
>gdm login screen.
>Yes I have tried this and could not login going through 'not listed?'. I
>would rather get sssd working before I remove the local account.
>

I am not familiar with gdm but I assume you can manually type user there.
And if gdm does not remember manually typed user next time then it sounds
like a bug in gdm.

LS
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
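As an added illustration (not code from the thread, from sssd or from Linux-PAM), here is a simplified model of how Linux-PAM walks the 'auth' stack of the system-auth quoted above. The per-module outcomes are assumptions fed in through a constructed user dict; it shows that when pam_unix.so accepts the same password the stack stops at that 'sufficient' line and pam_sss.so is never invoked, which is why no Kerberos ticket appears at login.

```python
import re
# Constructed: the 'auth' lines of the poster's system-auth, copied verbatim.
SYSTEM_AUTH = """\
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""
# Keyword controls as the [value=action] tables in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}
def module_result(mod, user):
    """Assumed per-module outcome for a constructed user; real modules consult /etc/shadow, the KDC etc."""
    return {  # both pam_succeed_if lines in this stack test uid >= 1000
        "pam_succeed_if.so": "success" if user["uid"] >= 1000 else "auth_err",
        "pam_localuser.so": "success" if user["in_passwd"] else "user_unknown",
        "pam_unix.so": "success" if user["local_pw_ok"] else "auth_err",
        "pam_sss.so": "success" if user["krb5_pw_ok"] else "auth_err",
        "pam_env.so": "success", "pam_faildelay.so": "ignore",
    }.get(mod, "auth_err")  # pam_fprintd (nothing enrolled) and pam_deny fail

def run_auth(stack, user):
    """Simplified Linux-PAM dispatch: returns (overall status, modules invoked)."""
    mods = [re.match(r"auth\s+(\[[^\]]*\]|\w+)\s+(\S+)", l).groups() for l in stack.splitlines()]
    status, called, i = None, [], 0
    while i < len(mods):
        ctl, mod = mods[i]
        ctl = (dict(kv.split("=") for kv in ctl.strip("[]").split())
               if ctl.startswith("[") else KEYWORDS[ctl])
        ret = module_result(mod, user)
        called.append(mod)
        action = ctl.get(ret, ctl.get("default", "ignore"))
        if action.isdigit():              # jump: skip N modules, status untouched
            i += int(action)
        elif action in ("ok", "done", "bad", "die") and status in (None, "success"):
            status = ret                  # first failure wins; later successes never override
        if (action == "done" and status == "success") or action == "die":
            break                         # a 'sufficient' success ends the stack right here
        i += 1
    return status or "auth_err", called
```

Calling run_auth with local_pw_ok set to False shows pam_sss.so being reached; that is the situation Lukas's question about the local password is probing.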
