On (18/08/17 15:37), Louis Garcia wrote:
On Fri, Aug 18, 2017 at 12:54 PM, Louis Garcia louisgtwo@gmail.com wrote:
On Fri, Aug 18, 2017 at 12:24 PM, Louis Garcia louisgtwo@gmail.com wrote:
On Fri, Aug 18, 2017 at 11:58 AM, Louis Garcia louisgtwo@gmail.com wrote:
On Fri, Aug 18, 2017 at 4:08 AM, Jakub Hrozek jhrozek@redhat.com wrote:
On Fri, Aug 18, 2017 at 08:42:34AM +0200, Lukas Slebodnik wrote:
On (17/08/17 12:38), Louis Garcia wrote:
>Sorry to mail you directly but I think the sssd user mailing list is not
>accepting my emails. I replied twice to this thread yesterday and both
>bounced.
I have no idea why you have problems sending mails there.
Sorry, this is partially my fault. I should be watching the moderation queue, but lately we've been getting so much spam (sometimes one spam attempt per hour) that I overlooked your e-mail.
You can subscribe to the list and then your messages will go right to the list w/o the moderation queue!
sssd-users-request@lists.fedorahosted.org    Aug 15 (3 days ago)
to me
Welcome to the "sssd-users" mailing list!

I subscribed here: https://lists.fedorahosted.org/admin/lists/sssd-users.lists.fedorahosted.org/ and I receive all emails from the list but I don't have a user account. How do I properly subscribe?
I test by logging out of gnome and logging back in. After that I open a terminal and run klist:

klist: Credentials cache keyring 'persistent:1000:1000' not found

Then I need to kinit, and if I klist again:

Ticket cache: KEYRING:persistent:1000:1000
Default principal: louisgtwo@MONTCLAIRE.LOCAL

Valid starting       Expires              Service principal
08/18/2017 12:33:50  08/19/2017 12:33:33  krbtgt/MONTCLAIRE.LOCAL@MONTCLAIRE.LOCAL

After that I can ssh and mount nfs4 with krb5p. I want to receive my ticket when I log in.
I am not sure how to search journald. I used 'journalctl -u pam' with no effect.

IMHO the simplest would be the following command:

journalctl --since=-30min | grep pam_
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_fprintd.so
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Do I need to log in to gdm with my domain realm? louisgtwo@montclaire.local ??
It should not be related to your issue. But the realm is usually uppercase.

You use id_provider files + auth_provider krb5. I assume that the local user still has a local password. Is the local password (in /etc/shadow) the same as the one you have for Kerberos (passed to kinit)?

BTW if you still have a local password then you will be able to log in with both passwords. But only logging in with the krb5 password will obtain a ticket for you; otherwise pam_unix will be used and not pam_sss.

If you have the root password then you can delete the local password with passwd --delete $local_user, so you will not use the local password by mistake for login.
LS
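An added example, not code from the thread or from SSSD: a toy Python model of the Linux-PAM control-flag rules applied to the auth stack posted above, to show which module answers the login and whether pam_sss, the module that obtains the ticket, ever runs. The user record and passwords are constructed, pam_unix's handling of an emptied password field follows the nullok description in pam_unix(8), and modules that do not decide the outcome here are omitted.

```python
# Toy model of Linux-PAM control flags over the posted "auth" stack (constructed example).
# Action tables as pam.d(5) expands them; SKIP1 is "[default=1 ignore=ignore success=ok]".
REQUIRED   = {"success": "ok", "ignore": "ignore", "default": "bad"}
REQUISITE  = {"success": "ok", "ignore": "ignore", "default": "die"}
SUFFICIENT = {"success": "done", "default": "ignore"}
SKIP1      = {"success": "ok", "ignore": "ignore", "default": 1}
# (control, module, args) from system-auth; pam_env, pam_faildelay and pam_fprintd omitted.
AUTH_STACK = [
    (SKIP1, "pam_succeed_if.so", "uid >= 1000 quiet"),
    (SKIP1, "pam_localuser.so", ""),
    (SUFFICIENT, "pam_unix.so", "nullok try_first_pass"),
    (REQUISITE, "pam_succeed_if.so", "uid >= 1000 quiet_success"),
    (SUFFICIENT, "pam_sss.so", "forward_pass"),
    (REQUIRED, "pam_deny.so", ""),
]

def run_module(module, args, user, typed):
    """Modelled module results; a plaintext value stands in for the shadow hash."""
    if module == "pam_succeed_if.so":        # only 'uid >= 1000' is used here
        return "success" if user["uid"] >= 1000 else "auth_err"
    if module == "pam_localuser.so":
        return "success" if user["in_passwd"] else "auth_err"
    if module == "pam_unix.so":
        if user["local_password"] == "":     # field emptied by passwd --delete
            return "success" if "nullok" in args and typed == "" else "auth_err"
        return "success" if typed == user["local_password"] else "auth_err"
    if module == "pam_sss.so":
        return "success" if typed == user["krb5_password"] else "auth_err"
    return "auth_err"                        # pam_deny.so

def authenticate(stack, user, typed):
    """Return (verdict, modules that ran), following libpam's dispatch rules."""
    ran, status, i = [], None, 0
    while i < len(stack):
        table, module, args = stack[i]
        res = run_module(module, args, user, typed)
        ran.append(module)
        action = table.get(res, table["default"])
        i += 1
        if isinstance(action, int):          # N: jump over the next N modules
            i += action
        elif action == "done":               # sufficient succeeded: decide now
            return ("fail" if status == "fail" else "success"), ran
        elif action == "die":                # requisite failed: stop at once
            return "fail", ran
        elif action == "ok" and status != "fail":
            status = "success" if res == "success" else "fail"
        elif action == "bad":
            status = "fail"
    return (status or "fail"), ran
```

With the local password still set, typing it lets pam_unix answer as sufficient and pam_sss is never reached, so no ticket is obtained. With the field emptied by passwd --delete, pam_unix only accepts a blank password because of nullok, so a blank login would still bypass pam_sss.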