On Thu, Dec 15, 2016 at 07:29:14PM +0000, Thomas Beaudry wrote:
Hi Jakub,
Here is a copy of my common-session from my pam.d config file. I have pam_mkhomedir.so in it.
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session optional pam_krb5.so minimum_uid=1000
session optional pam_mkhomedir.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
# end of pam-auth-update config
Also, here is the user login from my auth.log. Yes, Ubuntu has journald now (I'm just not familiar with how to use it).
I think just output of journalctl -r is OK. Or journalctl -u lightdm.service
Dec 14 15:37:37 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:37 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet5.so
Here it looks like your PAM stack references pam_kwallet which is not installed, but that's not fatal.
Dec 14 15:37:37 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "a_fitte"
Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): (user a_fitte) credential verification failed: Server not found in Kerberos database
Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): authentication failure; logname=a_fitte uid=0 euid=0 tty=:0 ruser= rhost=
Dec 14 15:37:45 perf-imglab08 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte
I wonder why pam_krb5 and pam_sss are used together?
Dec 14 15:37:51 perf-imglab08 sssd_be: GSSAPI client step 1
Dec 14 15:37:51 perf-imglab08 sssd_be: GSSAPI client step 1
Dec 14 15:37:51 perf-imglab08 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte
OK, sssd authenticated you.
Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Dec 14 15:37:51 perf-imglab08 systemd-logind[26777]: Removed session c1.
Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm:session): session opened for user a_fitte by (uid=0)
Dec 14 15:37:51 perf-imglab08 systemd-logind[26777]: New session c3 of user a_fitte.
Dec 14 15:37:51 perf-imglab08 systemd: pam_unix(systemd-user:session): session opened for user a_fitte by (uid=0)
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet5.so
Dec 14 15:37:52 perf-imglab08 lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Dec 14 15:37:52 perf-imglab08 systemd-logind[26777]: New session c5 of user lightdm.
Dec 14 15:37:52 perf-imglab08 systemd: pam_unix(systemd-user:session): session opened for user lightdm by (uid=0)
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet5.so
Dec 14 15:37:52 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "a_fitte"
Here is the issue, pam_succeed_if kicks you out. Looks like the user who tried to log in is not a member of "nopasswdlogin".
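
Added example, not part of the original email: a small Python triage script that groups the PAM lines of an auth.log excerpt like the one above by module, phase and outcome, and lists modules PAM reported as faulty. The sample lines are copied from the log quoted in this message; the function names and outcome labels are this example's own.

```python
import re

# Sample input: lines copied from the auth.log excerpt quoted in this thread.
SAMPLE = """\
Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:37 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "a_fitte"
Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): (user a_fitte) credential verification failed: Server not found in Kerberos database
Dec 14 15:37:45 perf-imglab08 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte
Dec 14 15:37:51 perf-imglab08 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte
Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm:session): session opened for user a_fitte by (uid=0)
"""

# syslog prefix "time host program[pid]: message", then "pam_x(service:phase): detail"
LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")
PAM = re.compile(r"^(pam_\w+)\(([^:)]+):(\w+)\): (.*)$")
FAULTY = re.compile(r"^PAM adding faulty module: (\S+)$")
# Substring -> outcome label; the labels are this example's own, first match wins.
OUTCOMES = [("not met by user", "requirement-not-met"), ("failure", "failure"),
            ("failed", "failure"), ("success", "ok"), ("session opened", "ok")]

def classify(detail):
    """Map a module's free-text message to a coarse outcome label."""
    d = detail.lower()
    return next((label for key, label in OUTCOMES if key in d), "info")

def summarize(text):
    """Return (faulty_modules, events); events are (time, service, phase, module, outcome)."""
    faulty, events = set(), []
    for line in text.splitlines():
        if not (m := LINE.match(line)):
            continue
        ts, msg = m.group(1), m.group(4)
        if f := FAULTY.match(msg):
            faulty.add(f.group(1))
        elif p := PAM.match(msg):
            module, service, phase, detail = p.groups()
            events.append((ts, service, phase, module, classify(detail)))
    return faulty, events

def by_outcome(events, service, phase):
    """Group module names by outcome for one service and PAM phase, in log order."""
    out = {}
    for _ts, svc, ph, module, outcome in events:
        if svc == service and ph == phase:
            out.setdefault(outcome, []).append(module)
    return out

if __name__ == "__main__":
    faulty, events = summarize(SAMPLE)
    print("faulty:", sorted(faulty), "| lightdm auth:", by_outcome(events, "lightdm", "auth"))
```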