On (18/08/17 18:58), Louis Garcia wrote:
On Fri, Aug 18, 2017 at 5:03 PM, Lukas Slebodnik lslebodn@redhat.com wrote:
On (18/08/17 15:37), Louis Garcia wrote:
On Fri, Aug 18, 2017 at 12:54 PM, Louis Garcia louisgtwo@gmail.com
wrote:
On Fri, Aug 18, 2017 at 12:24 PM, Louis Garcia louisgtwo@gmail.com wrote:
On Fri, Aug 18, 2017 at 11:58 AM, Louis Garcia louisgtwo@gmail.com wrote:
On Fri, Aug 18, 2017 at 4:08 AM, Jakub Hrozek jhrozek@redhat.com wrote:
> On Fri, Aug 18, 2017 at 08:42:34AM +0200, Lukas Slebodnik wrote:
> > On (17/08/17 12:38), Louis Garcia wrote:
> > > Sorry to mail you directly but I think the sssd user mailing list is
> > > not accepting my emails. I replied twice to this thread yesterday and
> > > both bounced.
> >
> > I have no idea why you have problems to send mails there.
>
> Sorry, this is partially my fault. I should be watching the moderation
> queue, but lately we've been getting so much spam (sometimes one spam
> attempt per hour) that I overlooked your e-mail.
>
> You can subscribe to the list and then your messages will go right to
> the list w/o the moderation queue!
sssd-users-request@lists.fedorahosted.org Aug 15 (3 days ago)
to me
Welcome to the "sssd-users" mailing list!

I subscribed here:
https://lists.fedorahosted.org/admin/lists/sssd-users.lists.fedorahosted.org/
and I receive all emails from the list but I don't have a user account. How do I properly subscribe?
I test by logging out of gnome and logging back in. After that I open a terminal and run klist:

klist: Credentials cache keyring 'persistent:1000:1000' not found

Then I need to kinit, and if I klist again:

Ticket cache: KEYRING:persistent:1000:1000
Default principal: louisgtwo@MONTCLAIRE.LOCAL

Valid starting       Expires              Service principal
08/18/2017 12:33:50  08/19/2017 12:33:33  krbtgt/MONTCLAIRE.LOCAL@MONTCLAIRE.LOCAL

After that I can ssh and mount nfs4 krb5p. I want to receive my ticket when I log in.
I am not sure how to search journald. I used 'journalctl -u pam' with no effect.

IMHO the simplest would be the following command:

journalctl --since=-30min | grep pam_
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_fprintd.so
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Do I need to log in to gdm with my domain realm? louisgtwo@montclaire.local ??
It should not be related to your issue. But realm is usually uppercase.
uppercase doesn't work either.
You use id_provider files + auth_provider krb5.
If I remove id_provider files and auth_provider krb5 is not working I will be locked out? If I switch the domains will sssd search krb5 first?
[domain/files]
auth_provider = krb5
id_provider = files
I assume that local user still have a local password.
Changing the order of the lines does not change anything.
Is local password(in /etc/shadow) the same as you have for kerberos(passed to kinit)?
I have a local user/passwd that is the same for kerberos, this is how I log in now. I believe there is a bug for this. https://bugzilla.redhat.com/show_bug.cgi?id=1429843
That BZ used a totally different configuration and I already wrote it in the ticket. You cannot hit this bug.
If I delete the passwd from the local box my account will not show up in gdm login screen. Yes I have tried this and could not login going through 'not listed?'. I would rather get sssd working before I remove the local account.
I am not familiar with gdm but I assume you can manually type the user there. And if gdm does not remember the manually typed user next time then it sounds like a bug in gdm.
LS
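An added illustration (my own model, not code from the thread, from SSSD or from Linux-PAM) that walks the auth section of the system-auth stack quoted above under a simplified reading of Linux-PAM control semantics (a numeric jump is treated as skip-without-recording-failure), with constructed module outcomes, to show which modules actually run for a uid 1000 user who is both in /etc/passwd and known to sssd:

```python
# Added model (not the thread's or Linux-PAM's code) of PAM auth-stack control
# flow, run over the system-auth stack quoted above; outcomes are constructed.
KEYWORDS = {  # keyword controls as their equivalent [value=action] tables
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}
AUTH_STACK = [  # auth section of /etc/pam.d/system-auth from the thread
    ("required",   "pam_env"),
    ("required",   "pam_faildelay"),
    ("sufficient", "pam_fprintd"),
    ("[default=1 ignore=ignore success=ok]", "pam_succeed_if uid>=1000"),
    ("[default=1 ignore=ignore success=ok]", "pam_localuser"),
    ("sufficient", "pam_unix"),
    ("requisite",  "pam_succeed_if uid>=1000 quiet_success"),
    ("sufficient", "pam_sss"),
    ("required",   "pam_deny"),
]
def actions_for(control):
    """Control field -> {module return value: action} table."""
    if control.startswith("["):
        return dict(kv.split("=", 1) for kv in control.strip("[]").split())
    return KEYWORDS[control]

def run_auth_stack(stack, outcomes):
    """outcomes: label -> 'success'/'failure' (unlisted modules fail, as
    pam_deny always does). Returns (result, labels of modules that ran)."""
    ran, failed, i = [], False, 0
    while i < len(stack):
        control, label = stack[i]
        ran.append(label)
        table = actions_for(control)
        status = outcomes.get(label, "failure")
        action = table.get(status, table.get("default", "bad"))
        if action.isdigit():                 # N: jump over the next N modules
            i += int(action)
        elif action == "bad":                # note the failure, keep going
            failed = True
        elif action == "die":                # requisite failed: stop now
            return "failure", ran
        elif action == "done" and not failed:
            return "success", ran            # sufficient satisfied the stack
        i += 1                               # "ok" and "ignore" fall through
    return ("failure" if failed else "success"), ran
# Constructed scenarios: uid 1000 user whose /etc/shadow password matches,
# and the same user after the local /etc/passwd entry is removed.
OK = ("pam_env", "pam_faildelay", "pam_succeed_if uid>=1000", "pam_localuser",
      "pam_unix", "pam_succeed_if uid>=1000 quiet_success", "pam_sss")
LOCAL_USER = {m: "success" for m in OK}
SSSD_ONLY_USER = {**LOCAL_USER, "pam_localuser": "failure", "pam_unix": "failure"}
```

With a matching local password, pam_unix is sufficient and the stack returns before pam_sss ever runs, so sssd's krb5 auth is not asked to obtain anything; only when pam_localuser fails (no local entry) does the jump skip pam_unix and the stack reach pam_sss.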