Hi Everyone,
I have been able to get sssd to work so I can log in with my AD credentials to a workstation and through ssh; however, I am running into a problem. Whenever a new user tries to log in to an Ubuntu workstation for the first time it doesn't allow them. I am guessing the login screen doesn't contact the Windows AD to check credentials (so maybe sssd hasn't been started yet). I currently have sssd managing the following services: pam, ssh, autofs, and nss. The workaround that I have found is to ssh to that machine from another machine with the AD credentials that I would like to use, and then when I reset the machine I am able to use those credentials at the login screen. Is there a better way?
Thanks, Thomas
On Wed, Dec 14, 2016 at 08:55:15PM +0000, Thomas Beaudry wrote:
Do I get it correctly that you can't log in through a graphical login manager, but you can log in with the same user with ssh, and then you can log in with the GUI manager as well?
I'm not sure I can answer without seeing some logs, but the things I would look for would be:
- is pam_sss contacted at all when you log in with the GUI login manager?
- what kind of error does pam_sss return if you log in with the GUI manager?
- what is in the sssd logs in that case?
Hi,
Sorry, I have a hard time explaining exactly what the problem is in technical terms since I'm not sure what they are called.
Essentially, when I power on a machine there is the initial login screen that you are prompted with in Ubuntu. If a user has never logged onto a particular machine it doesn't allow them. However, if I have already ssh'd to that machine (via another machine) with the user account, then if I try and do the initial login it works. Once the user logs in once, I can always log in afterwards.
Does that make sense?
Thomas
From: Jakub Hrozek <jhrozek@redhat.com>
Sent: Wednesday, December 14, 2016 4:47 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: logging into machine with AD credentials for the first time
On Thu, Dec 15, 2016 at 04:22:01AM +0000, Thomas Beaudry wrote:
Yes, I just have a hard time imagining why this would be the case. The only scenario I can think of is that the Ubuntu login manager's PAM stack is not configured to create the home directory on that machine with pam_mkhomedir or similar while ssh's PAM stack is, the ssh login creates the homedir and then you can log in via GUI as well.
So I would recommend looking into the system's logs (auth.log in Ubuntu IIRC? Or does Ubuntu have journald already?), or enabling debug_level in the sssd logs and checking whether sssd is indeed failing.
Hi Jakub,
Here is a copy of my common-session from my pam.d config file. I have pam_mkhomedir.so in it.
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]   pam_permit.so
# here's the fallback if no module succeeds
session requisite   pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required   pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional   pam_umask.so
# and here are more per-package modules (the "Additional" block)
session optional   pam_krb5.so minimum_uid=1000
session optional   pam_mkhomedir.so
session required   pam_unix.so
session optional   pam_sss.so
session optional   pam_systemd.so
# end of pam-auth-update config
Also, here is the user login from my auth.log. Yes, Ubuntu has journald now (I'm just not familiar with how to use it).
Dec 14 15:37:37 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:37 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet5.so
Dec 14 15:37:37 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "a_fitte"
Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): (user a_fitte) credential verification failed: Server not found in Kerberos database
Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): authentication failure; logname=a_fitte uid=0 euid=0 tty=:0 ruser= rhost=
Dec 14 15:37:45 perf-imglab08 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte
Dec 14 15:37:51 perf-imglab08 sssd_be: GSSAPI client step 1
Dec 14 15:37:51 perf-imglab08 sssd_be: GSSAPI client step 1
Dec 14 15:37:51 perf-imglab08 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte
Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Dec 14 15:37:51 perf-imglab08 systemd-logind[26777]: Removed session c1.
Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm:session): session opened for user a_fitte by (uid=0)
Dec 14 15:37:51 perf-imglab08 systemd-logind[26777]: New session c3 of user a_fitte.
Dec 14 15:37:51 perf-imglab08 systemd: pam_unix(systemd-user:session): session opened for user a_fitte by (uid=0)
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet5.so
Dec 14 15:37:52 perf-imglab08 lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Dec 14 15:37:52 perf-imglab08 systemd-logind[26777]: New session c5 of user lightdm.
Dec 14 15:37:52 perf-imglab08 systemd: pam_unix(systemd-user:session): session opened for user lightdm by (uid=0)
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet5.so
Dec 14 15:37:52 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "a_fitte"
Thanks for your help!
Thomas
From: Jakub Hrozek <jhrozek@redhat.com>
Sent: Thursday, December 15, 2016 3:46 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: logging into machine with AD credentials for the first time
On Thu, Dec 15, 2016 at 07:29:14PM +0000, Thomas Beaudry wrote:
Also, here is the user login from my auth.log. Yes, Ubuntu has journald now (I'm just not familiar with how to use it).
I think just the output of journalctl -r is OK. Or journalctl -u lightdm.service
Dec 14 15:37:37 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:37 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet5.so
Here it looks like your PAM stack references pam_kwallet which is not installed, but that's not fatal.
Dec 14 15:37:37 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "a_fitte"
Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): (user a_fitte) credential verification failed: Server not found in Kerberos database
Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): authentication failure; logname=a_fitte uid=0 euid=0 tty=:0 ruser= rhost=
Dec 14 15:37:45 perf-imglab08 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte
I wonder why pam_krb5 and pam_sss are used together?
Dec 14 15:37:51 perf-imglab08 sssd_be: GSSAPI client step 1
Dec 14 15:37:51 perf-imglab08 sssd_be: GSSAPI client step 1
Dec 14 15:37:51 perf-imglab08 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte
OK, sssd authenticated you.
Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Dec 14 15:37:51 perf-imglab08 systemd-logind[26777]: Removed session c1.
Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm:session): session opened for user a_fitte by (uid=0)
Dec 14 15:37:51 perf-imglab08 systemd-logind[26777]: New session c3 of user a_fitte.
Dec 14 15:37:51 perf-imglab08 systemd: pam_unix(systemd-user:session): session opened for user a_fitte by (uid=0)
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet5.so
Dec 14 15:37:52 perf-imglab08 lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Dec 14 15:37:52 perf-imglab08 systemd-logind[26777]: New session c5 of user lightdm.
Dec 14 15:37:52 perf-imglab08 systemd: pam_unix(systemd-user:session): session opened for user lightdm by (uid=0)
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:52 perf-imglab08 lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Dec 14 15:37:52 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet5.so
Dec 14 15:37:52 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "a_fitte"
Here is the issue: pam_succeed_if kicks you out. Looks like the user who tried to log in is not a member of "nopasswdlogin".
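As an added example (not part of the thread, and not code from Thomas, Jakub or the SSSD project), the script below reconstructs the PAM timeline from the auth.log excerpt above: which module produced the final auth verdict for the user, which sessions opened or closed for that user, and how soon the greeter session came back after the user session opened. The log lines embedded in it are the ones posted above, trimmed to the PAM entries; the host name and the user a_fitte come from the thread, while the service name "lightdm" for the user session and the 5-second restart window are assumptions made here.

```python
"""Reconstruct a display-manager login timeline from auth.log lines."""
import re
from datetime import datetime

# Constructed sample input: the auth.log lines posted in the thread, trimmed
# to the PAM entries (dlopen errors and the later repeats are left out).
SAMPLE_LOG = """\
Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet.so
Dec 14 15:37:37 perf-imglab08 lightdm: PAM adding faulty module: pam_kwallet5.so
Dec 14 15:37:37 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "a_fitte"
Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): (user a_fitte) credential verification failed: Server not found in Kerberos database
Dec 14 15:37:45 perf-imglab08 lightdm: pam_krb5(lightdm:auth): authentication failure; logname=a_fitte uid=0 euid=0 tty=:0 ruser= rhost=
Dec 14 15:37:45 perf-imglab08 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte
Dec 14 15:37:51 perf-imglab08 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a_fitte
Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Dec 14 15:37:51 perf-imglab08 lightdm: pam_unix(lightdm:session): session opened for user a_fitte by (uid=0)
Dec 14 15:37:51 perf-imglab08 systemd: pam_unix(systemd-user:session): session opened for user a_fitte by (uid=0)
Dec 14 15:37:52 perf-imglab08 lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Dec 14 15:37:52 perf-imglab08 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "a_fitte"
"""

# syslog prefix: "Dec 14 15:37:51 host proc[pid]: message"
LINE_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
                     r'(?P<proc>[^:]+): (?P<msg>.*)$')
# PAM message: "pam_sss(lightdm:auth): authentication success; ..."
PAM_RE = re.compile(r'^(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<kind>\w+)\): (?P<rest>.*)$')
# Each module places the user name differently; try the forms seen in the log.
USER_RES = [re.compile(p) for p in (r'\buser=(\S+)', r'\(user (\S+)\)', r'user "([^"]+)"',
                                    r'\bfor user (\S+)', r'\blogname=(\S+)')]


def classify(rest):
    """Map the free text after 'module(service:kind):' to an event type."""
    if rest.startswith('authentication success'):
        return 'auth_success'
    if rest.startswith('authentication failure') or 'credential verification failed' in rest:
        return 'auth_failure'
    if rest.startswith('session opened'):
        return 'session_opened'
    if rest.startswith('session closed'):
        return 'session_closed'
    if 'not met by user' in rest:
        return 'requirement_unmet'
    return 'other'


def user_of(rest):
    for rx in USER_RES:
        m = rx.search(rest)
        if m:
            return m.group(1)
    return None


def parse_events(log_text):
    """Return (pam_events, faulty_modules) parsed from syslog-style lines."""
    events, faulty = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group('msg')
        if msg.startswith('PAM adding faulty module: '):
            name = msg.split(': ', 1)[1]
            if name not in faulty:
                faulty.append(name)
            continue
        p = PAM_RE.match(msg)
        if not p:
            continue
        events.append({'ts': datetime.strptime(m.group('ts'), '%b %d %H:%M:%S'),
                       'module': p.group('module'), 'service': p.group('service'),
                       'kind': p.group('kind'), 'outcome': classify(p.group('rest')),
                       'user': user_of(p.group('rest'))})
    return events, faulty


def auth_outcome(events, user):
    """Last success/failure the auth phase logged for `user`, as (outcome, module)."""
    verdict = None
    for e in events:
        if e['kind'] == 'auth' and e['user'] == user and e['outcome'].startswith('auth_'):
            verdict = (e['outcome'], e['module'])
    return verdict


def session_events(events, user):
    return [(e['ts'].strftime('%H:%M:%S'), e['service'], e['outcome'])
            for e in events if e['kind'] == 'session' and e['user'] == user]


def greeter_restart_gap(events, user, greeter_user='lightdm'):
    """Seconds from the user's lightdm session opening until a greeter session
    opens again; None if the greeter never came back in the log."""
    opened = None
    for e in events:
        if e['kind'] != 'session' or e['outcome'] != 'session_opened':
            continue
        if e['user'] == user and e['service'] == 'lightdm':   # assumed service name
            opened = e['ts']
        elif opened is not None and e['user'] == greeter_user and e['service'].endswith('greeter'):
            return (e['ts'] - opened).total_seconds()
    return None


def summarize(log_text, user, restart_window=5.0):
    """Assumed threshold: a greeter back within `restart_window` seconds means
    the user's session ended right after it started, not that auth failed."""
    events, faulty = parse_events(log_text)
    gap = greeter_restart_gap(events, user)
    return {'auth': auth_outcome(events, user),
            'sessions': session_events(events, user),
            'session_closed_logged': any(e['kind'] == 'session' and e['user'] == user
                                         and e['outcome'] == 'session_closed' for e in events),
            'unmet_requirements': sum(1 for e in events
                                      if e['outcome'] == 'requirement_unmet' and e['user'] == user),
            'faulty_modules': faulty,
            'greeter_restart_seconds': gap,
            'session_died_early': gap is not None and gap <= restart_window}


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_LOG, 'a_fitte').items():
        print(f'{key}: {value}')
```

Run against the excerpt, it reports pam_sss as the module that gave the final auth verdict, two session-open events for a_fitte with no session-close line, and the lightdm greeter reopening 1 second after the user session opened. The pam_succeed_if "not met" lines are counted but not treated as a failure, since the same line precedes the successful pam_sss authentication at 15:37:51. On a live machine the same summarize() call can be fed the output of journalctl -u lightdm.service, which carries the same syslog-style prefix.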
Hi Jakub,
But none of my users is in the nopasswdlogin group.
Thanks, Thomas
From: Jakub Hrozek <jhrozek@redhat.com>
Sent: Friday, December 16, 2016 3:52 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: logging into machine with AD credentials for the first time
Hi,
I just used the default PAM stack that came with a fresh install and added the lines needed to get sssd to work (since I am really not familiar with the inner workings of PAM). I don't see anything in my PAM stack that is

# here are the per-package modules (the "Primary" block)
session [default=1]   pam_permit.so
# here's the fallback if no module succeeds
session requisite   pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required   pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional   pam_umask.so
# and here are more per-package modules (the "Additional" block)
session optional   pam_krb5.so minimum_uid=1000
session optional   pam_mkhomedir.so
session required   pam_unix.so
session optional   pam_sss.so
session optional   pam_systemd.so
From: Jakub Hrozek <jhrozek@redhat.com>
Sent: Friday, December 16, 2016 12:12 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: logging into machine with AD credentials for the first time
On Fri, Dec 16, 2016 at 04:18:04PM +0000, Thomas Beaudry wrote:
Then why is there pam_succeed_if set up this way in the PAM stack?
Hi Jakub,
I'm starting to think it has more to do with the directory creation and not the group. Before a user logs in for the first time, I create an NFS folder for them to use (since user directories are on a NAS). Maybe I need to include an .Xauthority file in it, or something of that nature? Anyway, it's just a thought.
Thomas

From: Thomas Beaudry <thomas.beaudry@concordia.ca>
Sent: Friday, December 16, 2016 12:19 PM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: logging into machine with AD credentials for the first time