I have figured out that the missing homedir is the problem with logging in as ADUser@domain.com from the GUI.
Best, Longina
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Longina Przybyszewska Sent: 27 January 2014 16:55 To: 'End-user discussions about the System Security Services Daemon' Subject: Re: [SSSD-users] sssd-1.11.1 in Saucy - GUI login problem
It seems that issuing the command kinit -k COMPUTER$@DOMAIN helped with the sssd startup problem.
I am very pleased to notice that I could successfully change the password online (during an ssh session!) which had expired for the AD user.
I can log in from the GUI as the local user 'longina'. I can 'su - ADuser' as 'longina' in a terminal.
I cannot log in from the GUI as the AD user!!
(Tried as testuser@a.example.com and as a\testuser.)
From auth.log:
Jan 27 16:14:48 longina-nb lightdm: pam_unix(lightdm:session): session closed for user longina
Jan 27 16:14:49 longina-nb lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Jan 27 16:15:09 longina-nb lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "testuser@a.example.com "
Jan 27 16:15:19 longina-nb lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=testuser@a.example.com
Jan 27 16:15:20 longina-nb lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=testuser@a.example.com
......
Jan 27 16:15:20 longina-nb lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Jan 27 16:15:20 longina-nb lightdm: pam_unix(lightdm:session): session opened for user testuser@a.example.com by (uid=0)
Jan 27 16:15:20 longina-nb lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Jan 27 16:15:36 longina-nb lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "a\testuser"
Jan 27 16:15:46 longina-nb lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a\testuser
Jan 27 16:15:46 longina-nb lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a\testuser
Jan 27 16:15:47 longina-nb lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Jan 27 16:15:47 longina-nb lightdm: pam_unix(lightdm:session): session opened for user a\testuser by (uid=0)
Jan 27 16:15:47 longina-nb lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Jan 27 16:16:14 longina-nb login[1238]: pam_unix(login:session): session opened for user longina by LOGIN(uid=0)
Jan 27 16:16:35 longina-nb su[5160]: pam_unix(su:auth): authentication failure; logname=longina uid=1001 euid=0 tty=/dev/tty1 ruser=longina rhost= user=testuser@a.example.com
Jan 27 16:16:35 longina-nb su[5160]: pam_sss(su:auth): authentication success; logname=longina uid=1001 euid=0 tty=/dev/tty1 ruser=longina rhost= user=testuser@a.example.com
Jan 27 16:16:35 longina-nb su[5160]: Successful su for testuser@a.example.com by longina
Jan 27 16:16:35 longina-nb su[5160]: + /dev/tty1 alongina:testuser@a.example.com
Jan 27 16:16:35 longina-nb su[5160]: pam_unix(su:session): session opened for user testuser@a.example.com by longina(uid=1001)
Jan 27 16:17:01 longina-nb CRON[5203]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 27 16:17:01 longina-nb CRON[5203]: pam_unix(cron:session): session closed for user root
sssd_pam.log:
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [testuser@a.example.com]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): domain: a.example.com
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): user: testuser
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): service: lightdm
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): tty: :0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5363
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x12211a0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x12211a0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x1223050
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][a.example.com]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_reply] (0x0200): blen: 29
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x122d7f0][18]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x122d7f0][18]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [client_destructor] (0x2000): Terminated client [0x122d7f0][18]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [get_client_cred] (0x4000): Client creds: euid[0] egid[0] pid[5616].
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x121fa20][18]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected to privileged pipe!
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x121fa20][18]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x121fa20][18]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x121fa20][18]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_cmd_open_session] (0x0100): entering pam_cmd_open_session
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'lightdm' matched without domain, user is lightdm
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): user: lightdm
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): service: lightdm-greeter
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): tty: :0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5616
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [10].
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_reply] (0x0200): blen: 8
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x121fa20][18]
(Mon Jan 27 16:42:59 2014) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x1220b60
(Mon Jan 27 16:42:59 2014) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Jan 27 16:42:59 2014) [sssd[pam]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Mon Jan 27 16:43:02 2014) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [testuser] removed from PAM initgroup cache
Best, Longina
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On Tue, Jan 28, 2014 at 11:56:01AM +0000, Longina Przybyszewska wrote:
I have figured out that the missing homedir is the problem with logging in as ADUser@domain.com from the GUI.
Best, Longina
Glad it works now. For future reference, you can use parameters like fallback_homedir or override_homedir to set the home directory to something sensible even if the AD user had no homedir set on the AD side.
I have both options, 'fallback_homedir' and 'override_homedir', but the options don't create a missing homedir. I have to add a 'pam_mkhomedir.so' reference to pam.d/common-session to get the home directory created on the fly at login if it doesn't exist.
I must admit the listing of the home directory doesn't look good:
Home directory for user testuser@a.example.com
root@l-nb:/home# ls -l
total 8
drwxr-xr-x 16 testuser@a.example.com domain users@a.example.com 4096 Jan 28 13:05 testuser
drwxr-xr-x 44 along along 4096 Jan 22 15:55 long
Is it possible to make it look simpler? We have unique user names across domains in AD.
Best Longina
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek Sent: 28 January 2014 13:39 To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] sssd-1.11.1 in Saucy - GUI login problem [solved]
On Tue, Jan 28, 2014 at 02:26:06PM +0000, Longina Przybyszewska wrote:
I have both options, 'fallback_homedir' and 'override_homedir', but the options don't create a missing homedir. I have to add a 'pam_mkhomedir.so' reference to pam.d/common-session to get the home directory created on the fly at login if it doesn't exist.
I must admit the listing of the home directory doesn't look good:
Home directory for user testuser@a.example.com
root@l-nb:/home# ls -l
total 8
drwxr-xr-x 16 testuser@a.example.com domain users@a.example.com 4096 Jan 28 13:05 testuser
drwxr-xr-x 44 along along 4096 Jan 22 15:55 long
Is it possible to make it look simpler? We have unique user names across domains in AD.
Best Longina
I'm not sure I understood the problem, but did you want to customize the user@domain format or disable it?
Then you should take a look at use_fully_qualified_names and full_name_format options.
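The thread boils down to four sssd.conf options (fallback_homedir, override_homedir, use_fully_qualified_names, full_name_format) plus pam_mkhomedir. Below is an added example, written for this page and not code from the thread or from SSSD itself, that re-implements the template substitutions sssd.conf(5) documents for these options (%u, %U, %d, %f, %o, %% for the homedir templates; %1$s, %2$s, %3$s for full_name_format) so you can predict what login name and home directory a given configuration will produce before deploying it. It also includes the check behind Jakub's hint and Longina's "unique user names across domains" remark: with use_fully_qualified_names = False, two AD accounts with the same short name in different domains would collapse onto one local login name. The sssd.conf text, the NetBIOS flat name "A", the user lists, and the umask=0077 pam_mkhomedir line are constructed assumptions for the example; the thread states no defaults and none are relied on beyond what is in the embedded config.

```python
"""Predict SSSD login names and home directories from an sssd.conf fragment.

Added example for this thread; illustrative code, not SSSD's own. It
implements the documented template sequences for fallback_homedir /
override_homedir and full_name_format and a collision check for short
(unqualified) names across domains.
"""
import configparser

# Constructed sssd.conf fragment (assumed values; not the poster's real file).
SSSD_CONF = """
[sssd]
services = nss, pam
domains = a.example.com

[domain/a.example.com]
id_provider = ad
# Used only when the AD user object carries no home directory attribute.
fallback_homedir = /home/%d/%u
# Keep names domain-qualified; see check_short_name_collisions() for why.
use_fully_qualified_names = True
full_name_format = %1$s@%2$s
"""

# pam_mkhomedir is what creates the directory at first login; the SSSD
# options above only decide the path. umask=0077 keeps the new home private
# (the drwxr-xr-x listing in the thread is what a 0022 umask produces).
# Assumed line for /etc/pam.d/common-session, not taken from the thread.
PAM_COMMON_SESSION_LINE = "session required pam_mkhomedir.so skel=/etc/skel umask=0077"


def load_domain(conf_text, domain):
    # interpolation=None: the templates contain literal '%' sequences.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp["domain/" + domain]


def expand_homedir(template, user, domain, uid=0, orig=None):
    """Expand a fallback_homedir / override_homedir template.

    %u user, %U uid, %d domain, %f user@domain, %o original homedir, %% literal.
    """
    subst = {"u": user, "U": str(uid), "d": domain,
             "f": f"{user}@{domain}", "o": orig or "", "%": "%"}
    out, i = [], 0
    while i < len(template):
        c = template[i]
        if c == "%":
            i += 1
            if i >= len(template) or template[i] not in subst:
                raise ValueError(f"unknown template sequence in {template!r}")
            out.append(subst[template[i]])
        else:
            out.append(c)
        i += 1
    return "".join(out)


def format_name(fmt, user, domain, flat):
    """Expand full_name_format: %1$s user, %2$s domain, %3$s flat (NetBIOS) name."""
    return fmt.replace("%1$s", user).replace("%2$s", domain).replace("%3$s", flat)


def resolve(conf_text, user, domain, flat, orig_homedir=None, uid=0):
    """Return (login name, home directory) SSSD would hand to NSS/PAM."""
    sec = load_domain(conf_text, domain)
    if sec.getboolean("use_fully_qualified_names", fallback=False):
        name = format_name(sec.get("full_name_format", "%1$s@%2$s"), user, domain, flat)
    else:
        name = user
    override = sec.get("override_homedir")
    if override:
        home = expand_homedir(override, user, domain, uid, orig_homedir)
    elif orig_homedir:
        home = orig_homedir
    elif sec.get("fallback_homedir"):
        home = expand_homedir(sec.get("fallback_homedir"), user, domain, uid)
    else:
        home = ""  # nothing set: empty homedir, which is what broke the GUI login
    return name, home


def check_short_name_collisions(users_by_domain):
    """Short names present in more than one domain.

    With use_fully_qualified_names = False each such name maps two distinct
    AD accounts onto one local login name, so the result must be empty
    before that setting is safe to turn off.
    """
    seen = {}
    for dom, users in users_by_domain.items():
        for u in users:
            seen.setdefault(u.lower(), set()).add(dom)
    return {u: sorted(d) for u, d in seen.items() if len(d) > 1}


if __name__ == "__main__":
    print(resolve(SSSD_CONF, "testuser", "a.example.com", "A"))
    print(check_short_name_collisions({"a.example.com": ["testuser", "alice"],
                                       "b.example.com": ["Alice"]}))  # constructed lists
```

Run it against your own sssd.conf text and a dump of sAMAccountName values per domain; an empty result from check_short_name_collisions() is the precondition for flipping use_fully_qualified_names to False, and the resolve() output is the path pam_mkhomedir will create.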