Thanks Sumit
 
Yes, all the ipa-server instances I have set up in the past have been headless, with the home dirs from a file server via NFS.
 
In this case I am aiming for a simple "all-in-one" SSO VM with the ipa-server, client, Desktop, Eclipse, our Application Server and Client all in the same VM...
 
Cheers
 
Chris
 
 
 
----- Original message -----
From: "Sumit Bose" <sbose@redhat.com>
To: "Christopher Lamb" <christopher.lamb@ch.ibm.com>
Cc: freeipa-users@lists.fedorahosted.org, sbose@redhat.com
Subject: [EXTERNAL] Re: [Freeipa-users] Re: Cannot log in to Federoa Desktop GUI with FreeIPA user.
Date: Tue, Aug 10, 2021 1:14 PM
 
On Tue, Aug 10, 2021 at 10:28:09AM +0000, Christopher Lamb wrote:
> Hi Sumit
>  
> Thanks, that was it! The freeipa user(s) did not have home directories.
>  
> I have now manually created the directory /home/lamb, changed the ownership to
> lamb with chown, and now I can login with the freeipa-user.
>  
> Did I miss an obvious error message in the logs?

Hi,

The SSSD logs were all fine. I would suggest checking the general system
logs and looking for errors from gdm or other Gnome components.

Btw, while it might be ok on freeipa servers to create home directories
manually since typically not all users should access the server, on
clients this might be cumbersome. There is the '--mkhomedir' option for
ipa-client-install to tell the system to create the home directories
automatically during the first login.

HTH

bye,
Sumit

>  
> Cheers
>  
>
>     ----- Original message -----
>     From: "Sumit Bose via FreeIPA-users" <freeipa-users@lists.fedorahosted.org>
>     To: freeipa-users@lists.fedorahosted.org
>     Cc: "Sumit Bose" <sbose@redhat.com>
>     Subject: [EXTERNAL] [Freeipa-users] Re: Cannot log in to Federoa Desktop
>     GUI with FreeIPA user.
>     Date: Tue, Aug 10, 2021 12:05 PM
>      
>     On Tue, Aug 10, 2021 at 08:47:55AM +0000, Christopher Lamb via
>     FreeIPA-users wrote:
>     > Hi
>     >  
>     > I am attempting to set up a Single Sign On (SSO) development environment
>     > in a Fedora 34 Virtual Machine on my laptop.
>     >  
>     > I have successfully installed and configured freeipa-server, and can
>     > create freeipa users both on the CLI, and via the Web UI. —> OK.
>     >  
>     > I can both “kinit” and “su” to the freeipa users —> OK. This implies that
>     > the users can be successfully authenticated, password is correct etc.
>     >  
>     > However I cannot log in to the Fedora Desktop (Gnome) of the VM running
>     > freeipa-server with the freeipa users. —> NOT OK.
>     >  
>     > I do get the “last log in” + date message displayed, then it returns to
>     > the login dialog without displaying any error message.
>     >  
>     > The “last log in” message suggests that authentication was successful,
>     > but something after that has a worm in it.
>
>     Hi,
>
>     are you using pam_oddjob_mkhomedir.so or have you checked if there is a
>     home directory for the user?
>
>     HTH
>
>     bye,
>     Sumit
>
>     >  
>     > My setup is:
>     > VM Fedora Linux 34, freeipa-server 4.9.6, sssd 2.5.2
>     > VM Host: macOS Big Sur 11.4 Parallels Desktop Pro Version 16.5.1 (49187)
>     >  
>     >  
>     > I found this issue https://bugzilla.redhat.com/show_bug.cgi?id=1837749
>     > where the user also cannot log in, but for Active Directory users. My
>     > users are plain vanilla freeipa.
>     >  
>     > I have attached an extract from the sssd_acme.org.log at the time of
>     > login attempt (09:40:10). The user is "lamb".
>     >  
>     > Any ideas?
>     >  
>     > Chris
>     >
>     >
>
>
>     > _______________________________________________
>     > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>     > To unsubscribe send an email to
>     freeipa-users-leave@lists.fedorahosted.org
>     > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/ 
>     code-of-conduct/
>     > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines  
>     > List Archives: https://lists.fedorahosted.org/archives/list/ 
>     freeipa-users@lists.fedorahosted.org
>     > Do not reply to spam on the list, report it: https://pagure.io/ 
>     fedora-infrastructure
>
>  
>
>
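
A small check for the failure discussed in this thread, where authentication succeeds but the desktop session cannot start because the home directory is missing. This is an added example, not code from the thread or from the FreeIPA or SSSD projects; the function names and the default PAM file path are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: diagnose "login succeeds, then returns to the login dialog"
# by checking the user's home directory and the PAM session stack.

# home_status PASSWD_LINE
# Takes one passwd-format line (as printed by `getent passwd USER`) and
# prints "ok", "missing" or "wrong-owner" for that user's home directory.
home_status() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    [ -d "$home" ] || { echo missing; return 0; }
    owner=$(stat -c '%u' "$home") || return 1   # GNU stat: numeric owner uid
    if [ "$owner" = "$uid" ]; then echo ok; else echo wrong-owner; fi
}

# pam_creates_home PAM_FILE
# Succeeds if an uncommented session line loads pam_oddjob_mkhomedir.so or
# pam_mkhomedir.so, i.e. home directories are created at first login.
pam_creates_home() {
    grep -Eq '^[[:space:]]*-?session[[:space:]].*pam_(oddjob_)?mkhomedir\.so' "$1"
}

# diagnose USER [PAM_FILE]
# The default PAM file is an assumption; pass the file that your display
# manager's PAM stack actually includes.
diagnose() {
    line=$(getent passwd "$1") || { echo "$1: not resolvable via NSS"; return 1; }
    hs=$(home_status "$line") || return 1
    echo "$1: home directory $hs"
    if pam_creates_home "${2:-/etc/pam.d/password-auth}"; then
        echo "PAM session stack creates home directories at login"
    else
        echo "PAM session stack does not create home directories"
    fi
}

# Run the diagnosis only when a user name is given on the command line.
if [ "$#" -ge 1 ]; then
    diagnose "$@"
fi
```

A result of `missing` together with no mkhomedir module in the session stack matches the situation in the thread, where the directory had to be created and chowned by hand.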