On (18/08/17 18:58), Louis Garcia wrote:
On Fri, Aug 18, 2017 at 5:03 PM, Lukas Slebodnik <lslebodn(a)redhat.com> wrote:
> On (18/08/17 15:37), Louis Garcia wrote:
> >On Fri, Aug 18, 2017 at 12:54 PM, Louis Garcia <louisgtwo(a)gmail.com> wrote:
> >
> >> On Fri, Aug 18, 2017 at 12:24 PM, Louis Garcia <louisgtwo(a)gmail.com> wrote:
> >>
> >>> On Fri, Aug 18, 2017 at 11:58 AM, Louis Garcia <louisgtwo(a)gmail.com> wrote:
> >>>
> >>>> On Fri, Aug 18, 2017 at 4:08 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> >>>>
> >>>>> On Fri, Aug 18, 2017 at 08:42:34AM +0200, Lukas Slebodnik wrote:
> >>>>> > On (17/08/17 12:38), Louis Garcia wrote:
> >>>>> > >Sorry to mail you directly but I think the sssd user mailing list is not accepting my emails. I replied twice to this thread yesterday and both bounced.
> >>>>> > >
> >>>>> >
> >>>>>
> >>>>> > I have no idea why you have problems sending mails there.
> >>>>>
> >>>>> Sorry, this is partially my fault. I should be watching the moderation queue, but lately we've been getting so much spam (sometimes one spam attempt per hour) that I overlooked your e-mail.
> >>>>>
> >>>>> You can subscribe to the list and then your messages will go right to the list w/o the moderation queue!
> >>>>>
> >>>>
> >>>> sssd-users-request(a)lists.fedorahosted.org
> >>>> Aug 15 (3 days ago)
> >>>>
> >>>>
> >>>> to me
> >>>> Welcome to the "sssd-users" mailing list!
> >>>>
> >>>
> >>> I subscribed here: https://lists.fedorahosted.org/admin/lists/sssd-users.lists.fedorahosted.org/ and I receive all emails from the list but I don't have a user account.
> >>> How do I properly subscribe?
> >>>
> >>>
> >> I test by logging out of gnome and logging back in. After that I open a terminal and run klist
> >>
> >> klist: Credentials cache keyring 'persistent:1000:1000' not found
> >>
> >> Then I need to kinit and if I klist again
> >>
> >> Ticket cache: KEYRING:persistent:1000:1000
> >> Default principal: louisgtwo(a)MONTCLAIRE.LOCAL
> >>
> >> Valid starting       Expires              Service principal
> >> 08/18/2017 12:33:50  08/19/2017 12:33:33  krbtgt/MONTCLAIRE.LOCAL@MONTCLAIRE.LOCAL
> >>
> >>
> >> after that I can ssh and mount nfs4 krb5p. I want to receive my ticket when I log in.
> >>
> >> I am not sure how to search journald. I used 'journalctl -u pam' with no effect
> IMHO the simplest would be the following command.
> journalctl --since=-30min | grep pam_
>
>
> >> #cat /etc/pam.d/system-auth
> >> #%PAM-1.0
> >> # This file is auto-generated.
> >> # User changes will be destroyed the next time authconfig is run.
> >> auth required pam_env.so
> >> auth required pam_faildelay.so delay=2000000
> >> auth sufficient pam_fprintd.so
> >> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> >> auth [default=1 ignore=ignore success=ok] pam_localuser.so
> >> auth sufficient pam_unix.so nullok try_first_pass
> >> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> >> auth sufficient pam_sss.so forward_pass
> >> auth required pam_deny.so
> >>
> >> account required pam_unix.so
> >> account sufficient pam_localuser.so
> >> account sufficient pam_succeed_if.so uid < 1000 quiet
> >> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> >> account required pam_permit.so
> >>
> >> password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
> >> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> >> password sufficient pam_sss.so use_authtok
> >> password required pam_deny.so
> >>
> >> session optional pam_keyinit.so revoke
> >> session required pam_limits.so
> >> -session optional pam_systemd.so
> >> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> >> session required pam_unix.so
> >> session optional pam_sss.so
> >>
> >> # cat /etc/pam.d/password-auth
> >> #%PAM-1.0
> >> # This file is auto-generated.
> >> # User changes will be destroyed the next time authconfig is run.
> >> auth required pam_env.so
> >> auth required pam_faildelay.so delay=2000000
> >> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> >> auth [default=1 ignore=ignore success=ok] pam_localuser.so
> >> auth sufficient pam_unix.so nullok try_first_pass
> >> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> >> auth sufficient pam_sss.so forward_pass
> >> auth required pam_deny.so
> >>
> >> account required pam_unix.so
> >> account sufficient pam_localuser.so
> >> account sufficient pam_succeed_if.so uid < 1000 quiet
> >> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> >> account required pam_permit.so
> >>
> >> password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
> >> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> >> password sufficient pam_sss.so use_authtok
> >> password required pam_deny.so
> >>
> >> session optional pam_keyinit.so revoke
> >> session required pam_limits.so
> >> -session optional pam_systemd.so
> >> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> >> session required pam_unix.so
> >> session optional pam_sss.so
> >>
> >>
> >do I need to log in to gdm with my domain realm? louisgtwo(a)montclaire.local ??
> It should not be related to your issue. But realm is usually uppercase.
>
> uppercase doesn't work either.
> You use id_provider files + auth_provider krb5.
>
If I remove id_provider files and auth_provider krb5 is not working, will I be locked out?
If I switch the domains, will sssd search krb5 first?
[domain/files]
auth_provider = krb5
id_provider = files
I assume that the local user still has a local password.
Changing the order of lines does not change anything.
> Is the local password (in /etc/shadow) the same as you have for kerberos (passed to kinit)?
>
> I have a local user/passwd that is the same for kerberos, this is how I log in now. I believe there is a bug for this.
https://bugzilla.redhat.com/show_bug.cgi?id=1429843
That BZ used a totally different configuration and I already wrote it in the ticket.
You cannot hit this bug.
If I delete the passwd from the local box my account will not show up in the gdm login screen.
Yes I have tried this and could not log in going through 'not listed?'. I
would rather get sssd working before I remove the local account.
I am not familiar with gdm but I assume you can manually type the user there.
And if gdm does not remember the manually typed user next time then it sounds
like a bug in gdm.
LS
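The thread turns on whether the local /etc/shadow password or SSSD answers the login. The following is an added example, not code from the thread, from SSSD or from Linux-PAM: it parses the auth lines of the quoted /etc/pam.d/system-auth and walks them with the control-flag rules of pam.conf(5) in simplified form (ok, bad, die, done, ignore and the numeric jump). The module outcomes come from a hand-written user profile (uid, presence in /etc/passwd, whether the shadow and Kerberos passwords would verify) rather than from real PAM calls, and the profile keys are my own names.

```python
"""Walk the 'auth' stack from the quoted system-auth and report which module
settles the result. Added example; the control-flag handling is a simplified
model of pam.conf(5), and module outcomes are assumed from a user profile."""

# The auth lines exactly as quoted in the thread.
SYSTEM_AUTH = """
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

# Classic keywords expanded to the [value=action] form pam.conf(5) gives for them.
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}


def parse_auth_lines(text):
    """Return [(control_dict, module, args)] for the 'auth' lines of a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "auth":
            continue
        if fields[1].startswith("["):
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            spec = " ".join(fields[1:end + 1]).strip("[]")
            control = dict(kv.split("=") for kv in spec.split())
            module, args = fields[end + 1], fields[end + 2:]
        else:
            control = KEYWORDS[fields[1]]
            module, args = fields[2], fields[3:]
        stack.append((control, module, args))
    return stack


def module_result(module, args, user):
    """Assumed outcome of each module for the user profile (a model, not PAM)."""
    if module in ("pam_env.so", "pam_faildelay.so"):
        return "success"
    if module == "pam_fprintd.so":
        return "auth_err"                    # assume no enrolled fingerprint
    if module == "pam_succeed_if.so":        # only the 'uid >= N' form occurs here
        return "success" if user["uid"] >= int(args[2]) else "auth_err"
    if module == "pam_localuser.so":
        return "success" if user["local"] else "perm_denied"
    if module == "pam_unix.so":
        return "success" if user["local"] and user["shadow_pw_ok"] else "auth_err"
    if module == "pam_sss.so":
        return "success" if user["krb5_pw_ok"] else "auth_err"
    if module == "pam_deny.so":
        return "auth_err"
    raise ValueError(module)


def run_auth(stack, user):
    """Return (result, trace); trace lists (module, return, action) for modules that ran."""
    status, trace, i = None, [], 0
    while i < len(stack):
        control, module, args = stack[i]
        ret = module_result(module, args, user)
        action = control.get(ret, control.get("default", "bad"))
        trace.append((module, ret, action))
        i += 1
        if action.isdigit():                 # jump: skip the next N modules, status unchanged
            i += int(action)
        elif action == "ok":                 # first failure sticks, so only set if undecided
            if status is None:
                status = "success"
        elif action == "bad":
            status = "fail"
        elif action == "die":
            return "fail", trace
        elif action == "done":               # terminate now; an earlier 'bad' still wins
            return ("fail" if status == "fail" else "success"), trace
        # 'ignore': neither status nor flow changes
    return ("success" if status == "success" else "fail"), trace


def settling_module(stack, user):
    """(result, last module that ran, names of all modules that ran)."""
    result, trace = run_auth(stack, user)
    return result, trace[-1][0], [m for m, _, _ in trace]


if __name__ == "__main__":
    stack = parse_auth_lines(SYSTEM_AUTH)
    profiles = {
        "local account, same password": {"uid": 1000, "local": True, "shadow_pw_ok": True, "krb5_pw_ok": True},
        "account known only to SSSD":   {"uid": 1000, "local": False, "shadow_pw_ok": False, "krb5_pw_ok": True},
    }
    for name, user in profiles.items():
        result, last, ran = settling_module(stack, user)
        print(f"{name}: {result}, settled by {last}; ran: {' -> '.join(ran)}")
```

For a local account whose shadow password verifies, the walk ends at the `auth sufficient pam_unix.so` line and pam_sss.so never runs, so nothing asks SSSD to authenticate and obtain a ticket; the same stack ends at pam_sss.so for an account only SSSD knows, or for a local account whose shadow password fails. That is the thing to confirm against Lukas's `journalctl --since=-30min | grep pam_`: if no pam_sss line appears for the gdm login, the stack returned before reaching it.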