The last thought that occurred was to run authconfig --test. Authconfig apparently is the command used by various frontends so I thought output from it could point to the problem.
I wish the output would have made more sense to me - it does not quite indicate which files the answers come from.
$ sudo authconfig --test
caching is enabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://SRV1.people.local"
 LDAP base DN = "dc=people,dc=local"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "PEOPLE"
 SMB servers = "SRV1.PEOPLE.LOCAL"
 SMB security = "ads"
 SMB realm = "PEOPLE.LOCAL"
 Winbind template shell = "/bin/false"
 SMB idmap range = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = ""
 krb5 realm via dns is disabled
 krb5 kdc = ""
 krb5 kdc via dns is disabled
 krb5 admin server = ""
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://SRV1.people.local"
 LDAP base DN = "dc=people,dc=local"
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
 SMB workgroup = "PEOPLE"
 SMB servers = "SRV1.PEOPLE.LOCAL"
 SMB security = "ads"
 SMB realm = "PEOPLE.LOCAL"
pam_sss is enabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
 IPAv2 domain was not joined
 IPAv2 server = ""
 IPAv2 realm = ""
 IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is enabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
$
Thanks for looking at this,
Roberts
On 10/26/2013 06:36 AM, Roberts Klotiņš wrote:
--
Roberts Klotins
On 25 October 2013 13:00, <sssd-users-request@lists.fedorahosted.org> wrote:

Today's Topics:

1. Re: sssd-users Digest, Vol 18, Issue 25 (Jakub Hrozek)
2. sssd - GDM login (Roberts Klotiņš)

----------------------------------------------------------------------

Message: 1
Date: Fri, 25 Oct 2013 10:02:15 +0200
From: Jakub Hrozek <jhrozek@redhat.com>
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] sssd-users Digest, Vol 18, Issue 25
Message-ID: <20131025080215.GC7624@hendrix.brq.redhat.com>
Content-Type: text/plain; charset=utf-8

On Fri, Oct 25, 2013 at 09:58:48AM +0200, Jakub Hrozek wrote:
> On Fri, Oct 25, 2013 at 02:25:04AM +0100, Roberts Klotiņš wrote:
> > Hi again, still trying to understand how to make the setup to work.
> >
> > As the very last thing I thought to check into /etc/sysconfig/authconfig.
> > What I found was that usekerberos and useldap were set to no. Maybe they
> > (or at least kerberos) need to be set to yes?
> >
>
> Did you have a chance to gather the debug logs I asked about earlier?

Ah, sorry, it was stuck in moderation. I let that e-mail through.

------------------------------

Message: 2
Date: Fri, 25 Oct 2013 09:47:27 +0100
From: Roberts Klotiņš <roberts.klotins@gmail.com>
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] sssd - GDM login
Message-ID: <CALr2nHsBoDisjrDoTrMX7uNBJTwrBDvsUAeQQbR=8pFDHxRUrw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi,

I did send them to the list, but at debug level 7 sssd_PEOPLE.log file they were about 15s KB in total and I sent them as an attachment. I was told to await till the post is approved by moderator because size over 40KB.

I now put this same file edited for usernames and more descriptive host names on http://pastebin.com/ZRkmMgi6

sssd_PEOPLE.log was 15 KB
krb5_child.log was empty - 0 bytes.

With thanks,
Roberts

------------------------------

End of sssd-users Digest, Vol 18, Issue 29
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Data comes from nsswitch.conf and pam.conf and specific pam configurations. What it says is that SSSD is configured for authentication and identity lookups but that your SSSD is not configured to use IPA. This is as much as I can see from the output.
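Added example, not part of the original thread and not code from the SSSD or authconfig projects: a small Python reader that shows where "nss_sss is enabled" and "pam_sss is enabled" come from by parsing nsswitch.conf and a PAM stack directly. The two file bodies are constructed samples, and the function names are made up for this illustration.

```python
import re

# Constructed sample file contents (not taken from the poster's machine).
NSSWITCH_CONF = """\
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
"""
SYSTEM_AUTH = """\
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type=
password    sufficient    pam_sss.so use_authtok
session     optional      pam_oddjob_mkhomedir.so
session     optional      pam_sss.so
"""

def nss_sources(text):
    """Map each NSS database (passwd, group, ...) to its ordered sources."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            database, sources = line.split(":", 1)
            # Bracketed items such as [NOTFOUND=return] are actions, not sources.
            result[database.strip()] = re.sub(r"\[[^\]]*\]", " ", sources).split()
    return result

PAM_LINE = re.compile(r"-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def pam_modules(text):
    """Map each PAM type to the modules stacked for it, in file order."""
    result = {}
    for raw in text.splitlines():
        match = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if match:
            name = re.sub(r"\.so$", "", match.group(3).rsplit("/", 1)[-1])
            result.setdefault(match.group(1), []).append(name)
    return result

def sssd_usage(nss_text, pam_text):
    """Report which NSS databases and PAM types are wired to SSSD."""
    nss, pam = nss_sources(nss_text), pam_modules(pam_text)
    return {"nss_sss": sorted(d for d, s in nss.items() if "sss" in s),
            "pam_sss": sorted(t for t, m in pam.items() if "pam_sss" in m)}
```

On a real host the same functions can be fed the text of /etc/nsswitch.conf and /etc/pam.d/system-auth.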