11:24 a.m.
On Fri, Aug 18, 2017 at 11:58 AM, Louis Garcia <louisgtwo(a)gmail.com> wrote:
On Fri, Aug 18, 2017 at 4:08 AM, Jakub Hrozek
<jhrozek(a)redhat.com> wrote:
> On Fri, Aug 18, 2017 at 08:42:34AM +0200, Lukas Slebodnik wrote:
> > On (17/08/17 12:38), Louis Garcia wrote:
> > >Sorry to mail you directly but I think the sssd user mailing list is
> not
> > >accepting my emails. I replied twice to this thread yesterday and both
> > >bounced.
> > >
> >
>
> > I have no idea why you have problems to send a mails there.
>
> Sorry, this is partially my fault. I should be watching the moderation
> queue, but lately we've been getting so much spam (sometimes one spam
> attempt per hour) that I overlooked your e-mail.
>
> You can subscribe to the list and then your messages will go right to
> the list w/o the moderation queue!
>
sssd-users-request(a)lists.fedorahosted.org
Aug 15 (3 days ago)
to me
Welcome to the "sssd-users" mailing list!
I subscribed here:
https://lists.fedorahosted.org/admin/lists/sssd-users.lists.fedorahosted....
and I receive all emails from the list but I don't have a user account.
How do I properly subscribe?
11:54 a.m.
New subject: SSSD user mailing list: Unable to login to my kerberos realm
On Fri, Aug 18, 2017 at 12:24 PM, Louis Garcia <louisgtwo(a)gmail.com> wrote:
On Fri, Aug 18, 2017 at 11:58 AM, Louis Garcia
<louisgtwo(a)gmail.com>
wrote:
> On Fri, Aug 18, 2017 at 4:08 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
>
>> On Fri, Aug 18, 2017 at 08:42:34AM +0200, Lukas Slebodnik wrote:
>> > On (17/08/17 12:38), Louis Garcia wrote:
>> > >Sorry to mail you directly but I think the sssd user mailing list is
>> not
>> > >accepting my emails. I replied twice to this thread yesterday and both
>> > >bounced.
>> > >
>> >
>>
>> > I have no idea why you have problems to send a mails there.
>>
>> Sorry, this is partially my fault. I should be watching the moderation
>> queue, but lately we've been getting so much spam (sometimes one spam
>> attempt per hour) that I overlooked your e-mail.
>>
>> You can subscribe to the list and then your messages will go right to
>> the list w/o the moderation queue!
>>
>
> sssd-users-request(a)lists.fedorahosted.org
> Aug 15 (3 days ago)
>
>
> to me
> Welcome to the "sssd-users" mailing list!
>
I subscribed here: https://lists.fedorahosted.org/admin/lists/sssd-users.
lists.fedorahosted.org/ and I receive all emails from the list but I
don't have a user account.
How do I properly subscribe?
I test by login out of gnome and login back in. After I open a terminal and
run klist
klist: Credentials cache keyring 'persistent:1000:1000' not found
Then I need to kinit and if I klist again
Ticket cache: KEYRING:persistent:1000:1000
Default principal: louisgtwo(a)MONTCLAIRE.LOCAL
Valid starting Expires Service principal
08/18/2017 12:33:50 08/19/2017 12:33:33
krbtgt/MONTCLAIRE.LOCAL(a)MONTCLAIRE.LOCAL
after that I can ssh and mount nfs4 krb5p. I want to receive my ticket when
I login.
I am not sure how to search journald. I used 'journalctl -u pam' with no
effect
#cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >=
1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass
use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
session optional pam_sss.so
# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >=
1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass
use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
session optional pam_sss.so
2:37 p.m.
New subject: SSSD user mailing list: Unable to login to my kerberos realm
On Fri, Aug 18, 2017 at 12:54 PM, Louis Garcia <louisgtwo(a)gmail.com> wrote:
On Fri, Aug 18, 2017 at 12:24 PM, Louis Garcia
<louisgtwo(a)gmail.com>
wrote:
> On Fri, Aug 18, 2017 at 11:58 AM, Louis Garcia <louisgtwo(a)gmail.com>
> wrote:
>
>> On Fri, Aug 18, 2017 at 4:08 AM, Jakub Hrozek <jhrozek(a)redhat.com>
>> wrote:
>>
>>> On Fri, Aug 18, 2017 at 08:42:34AM +0200, Lukas Slebodnik wrote:
>>> > On (17/08/17 12:38), Louis Garcia wrote:
>>> > >Sorry to mail you directly but I think the sssd user mailing list
is
>>> not
>>> > >accepting my emails. I replied twice to this thread yesterday and
>>> both
>>> > >bounced.
>>> > >
>>> >
>>>
>>> > I have no idea why you have problems to send a mails there.
>>>
>>> Sorry, this is partially my fault. I should be watching the moderation
>>> queue, but lately we've been getting so much spam (sometimes one spam
>>> attempt per hour) that I overlooked your e-mail.
>>>
>>> You can subscribe to the list and then your messages will go right to
>>> the list w/o the moderation queue!
>>>
>>
>> sssd-users-request(a)lists.fedorahosted.org
>> Aug 15 (3 days ago)
>>
>>
>> to me
>> Welcome to the "sssd-users" mailing list!
>>
>
> I subscribed here: https://lists.fedorahosted.org
> /admin/lists/sssd-users.lists.fedorahosted.org/ and I receive all emails
> from the list but I don't have a user account.
> How do I properly subscribe?
>
>
I test by login out of gnome and login back in. After I open a terminal
and run klist
klist: Credentials cache keyring 'persistent:1000:1000' not found
Then I need to kinit and if I klist again
Ticket cache: KEYRING:persistent:1000:1000
Default principal: louisgtwo(a)MONTCLAIRE.LOCAL
Valid starting Expires Service principal
08/18/2017 12:33:50 08/19/2017 12:33:33 krbtgt/MONTCLAIRE.LOCAL@
MONTCLAIRE.LOCAL
after that I can ssh and mount nfs4 krb5p. I want to receive my ticket
when I login.
I am not sure how to search journald. I used 'journalctl -u pam' with no
effect
#cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >=
1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass
use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
session optional pam_sss.so
# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >=
1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass
use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
session optional pam_sss.so
do I need to login to gdm with my domain realm? louisgtwo(a)montclaire.local
??
4:03 p.m.
New subject: SSSD user mailing list: Unable to login to my kerberos realm
On (18/08/17 15:37), Louis Garcia wrote:
On Fri, Aug 18, 2017 at 12:54 PM, Louis Garcia
<louisgtwo(a)gmail.com> wrote:
> On Fri, Aug 18, 2017 at 12:24 PM, Louis Garcia <louisgtwo(a)gmail.com>
> wrote:
>
>> On Fri, Aug 18, 2017 at 11:58 AM, Louis Garcia <louisgtwo(a)gmail.com>
>> wrote:
>>
>>> On Fri, Aug 18, 2017 at 4:08 AM, Jakub Hrozek <jhrozek(a)redhat.com>
>>> wrote:
>>>
>>>> On Fri, Aug 18, 2017 at 08:42:34AM +0200, Lukas Slebodnik wrote:
>>>> > On (17/08/17 12:38), Louis Garcia wrote:
>>>> > >Sorry to mail you directly but I think the sssd user mailing
list is
>>>> not
>>>> > >accepting my emails. I replied twice to this thread yesterday
and
>>>> both
>>>> > >bounced.
>>>> > >
>>>> >
>>>>
>>>> > I have no idea why you have problems to send a mails there.
>>>>
>>>> Sorry, this is partially my fault. I should be watching the moderation
>>>> queue, but lately we've been getting so much spam (sometimes one
spam
>>>> attempt per hour) that I overlooked your e-mail.
>>>>
>>>> You can subscribe to the list and then your messages will go right to
>>>> the list w/o the moderation queue!
>>>>
>>>
>>> sssd-users-request(a)lists.fedorahosted.org
>>> Aug 15 (3 days ago)
>>>
>>>
>>> to me
>>> Welcome to the "sssd-users" mailing list!
>>>
>>
>> I subscribed here: https://lists.fedorahosted.org
>> /admin/lists/sssd-users.lists.fedorahosted.org/ and I receive all emails
>> from the list but I don't have a user account.
>> How do I properly subscribe?
>>
>>
> I test by login out of gnome and login back in. After I open a terminal
> and run klist
>
> klist: Credentials cache keyring 'persistent:1000:1000' not found
>
> Then I need to kinit and if I klist again
>
> Ticket cache: KEYRING:persistent:1000:1000
> Default principal: louisgtwo(a)MONTCLAIRE.LOCAL
>
> Valid starting Expires Service principal
> 08/18/2017 12:33:50 08/19/2017 12:33:33 krbtgt/MONTCLAIRE.LOCAL@
> MONTCLAIRE.LOCAL
>
>
> after that I can ssh and mount nfs4 krb5p. I want to receive my ticket
> when I login.
>
> I am not sure how to search journald. I used 'journalctl -u pam' with no
> effect
>
IMHO the simplest would be following command.
journalctl --since=-30min | grep pam_
> #cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth required pam_faildelay.so delay=2000000
> auth sufficient pam_fprintd.so
> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >=
> 1000 quiet
> auth [default=1 ignore=ignore success=ok] pam_localuser.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_pwquality.so try_first_pass local_users_only
> retry=3 authtok_type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass
> use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> # cat /etc/pam.d/password-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth required pam_faildelay.so delay=2000000
> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >=
> 1000 quiet
> auth [default=1 ignore=ignore success=ok] pam_localuser.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_pwquality.so try_first_pass local_users_only
> retry=3 authtok_type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass
> use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
>
do I need to login to gdm with my domain realm? louisgtwo(a)montclaire.local
??
It should not be related to your issue. But realm is usually uppercase.
You use id_provider files + auth_provider krb5.
I assume that local user still have a local password.
Is local password(in /etc/shadow) the same as you have for kerberos(passed to
kinit)?
BTW if you still have local password then you will be able to login
with both passwords. But only logging with krb5 password will obtain ticket for
you. otherwise pam_unix will be used an not pam_sss.
If you have root password then you can delete local password with
passwd --delete $local_user.
So you will not use local password by mistake for login.
LS
5:58 p.m.
New subject: SSSD user mailing list: Unable to login to my kerberos realm
On Fri, Aug 18, 2017 at 5:03 PM, Lukas Slebodnik <lslebodn(a)redhat.com>
wrote:
On (18/08/17 15:37), Louis Garcia wrote:
>On Fri, Aug 18, 2017 at 12:54 PM, Louis Garcia <louisgtwo(a)gmail.com>
wrote:
>
>> On Fri, Aug 18, 2017 at 12:24 PM, Louis Garcia <louisgtwo(a)gmail.com>
>> wrote:
>>
>>> On Fri, Aug 18, 2017 at 11:58 AM, Louis Garcia <louisgtwo(a)gmail.com>
>>> wrote:
>>>
>>>> On Fri, Aug 18, 2017 at 4:08 AM, Jakub Hrozek
<jhrozek(a)redhat.com>
>>>> wrote:
>>>>
>>>>> On Fri, Aug 18, 2017 at 08:42:34AM +0200, Lukas Slebodnik wrote:
>>>>> > On (17/08/17 12:38), Louis Garcia wrote:
>>>>> > >Sorry to mail you directly but I think the sssd user
mailing list
is
>>>>> not
>>>>> > >accepting my emails. I replied twice to this thread
yesterday and
>>>>> both
>>>>> > >bounced.
>>>>> > >
>>>>> >
>>>>>
>>>>> > I have no idea why you have problems to send a mails there.
>>>>>
>>>>> Sorry, this is partially my fault. I should be watching the
moderation
>>>>> queue, but lately we've been getting so much spam (sometimes one
spam
>>>>> attempt per hour) that I overlooked your e-mail.
>>>>>
>>>>> You can subscribe to the list and then your messages will go right
to
>>>>> the list w/o the moderation queue!
>>>>>
>>>>
>>>> sssd-users-request(a)lists.fedorahosted.org
>>>> Aug 15 (3 days ago)
>>>>
>>>>
>>>> to me
>>>> Welcome to the "sssd-users" mailing list!
>>>>
>>>
>>> I subscribed here: https://lists.fedorahosted.org
>>> /admin/lists/sssd-users.lists.fedorahosted.org/ and I receive all
emails
>>> from the list but I don't have a user account.
>>> How do I properly subscribe?
>>>
>>>
>> I test by login out of gnome and login back in. After I open a terminal
>> and run klist
>>
>> klist: Credentials cache keyring 'persistent:1000:1000' not found
>>
>> Then I need to kinit and if I klist again
>>
>> Ticket cache: KEYRING:persistent:1000:1000
>> Default principal: louisgtwo(a)MONTCLAIRE.LOCAL
>>
>> Valid starting Expires Service principal
>> 08/18/2017 12:33:50 08/19/2017 12:33:33 krbtgt/MONTCLAIRE.LOCAL@
>> MONTCLAIRE.LOCAL
>>
>>
>> after that I can ssh and mount nfs4 krb5p. I want to receive my ticket
>> when I login.
>>
>> I am not sure how to search journald. I used 'journalctl -u pam' with
no
>> effect
>>
IMHO the simplest would be following command.
journalctl --since=-30min | grep pam_
>> #cat /etc/pam.d/system-auth
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth required pam_faildelay.so delay=2000000
>> auth sufficient pam_fprintd.so
>> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid
>=
>> 1000 quiet
>> auth [default=1 ignore=ignore success=ok] pam_localuser.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
>> auth sufficient pam_sss.so forward_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 1000 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>> account required pam_permit.so
>>
>> password requisite pam_pwquality.so try_first_pass
local_users_only
>> retry=3 authtok_type=
>> password sufficient pam_unix.so sha512 shadow nullok
try_first_pass
>> use_authtok
>> password sufficient pam_sss.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> -session optional pam_systemd.so
>> session [success=1 default=ignore] pam_succeed_if.so service in
crond
>> quiet use_uid
>> session required pam_unix.so
>> session optional pam_sss.so
>>
>> # cat /etc/pam.d/password-auth
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth required pam_faildelay.so delay=2000000
>> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid
>=
>> 1000 quiet
>> auth [default=1 ignore=ignore success=ok] pam_localuser.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
>> auth sufficient pam_sss.so forward_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 1000 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>> account required pam_permit.so
>>
>> password requisite pam_pwquality.so try_first_pass
local_users_only
>> retry=3 authtok_type=
>> password sufficient pam_unix.so sha512 shadow nullok
try_first_pass
>> use_authtok
>> password sufficient pam_sss.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> -session optional pam_systemd.so
>> session [success=1 default=ignore] pam_succeed_if.so service in
crond
>> quiet use_uid
>> session required pam_unix.so
>> session optional pam_sss.so
>>
>>
>do I need to login to gdm with my domain realm? louisgtwo(a)montclaire.local
>??
It should not be related to your issue. But realm is usually uppercase.
uppercase doesn't work either.
You use id_provider files + auth_provider krb5.
If I remove id_provider files and auth_provider krb5 is not working I will
be locked out?
If I switch the domains will sssd search krb5 first?
[domain/files]
auth_provider = krb5
id_provider = files
I assume that local user still have a local password.
Is local password(in /etc/shadow) the same as you have for
kerberos(passed
to
kinit)?
I have a local user/passwd that is the same for kerberos, this is how I
login now.
I believe their is a bug for this.
https://bugzilla.redhat.com/show_bug.cgi?id=1429843
If I delete the passwd from the local box my account will not show up in
gdm login screen.
Yes I have tried this and could not login going through 'not listed?'. I
would rather get sssd working before I remove the local account.
BTW if you still have local password then you will be able to login
with both passwords. But only logging with krb5 password will obtain
ticket for
you. otherwise pam_unix will be used an not pam_sss.
If you have root password then you can delete local password with
passwd --delete $local_user.
So you will not use local password by mistake for login.
LS
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
#journalctl --since=-30min | grep pam_
Aug 18 18:32:34 kitten.montclaire.local gdm-password][5376]:
pam_unix(gdm-password:session): session closed for user louisgtwo
Aug 18 18:32:34 kitten.montclaire.local audit[5376]: USER_END pid=5376
uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_
keyinit,pam_namespace,pam_keyinit,pam_limits,pam_
systemd,pam_unix,pam_sss,pam_gnome_keyring acct="louisgtwo"
exe="/usr/libexec/gdm-session-worker" hostname=kitten.montclaire.local
addr=? terminal=/dev/tty2 res=success'
Aug 18 18:32:34 kitten.montclaire.local audit[5376]: CRED_DISP pid=5376
uid=0 auid=1000 ses=4 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
msg='op=PAM:setcred grantors=pam_localuser,pam_unix,pam_gnome_keyring
acct="louisgtwo" exe="/usr/libexec/gdm-session-worker"
hostname=kitten.montclaire.local addr=? terminal=/dev/tty2 res=success'
Aug 18 18:33:14 kitten.montclaire.local gdm-password][8494]:
pam_unix(gdm-password:auth): check pass; user unknown
Aug 18 18:33:14 kitten.montclaire.local gdm-password][8494]:
pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0
tty=/dev/tty1 ruser= rhost=
Aug 18 18:33:27 kitten.montclaire.local gdm-password][8501]:
pam_unix(gdm-password:auth): check pass; user unknown
Aug 18 18:33:27 kitten.montclaire.local gdm-password][8501]:
pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0
tty=/dev/tty1 ruser= rhost=
Aug 18 18:33:39 kitten.montclaire.local audit[8505]: USER_AUTH pid=8505
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
msg='op=PAM:authentication grantors=pam_succeed_if,pam_
localuser,pam_unix,pam_gnome_keyring acct="louisgtwo"
exe="/usr/libexec/gdm-session-worker" hostname=kitten.montclaire.local
addr=? terminal=/dev/tty1 res=success'
Aug 18 18:33:39 kitten.montclaire.local audit[8505]: USER_ACCT pid=8505
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="louisgtwo"
exe="/usr/libexec/gdm-session-worker" hostname=kitten.montclaire.local
addr=? terminal=/dev/tty1 res=success'
Aug 18 18:33:39 kitten.montclaire.local audit[8505]: CRED_ACQ pid=8505
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
msg='op=PAM:setcred grantors=pam_localuser,pam_unix,pam_gnome_keyring
acct="louisgtwo" exe="/usr/libexec/gdm-session-worker"
hostname=kitten.montclaire.local addr=? terminal=/dev/tty1 res=success'
Aug 18 18:33:39 kitten.montclaire.local audit[8512]: USER_ACCT pid=8512
uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="louisgtwo"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 18 18:33:39 kitten.montclaire.local systemd[8512]:
pam_unix(systemd-user:session): session opened for user louisgtwo by (uid=0)
Aug 18 18:33:39 kitten.montclaire.local audit[8512]: USER_START pid=8512
uid=0 auid=1000 ses=7 subj=system_u:system_r:init_t:s0
msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_
keyinit,pam_limits,pam_systemd,pam_unix,pam_sss acct="louisgtwo"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 18 18:33:40 kitten.montclaire.local gdm-password][8505]:
pam_unix(gdm-password:session): session opened for user louisgtwo by
louisgtwo(uid=0)
Aug 18 18:33:40 kitten.montclaire.local audit[8505]: USER_START pid=8505
uid=0 auid=1000 ses=6 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_
keyinit,pam_namespace,pam_keyinit,pam_limits,pam_
systemd,pam_unix,pam_sss,pam_gnome_keyring acct="louisgtwo"
exe="/usr/libexec/gdm-session-worker" hostname=kitten.montclaire.local
addr=? terminal=/dev/tty2 res=success'
Aug 18 18:34:21 kitten.montclaire.local audit[9330]: USER_AUTH pid=9330
uid=1000 auid=1000 ses=7
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:authentication grantors=pam_unix acct="root"
exe="/usr/bin/su"
hostname=kitten.montclaire.local addr=? terminal=pts/0 res=success'
Aug 18 18:34:21 kitten.montclaire.local audit[9330]: USER_ACCT pid=9330
uid=1000 auid=1000 ses=7
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root"
exe="/usr/bin/su" hostname=kitten.montclaire.local addr=? terminal=pts/0
res=success'
Aug 18 18:34:21 kitten.montclaire.local audit[9330]: CRED_ACQ pid=9330
uid=1000 auid=1000 ses=7
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:setcred grantors=pam_unix acct="root"
exe="/usr/bin/su"
hostname=kitten.montclaire.local addr=? terminal=pts/0 res=success'
Aug 18 18:34:21 kitten.montclaire.local su[9330]: pam_systemd(su:session):
Cannot create session: Already occupied by a session
Aug 18 18:34:21 kitten.montclaire.local su[9330]: pam_unix(su:session):
session opened for user root by (uid=1000)
Aug 18 18:34:21 kitten.montclaire.local audit[9330]: USER_START pid=9330
uid=1000 auid=1000 ses=7
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix
acct="root" exe="/usr/bin/su" hostname=kitten.montclaire.local addr=?
terminal=pts/0 res=success'
3:45 a.m.
New subject: SSSD user mailing list: Unable to login to my kerberos realm
On (18/08/17 18:58), Louis Garcia wrote:
On Fri, Aug 18, 2017 at 5:03 PM, Lukas Slebodnik
<lslebodn(a)redhat.com>
wrote:
> On (18/08/17 15:37), Louis Garcia wrote:
> >On Fri, Aug 18, 2017 at 12:54 PM, Louis Garcia <louisgtwo(a)gmail.com>
> wrote:
> >
> >> On Fri, Aug 18, 2017 at 12:24 PM, Louis Garcia <louisgtwo(a)gmail.com>
> >> wrote:
> >>
> >>> On Fri, Aug 18, 2017 at 11:58 AM, Louis Garcia
<louisgtwo(a)gmail.com>
> >>> wrote:
> >>>
> >>>> On Fri, Aug 18, 2017 at 4:08 AM, Jakub Hrozek
<jhrozek(a)redhat.com>
> >>>> wrote:
> >>>>
> >>>>> On Fri, Aug 18, 2017 at 08:42:34AM +0200, Lukas Slebodnik
wrote:
> >>>>> > On (17/08/17 12:38), Louis Garcia wrote:
> >>>>> > >Sorry to mail you directly but I think the sssd user
mailing list
> is
> >>>>> not
> >>>>> > >accepting my emails. I replied twice to this thread
yesterday and
> >>>>> both
> >>>>> > >bounced.
> >>>>> > >
> >>>>> >
> >>>>>
> >>>>> > I have no idea why you have problems to send a mails
there.
> >>>>>
> >>>>> Sorry, this is partially my fault. I should be watching the
> moderation
> >>>>> queue, but lately we've been getting so much spam (sometimes
one spam
> >>>>> attempt per hour) that I overlooked your e-mail.
> >>>>>
> >>>>> You can subscribe to the list and then your messages will go
right to
> >>>>> the list w/o the moderation queue!
> >>>>>
> >>>>
> >>>> sssd-users-request(a)lists.fedorahosted.org
> >>>> Aug 15 (3 days ago)
> >>>>
> >>>>
> >>>> to me
> >>>> Welcome to the "sssd-users" mailing list!
> >>>>
> >>>
> >>> I subscribed here: https://lists.fedorahosted.org
> >>> /admin/lists/sssd-users.lists.fedorahosted.org/ and I receive all
> emails
> >>> from the list but I don't have a user account.
> >>> How do I properly subscribe?
> >>>
> >>>
> >> I test by login out of gnome and login back in. After I open a terminal
> >> and run klist
> >>
> >> klist: Credentials cache keyring 'persistent:1000:1000' not found
> >>
> >> Then I need to kinit and if I klist again
> >>
> >> Ticket cache: KEYRING:persistent:1000:1000
> >> Default principal: louisgtwo(a)MONTCLAIRE.LOCAL
> >>
> >> Valid starting Expires Service principal
> >> 08/18/2017 12:33:50 08/19/2017 12:33:33 krbtgt/MONTCLAIRE.LOCAL@
> >> MONTCLAIRE.LOCAL
> >>
> >>
> >> after that I can ssh and mount nfs4 krb5p. I want to receive my ticket
> >> when I login.
> >>
> >> I am not sure how to search journald. I used 'journalctl -u pam'
with no
> >> effect
> >>
> IMHO the simplest would be following command.
> journalctl --since=-30min | grep pam_
>
>
> >> #cat /etc/pam.d/system-auth
> >> #%PAM-1.0
> >> # This file is auto-generated.
> >> # User changes will be destroyed the next time authconfig is run.
> >> auth required pam_env.so
> >> auth required pam_faildelay.so delay=2000000
> >> auth sufficient pam_fprintd.so
> >> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid
> >=
> >> 1000 quiet
> >> auth [default=1 ignore=ignore success=ok] pam_localuser.so
> >> auth sufficient pam_unix.so nullok try_first_pass
> >> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> >> auth sufficient pam_sss.so forward_pass
> >> auth required pam_deny.so
> >>
> >> account required pam_unix.so
> >> account sufficient pam_localuser.so
> >> account sufficient pam_succeed_if.so uid < 1000 quiet
> >> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> >> account required pam_permit.so
> >>
> >> password requisite pam_pwquality.so try_first_pass
> local_users_only
> >> retry=3 authtok_type=
> >> password sufficient pam_unix.so sha512 shadow nullok
> try_first_pass
> >> use_authtok
> >> password sufficient pam_sss.so use_authtok
> >> password required pam_deny.so
> >>
> >> session optional pam_keyinit.so revoke
> >> session required pam_limits.so
> >> -session optional pam_systemd.so
> >> session [success=1 default=ignore] pam_succeed_if.so service in
> crond
> >> quiet use_uid
> >> session required pam_unix.so
> >> session optional pam_sss.so
> >>
> >> # cat /etc/pam.d/password-auth
> >> #%PAM-1.0
> >> # This file is auto-generated.
> >> # User changes will be destroyed the next time authconfig is run.
> >> auth required pam_env.so
> >> auth required pam_faildelay.so delay=2000000
> >> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid
> >=
> >> 1000 quiet
> >> auth [default=1 ignore=ignore success=ok] pam_localuser.so
> >> auth sufficient pam_unix.so nullok try_first_pass
> >> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> >> auth sufficient pam_sss.so forward_pass
> >> auth required pam_deny.so
> >>
> >> account required pam_unix.so
> >> account sufficient pam_localuser.so
> >> account sufficient pam_succeed_if.so uid < 1000 quiet
> >> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> >> account required pam_permit.so
> >>
> >> password requisite pam_pwquality.so try_first_pass
> local_users_only
> >> retry=3 authtok_type=
> >> password sufficient pam_unix.so sha512 shadow nullok
> try_first_pass
> >> use_authtok
> >> password sufficient pam_sss.so use_authtok
> >> password required pam_deny.so
> >>
> >> session optional pam_keyinit.so revoke
> >> session required pam_limits.so
> >> -session optional pam_systemd.so
> >> session [success=1 default=ignore] pam_succeed_if.so service in
> crond
> >> quiet use_uid
> >> session required pam_unix.so
> >> session optional pam_sss.so
> >>
> >>
> >do I need to login to gdm with my domain realm? louisgtwo(a)montclaire.local
> >??
> It should not be related to your issue. But realm is usually uppercase.
>
> uppercase doesn't work either.
> You use id_provider files + auth_provider krb5.
>
If I remove id_provider files and auth_provider krb5 is not working I will
be locked out?
If I switch the domains will sssd search krb5 first?
[domain/files]
auth_provider = krb5
id_provider = files
I assume that local user still have a local password.
Chaging order of lines does not change anything.
> Is local password(in /etc/shadow) the same as you have for
kerberos(passed
> to
> kinit)?
>
> I have a local user/passwd that is the same for kerberos, this is how I
login now. I believe their is a bug for this.
https://bugzilla.redhat.com/show_bug.cgi?id=1429843
That BZ used totally different configuration and I already wrote it in ticket.
You cannot hit this bug.
If I delete the passwd from the local box my account will not show up
in
gdm login screen.
Yes I have tried this and could not login going through 'not listed?'. I
would rather get sssd working before I remove the local account.
I am not familiar with gdm but I assume you can manually type user there.
And if gdb does not remember manually typed user next time then it sounds
like a bug in gdm.
LS
3:57 a.m.
New subject: SSSD user mailing list: Unable to login to my kerberos realm
I think it would be better to start from scratch:
Please answer to following question:
Is your local password the same as kerberos password?
And much simpler would be to test without gdm.
Please open one console as *root* and run following command
sh# journalctl -f > my_journal_output.log
Open another console as *ordinary user* and run following commands just with you user:
sh$ date
Sat Aug 19 10:41:36 CEST 2017
sh$ kdestroy -A
# use kerberos password for test_user
sh$ su - test_user
Password:
sh$ klist
Ticket cache: FILE:/tmp/ccache_gjwisq
Default principal: test_user(a)EXAMPLE.COM
Valid starting Expires Service principal
08/19/2017 10:42:17 08/19/2017 20:42:17 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
sh$ date
Sat Aug 19 10:42:21 CEST 2017
Then jump to the 1st terminal and stop command (ctrl-c).
+ run following command
sh# ps aux | grep ss[s]
root 29712 0.0 0.0 277304 9672 ? Ss Aug18 0:00 /usr/sbin/sssd -i -f
root 29715 0.0 0.0 296268 13240 ? S Aug18 0:00
/usr/libexec/sssd/sssd_be --domain files.example --uid 0 --gid 0 --debug-to-files
root 29717 0.0 0.2 282388 33156 ? S Aug18 0:00
/usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
root 29718 0.0 0.0 262040 8624 ? S Aug18 0:00
/usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
And then attach sssd.conf, my_journal_output.log and sssd log files.
If you are not subscribed to sssd-users then write mail directly to me
and add sssd-users to cc. I will get mail even though it will be blocked
in sssd-users moderation queue.
LS
4:01 a.m.
New subject: SSSD user mailing list: Unable to login to my kerberos realm
On (19/08/17 10:57), Lukas Slebodnik wrote:
I think it would be better to start from scratch:
Please answer to following question:
Is your local password the same as kerberos password?
And much simpler would be to test without gdm.
Please open one console as *root* and run following command
sh# journalctl -f > my_journal_output.log
Open another console as *ordinary user* and run following commands just with you user:
sh$ date
Sat Aug 19 10:41:36 CEST 2017
sh$ kdestroy -A
# use kerberos password for test_user
sh$ su - test_user
Password:
sh$ klist
Ticket cache: FILE:/tmp/ccache_gjwisq
Default principal: test_user(a)EXAMPLE.COM
Valid starting Expires Service principal
08/19/2017 10:42:17 08/19/2017 20:42:17 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
sh$ date
Sat Aug 19 10:42:21 CEST 2017
Then jump to the 1st terminal and stop command (ctrl-c).
+ run following command
sh# ps aux | grep ss[s]
root 29712 0.0 0.0 277304 9672 ? Ss Aug18 0:00 /usr/sbin/sssd -i -f
root 29715 0.0 0.0 296268 13240 ? S Aug18 0:00
/usr/libexec/sssd/sssd_be --domain files.example --uid 0 --gid 0 --debug-to-files
root 29717 0.0 0.2 282388 33156 ? S Aug18 0:00
/usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
root 29718 0.0 0.0 262040 8624 ? S Aug18 0:00
/usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
And then attach sssd.conf, my_journal_output.log and sssd log files.
BTW here is the most important part of my_journal_output.log
on my system.
Aug 19 10:59:19 host.example.com su[32502]: pam_unix(su-l:auth): authentication failure;
logname=test_user uid=1000 euid=0 tty=pts/18 ruser=test_user rhost= user=test_user
Aug 19 10:59:20 host.example.com su[32502]: pam_sss(su-l:auth): authentication success;
logname=test_user uid=1000 euid=0 tty=pts/18 ruser=test_user rhost= user=test_user
LS
1:45 p.m.
New subject: SSSD user mailing list: Unable to login to my kerberos realm
On Sat, Aug 19, 2017 at 5:01 AM, Lukas Slebodnik <lslebodn(a)redhat.com>
wrote:
On (19/08/17 10:57), Lukas Slebodnik wrote:
>I think it would be better to start from scratch:
You did tell me that I was not hitting that RH bug. Sorry.
>
>Please answer to following question:
>Is your local password the same as kerberos password?
Yes
>And much simpler would be to test without gdm.
I switched tty, instead of logging on through gdm I logged on at the
console with same result.
>
>Please open one console as *root* and run following command
> sh# journalctl -f > my_journal_output.log
>
>Open another console as *ordinary user* and run following commands just
with you user:
>
> sh$ date
> Sat Aug 19 10:41:36 CEST 2017
>
> sh$ kdestroy -A
>
> # use kerberos password for test_user
> sh$ su - test_user
> Password:
>
> sh$ klist
> Ticket cache: FILE:/tmp/ccache_gjwisq
> Default principal: test_user(a)EXAMPLE.COM
>
> Valid starting Expires Service principal
> 08/19/2017 10:42:17 08/19/2017 20:42:17 krbtgt/
EXAMPLE.COM(a)EXAMPLE.COM
>
> sh$ date
> Sat Aug 19 10:42:21 CEST 2017
>
>
>
>Then jump to the 1st terminal and stop command (ctrl-c).
>+ run following command
> sh# ps aux | grep ss[s]
> root 29712 0.0 0.0 277304 9672 ? Ss Aug18 0:00
/usr/sbin/sssd -i -f
> root 29715 0.0 0.0 296268 13240 ? S Aug18 0:00
/usr/libexec/sssd/sssd_be --domain files.example --uid 0 --gid 0
--debug-to-files
> root 29717 0.0 0.2 282388 33156 ? S Aug18 0:00
/usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
> root 29718 0.0 0.0 262040 8624 ? S Aug18 0:00
/usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
>
>
>And then attach sssd.conf, my_journal_output.log and sssd log files.
>
BTW here is the most important part of my_journal_output.log
on my system.
Aug 19 10:59:19 host.example.com su[32502]: pam_unix(su-l:auth):
authentication failure; logname=test_user uid=1000 euid=0 tty=pts/18
ruser=test_user rhost= user=test_user
Aug 19 10:59:20 host.example.com su[32502]: pam_sss(su-l:auth):
authentication success; logname=test_user uid=1000 euid=0 tty=pts/18
ruser=test_user rhost= user=test_user
I do not see this in my log. I still believe sssd is not getting my login
info.
it's going straight to pam and local user.
Jakub made it look oh so easy. https://www.youtube.com/watch?v=qEsBVckPpk4
Thank you for helping me these weeks. This should not be that hard.
LS
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
#cat /etc/sssd/sssd.conf
[sssd]
domains = files
services = nss, pam
[pam]
debug_level = 9
[domain/files]
id_provider = files
auth_provider = krb5
debug_level = 9
krb5_server = panther.montclaire.local
krb5_realm = MONTCLAIRE.LOCAL
krb5_store_password_if_offline = True
cache_credentials = True
2:22 a.m.
New subject: SSSD user mailing list: Unable to login to my kerberos realm
On (19/08/17 14:45), Louis Garcia wrote:
On Sat, Aug 19, 2017 at 5:01 AM, Lukas Slebodnik
<lslebodn(a)redhat.com>
wrote:
> On (19/08/17 10:57), Lukas Slebodnik wrote:
> >I think it would be better to start from scratch:
>
You did tell me that I was not hitting that RH bug. Sorry.
> >
> >Please answer to following question:
> >Is your local password the same as kerberos password?
>
Yes
And this is the main problem why it does not work for you.
Because pam_unix will be used as the first one.
And I would not recommend to change order of modules pam stack manually.
Your local account should have different password or should not have password
at all. Otherwise such setup will not work for you.
LS
1:53 p.m.
New subject: SSSD user mailing list: Unable to login to my kerberos realm
On Mon, Aug 21, 2017 at 3:22 AM, Lukas Slebodnik <lslebodn(a)redhat.com>
wrote:
On (19/08/17 14:45), Louis Garcia wrote:
>On Sat, Aug 19, 2017 at 5:01 AM, Lukas Slebodnik <lslebodn(a)redhat.com>
>wrote:
>
>> On (19/08/17 10:57), Lukas Slebodnik wrote:
>> >I think it would be better to start from scratch:
>>
>You did tell me that I was not hitting that RH bug. Sorry.
>
>
>> >
>> >Please answer to following question:
>> >Is your local password the same as kerberos password?
>>
>Yes
>
And this is the main problem why it does not work for you.
Because pam_unix will be used as the first one.
And I would not recommend to change order of modules pam stack manually.
Your local account should have different password or should not have
password
at all. Otherwise such setup will not work for you.
LS
Hey we are finally getting somewhere.
If I delete my local account I can't login at all. I added my local account
back but with no password and I was able to login and get my kerberos
ticket.
So with this setup I still need a local account an every box I use, with no
password or different then the kerberos one? I thought I could centrally
manage my user accounts and passwords with kerberos?
Do I need something like freeipa? Might be a bit out bounds for this list.
Thank you for your help.
<sssd-users(a)lists.fedorahosted.org>
2:08 p.m.
New subject: SSSD user mailing list: Unable to login to my kerberos realm
On Mon, Aug 21, 2017 at 02:53:39PM -0400, Louis Garcia wrote:
On Mon, Aug 21, 2017 at 3:22 AM, Lukas Slebodnik
<lslebodn(a)redhat.com>
wrote:
> On (19/08/17 14:45), Louis Garcia wrote:
> >On Sat, Aug 19, 2017 at 5:01 AM, Lukas Slebodnik <lslebodn(a)redhat.com>
> >wrote:
> >
> >> On (19/08/17 10:57), Lukas Slebodnik wrote:
> >> >I think it would be better to start from scratch:
> >>
> >You did tell me that I was not hitting that RH bug. Sorry.
> >
> >
> >> >
> >> >Please answer to following question:
> >> >Is your local password the same as kerberos password?
> >>
> >Yes
> >
>
> And this is the main problem why it does not work for you.
>
> Because pam_unix will be used as the first one.
> And I would not recommend to change order of modules pam stack manually.
>
> Your local account should have different password or should not have
> password
> at all. Otherwise such setup will not work for you.
>
> LS
>
Hey we are finally getting somewhere.
If I delete my local account I can't login at all. I added my local account
back but with no password and I was able to login and get my kerberos
ticket.
So with this setup I still need a local account an every box I use, with no
password or different then the kerberos one?
I thought I could centrally
manage my user accounts and passwords with kerberos?
Well, kerberos doesn't provide an OS-level identity. So even with
Kerberos, you still need some entity that defines the username, the UID,
GID, shell etc. Here it's a line in /etc/passwd, with IPA it would be an
entry with LDAP. Then you need a way to map the Kerberos principals to
these identities, often as easy as saying "OS-level username + REALM
name = Kerberos principal".
Do I need something like freeipa? Might be a bit out bounds for this list.
Thank you for your help.
It really depends on your use-case. I think the user in files + Kerberos
authentication is fine for a single workstation, but for multiple
machines, I would go with the FreeIPA/AD/whatever route.
7:45 p.m.
New subject: SSSD user mailing list: Unable to login to my kerberos realm
On Fri, Aug 18, 2017 at 5:03 PM, Lukas Slebodnik <lslebodn(a)redhat.com>
wrote:
On (18/08/17 15:37), Louis Garcia wrote:
>On Fri, Aug 18, 2017 at 12:54 PM, Louis Garcia <louisgtwo(a)gmail.com>
wrote:
>
>> On Fri, Aug 18, 2017 at 12:24 PM, Louis Garcia <louisgtwo(a)gmail.com>
>> wrote:
>>
>>> On Fri, Aug 18, 2017 at 11:58 AM, Louis Garcia <louisgtwo(a)gmail.com>
>>> wrote:
>>>
>>>> On Fri, Aug 18, 2017 at 4:08 AM, Jakub Hrozek
<jhrozek(a)redhat.com>
>>>> wrote:
>>>>
>>>>> On Fri, Aug 18, 2017 at 08:42:34AM +0200, Lukas Slebodnik wrote:
>>>>> > On (17/08/17 12:38), Louis Garcia wrote:
>>>>> > >Sorry to mail you directly but I think the sssd user
mailing list
is
>>>>> not
>>>>> > >accepting my emails. I replied twice to this thread
yesterday and
>>>>> both
>>>>> > >bounced.
>>>>> > >
>>>>> >
>>>>>
>>>>> > I have no idea why you have problems to send a mails there.
>>>>>
>>>>> Sorry, this is partially my fault. I should be watching the
moderation
>>>>> queue, but lately we've been getting so much spam (sometimes one
spam
>>>>> attempt per hour) that I overlooked your e-mail.
>>>>>
>>>>> You can subscribe to the list and then your messages will go right
to
>>>>> the list w/o the moderation queue!
>>>>>
>>>>
>>>> sssd-users-request(a)lists.fedorahosted.org
>>>> Aug 15 (3 days ago)
>>>>
>>>>
>>>> to me
>>>> Welcome to the "sssd-users" mailing list!
>>>>
>>>
>>> I subscribed here: https://lists.fedorahosted.org
>>> /admin/lists/sssd-users.lists.fedorahosted.org/ and I receive all
emails
>>> from the list but I don't have a user account.
>>> How do I properly subscribe?
>>>
>>>
>> I test by login out of gnome and login back in. After I open a terminal
>> and run klist
>>
>> klist: Credentials cache keyring 'persistent:1000:1000' not found
>>
>> Then I need to kinit and if I klist again
>>
>> Ticket cache: KEYRING:persistent:1000:1000
>> Default principal: louisgtwo(a)MONTCLAIRE.LOCAL
>>
>> Valid starting Expires Service principal
>> 08/18/2017 12:33:50 08/19/2017 12:33:33 krbtgt/MONTCLAIRE.LOCAL@
>> MONTCLAIRE.LOCAL
>>
>>
>> after that I can ssh and mount nfs4 krb5p. I want to receive my ticket
>> when I login.
>>
>> I am not sure how to search journald. I used 'journalctl -u pam' with
no
>> effect
>>
IMHO the simplest would be following command.
journalctl --since=-30min | grep pam_
>> #cat /etc/pam.d/system-auth
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth required pam_faildelay.so delay=2000000
>> auth sufficient pam_fprintd.so
>> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid
>=
>> 1000 quiet
>> auth [default=1 ignore=ignore success=ok] pam_localuser.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
>> auth sufficient pam_sss.so forward_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 1000 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>> account required pam_permit.so
>>
>> password requisite pam_pwquality.so try_first_pass
local_users_only
>> retry=3 authtok_type=
>> password sufficient pam_unix.so sha512 shadow nullok
try_first_pass
>> use_authtok
>> password sufficient pam_sss.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> -session optional pam_systemd.so
>> session [success=1 default=ignore] pam_succeed_if.so service in
crond
>> quiet use_uid
>> session required pam_unix.so
>> session optional pam_sss.so
>>
>> # cat /etc/pam.d/password-auth
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth required pam_faildelay.so delay=2000000
>> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid
>=
>> 1000 quiet
>> auth [default=1 ignore=ignore success=ok] pam_localuser.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
>> auth sufficient pam_sss.so forward_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 1000 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>> account required pam_permit.so
>>
>> password requisite pam_pwquality.so try_first_pass
local_users_only
>> retry=3 authtok_type=
>> password sufficient pam_unix.so sha512 shadow nullok
try_first_pass
>> use_authtok
>> password sufficient pam_sss.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> -session optional pam_systemd.so
>> session [success=1 default=ignore] pam_succeed_if.so service in
crond
>> quiet use_uid
>> session required pam_unix.so
>> session optional pam_sss.so
>>
>>
>do I need to login to gdm with my domain realm? louisgtwo(a)montclaire.local
>??
It should not be related to your issue. But realm is usually uppercase.
You use id_provider files + auth_provider krb5.
You said sssd by default serves files. Once I get krb5 auth working local
accounts will be removed.
I assume that local user still have a local password.
Is local password(in /etc/shadow) the same as you have for kerberos(passed
to
kinit)?
BTW if you still have local password then you will be able to login
with both passwords. But only logging with krb5 password will obtain
ticket for
you. otherwise pam_unix will be used an not pam_sss.
If you have root password then you can delete local password with
passwd --delete $local_user.
So you will not use local password by mistake for login.
LS
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
2433
days inactive
2436
days old
sssd-users@lists.fedorahosted.org
12 comments
3 participants
participants (3)
-
Jakub Hrozek -
Louis Garcia -
Lukas Slebodnik