[Freeipa-users] Authenticate on GNOME display manager with freeipa
Hello everyone,

I set up my freeIPA instance and it works very well for my client computers (Ubuntu Desktop 16.04.2 LTS); I can log in via SSH using a freeIPA-managed user account.

My own HBAC rule also works for that. I disabled the "allow all" rule and created my own one. Works fine for SSH.

But I cannot log in to the GNOME 3 Desktop on the client. I used the netinstall ISO image of Ubuntu. During installation, I chose "Ubuntu GNOME Desktop" as the only desktop.

So my display manager is gdm3.

I added the "gdm" and "gdm-password" services to my HBAC rule. To be on the safe side, I rebooted the client machine. But I still can't log in to the GNOME Desktop with an account that can log in via SSH.

So the services in my rule are

login, gdm, gdm-password

If you need any logs or other information, I will provide them.

Thanks in advance!

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
I have attached the syslog with gdm debug mode enabled.

On 11-May-17 1:54 PM, Sumit Bose wrote:
> On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuch...@gmail.com wrote:
>> Hello,
>>
>> I have attached the requested files.
> The logs indicate that access was granted by SSSD and that gdm even
> called pam_open_session.
>
> Did gdm login work with the 'allow all' rule? Are there any other
> hints in the system or gdm logs why gdm might have failed?
>
> bye,
> Sumit
>
>> Thanks in advance!
>>
>> On 10-May-17 9:42 PM, Sumit Bose wrote:
>>> On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuch...@gmail.com
>>> wrote:
>>>> Hello everyone,
>>>>
>>>> I set up my freeIPA instance and it works very well for my client
>>>> computers (Ubuntu Desktop 16.04.2 LTS); I can log in via SSH using a
>>>> freeIPA-managed user account.
>>>>
>>>> My own HBAC rule also works for that. I disabled the "allow all" rule
>>>> and created my own one. Works fine for SSH.
>>>>
>>>> But I cannot log in to the GNOME 3 Desktop on the client. I used the
>>>> netinstall ISO image of Ubuntu. During installation, I chose
>>>> "Ubuntu GNOME Desktop" as the only desktop.
>>>>
>>>> So my display manager is gdm3.
>>>>
>>>> I added the "gdm" and "gdm-password" services to my HBAC rule. To be on
>>>> the safe side, I rebooted the client machine. But I still can't log in to
>>>> the GNOME Desktop with an account that can log in via SSH.
>>>>
>>>> So the services in my rule are
>>>>
>>>> login, gdm, gdm-password
>>>>
>>>> If you need any logs or other information, I will provide them.
>>> Please send sssd_pam.log and sssd_domain.name.log with debug_level=10 in
>>> the [pam] and [domain/...] section of sssd.conf.
>>>
>>> bye,
>>> Sumit
>>>
>>>> Thanks in advance!

May 11 23:41:44 ubugdm systemd[1189]: Time has been changed
May 11 23:41:44 ubugdm systemd[1387]: Time has been changed
May 11 23:41:44 ubugdm systemd[1]: Time has been changed
May 11 23:41:44 ubugdm systemd[1]: snapd.refresh.timer: Adding 1h 29min 52.376524s random time.
May 11 23:41:44 ubugdm systemd[1]: snapd.refresh.timer: Adding 3h 33min 1.143840s random time.
May 11 23:41:44 ubugdm systemd[1]: apt-daily.timer: Adding 9h 27min 47.330771s random time.
May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got resume for 13:68
May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (WW) FBDEV(0): FBIOPAN_DISPLAY: Invalid argument
May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got resume for 13:67
May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got resume for 13:66
May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got resume for 13:65
May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: gnome-session-binary[1204]: DEBUG(+): emitting SessionIsActive
May 11 23:41:48 ubugdm gnome-session-binary[1204]: DEBUG(+): emitting SessionIsActive
May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got resume for 13:64
May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (gnome-settings-daemon:1225): color-plugin-WARNING **: unable to get EDID for xrandr-default: unable to get EDID for output
May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: The XKEYBOARD keymap compiler (xkbcomp) reports:
May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: > Warning: Type "ONE_LEVEL" has 1 levels, but has 2 symbols
May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: > Ignoring extra symbols
May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: Errors from xkbcomp are not fatal to the X server
May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: The XKEYBOARD keymap compiler (xkbcomp) reports:
May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: > Warning: Type "ONE_LEVEL" has 1 levels, but has 2 symbols
May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: > Ignoring extra symbols
May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: Errors from xkbcomp are not fatal to the X server
May 11 23:41:48 ubugdm /usr/lib/gdm
Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
Thanks!

I followed this manual:
https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir

added the line

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

to the file /etc/pam.d/common-session (find attached)

On 12-May-17 8:29 AM, Sumit Bose wrote:
> On Fri, May 12, 2017 at 12:50:08AM +0200, tuxderlinuxfuch...@gmail.com wrote:
>> I have attached the syslog with gdm debug mode enabled
>>
>>
>> On 11-May-17 1:54 PM, Sumit Bose wrote:
>>> On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuch...@gmail.com
>>> wrote:
>>>> Hello,
>>>>
>>>> I have attached the requested files.
>>> The logs indicate that access was granted by SSSD and that gdm even
>>> called pam_open_session.
>>>
>>> Did gdm login work with the 'allow all' rule? Are there any other
>>> hints in the system or gdm logs why gdm might have failed?
>>>
>>> bye,
>>> Sumit
>>>
>>>> Thanks in advance!
>>>>
>>>> On 10-May-17 9:42 PM, Sumit Bose wrote:
>>>>> On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuch...@gmail.com
>>>>> wrote:
>>>>>> Hello everyone,
>>>>>>
>>>>>> I set up my freeIPA instance and it works very well for my client
>>>>>> computers (Ubuntu Desktop 16.04.2 LTS); I can log in via SSH using a
>>>>>> freeIPA-managed user account.
>>>>>>
>>>>>> My own HBAC rule also works for that. I disabled the "allow all" rule
>>>>>> and created my own one. Works fine for SSH.
>>>>>>
>>>>>> But I cannot log in to the GNOME 3 Desktop on the client. I used the
>>>>>> netinstall ISO image of Ubuntu. During installation, I chose
>>>>>> "Ubuntu GNOME Desktop" as the only desktop.
>>>>>>
>>>>>> So my display manager is gdm3.
>>>>>>
>>>>>> I added the "gdm" and "gdm-password" services to my HBAC rule. To be on
>>>>>> the safe side, I rebooted the client machine. But I still can't log in to
>>>>>> the GNOME Desktop with an account that can log in via SSH.
>>>>>>
>>>>>> So the services in my rule are
>>>>>>
>>>>>> login, gdm, gdm-password
>>>>>>
>>>>>> If you need any logs or other information, I will provide them.
>>>>> Please send sssd_pam.log and sssd_domain.name.log with debug_level=10 in
>>>>> the [pam] and [domain/...] section of sssd.conf.
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>>> Thanks in advance!
>
>> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) This device may have been added with another device file.
>> May 11 23:41:55 ubugdm gdm-x-session: Running session message bus
>> May 11 23:41:55 ubugdm gdm3: GdmManager: trying to register new display
>> May 11 23:41:55 ubugdm gdm3: GdmSession: Setting display device: /dev/tty2
>> May 11 23:41:55 ubugdm gdm3: using ut_user vmuser1
>> May 11 23:41:55 ubugdm gdm3: Writing login record
>> May 11 23:41:55 ubugdm gdm3: using ut_type USER_PROCESS
>> May 11 23:41:55 ubugdm gdm3: using ut_tv time 1494538915
>> May 11 23:41:55 ubugdm gdm3: using ut_pid 1741
>> May 11 23:41:55 ubugdm gdm3: using ut_host :1
>> May 11 23:41:55 ubugdm gdm3: using ut_line tty2
>> May 11 23:41:55 ubugdm gdm3: Writing wtmp session record to /var/log/wtmp
>> May 11 23:41:55 ubugdm gdm3: Adding or updating utmp record for login
>> May 11 23:41:55 ubugdm gdm3: GdmLocalDisplayFactory: display status changed: 2
>> May 11 23:41:55 ubugdm gdm-x-session: Running X session
>> May 11 23:41:55 ubugdm gdm-x-session: Trying script /etc/gdm3/Prime/:1
>> May 11 23:41:55 ubugdm gdm-x-session: script /etc/gdm3/Prime/:1 not found; skipping
>> May 11 23:41:55 ubugdm gdm-x-session: Trying script /etc/gdm3/Prime/Default
>> May 11 23:41:55 ubugdm gdm-x-session: Running process: /etc/gdm3/Prime/Default
>> May 11 23:41:55 ubugdm gdm-x-session:
Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
The directory didn't exist.

On 12-May-17 11:48 AM, Sumit Bose wrote:
> On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuch...@gmail.com wrote:
>> Thanks!
>>
>> I followed this manual:
>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
>>
>> added the line
>>
>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>>
>> to the file /etc/pam.d/common-session (find attached)
>>
>>
> Have you checked if /home/vmuser1 exists and has the right permissions
> so that the user can create files in the directory?
>
> bye,
> Sumit
>
Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa
It worked with pam_mkhomedir. So I don't see anything left to do at the moment.

On 12-May-17 12:52 PM, Sumit Bose wrote:
> On Fri, May 12, 2017 at 12:11:28PM +0200, tuxderlinuxfuch...@gmail.com wrote:
>> The directory didn't exist
> Then I guess that the process doesn't have the needed permissions during
> the session phase anymore. Please try to replace pam_mkhomedir by
> pam_oddjob_mkhomedir. This will try to create the directory via oddjobd
> which runs with higher privileges.
>
> HTH
>
> bye,
> Sumit
>
>>
>> On 12-May-17 11:48 AM, Sumit Bose wrote:
>>> On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuch...@gmail.com
>>> wrote:
>>>> Thanks!
>>>>
>>>> I followed this manual:
>>>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
>>>>
>>>> added the line
>>>>
>>>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>>>>
>>>> to the file /etc/pam.d/common-session (find attached)
>>>>
>>>>
>>> Have you checked if /home/vmuser1 exists and has the right permissions
>>> so that the user can create files in the directory?
>>>
>>> bye,
>>> Sumit
>>>
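The thread's root cause was a missing home directory that the PAM session phase could not create under gdm, and the suggested fix was swapping pam_mkhomedir for pam_oddjob_mkhomedir, which hands the mkdir to the privileged oddjobd. The following is an added example, not code from the thread, from SSSD, FreeIPA or the Ubuntu guide: a small Python audit that parses /etc/pam.d-style session stacks and reports which home-directory creation module is configured, flagging the in-process pam_mkhomedir arrangement and a permissive umask. The two stacks inside the block are constructed samples modelled on Ubuntu's common-session (the first carries the exact line from the thread); on a real client you would feed it the contents of /etc/pam.d/common-session.

```python
"""Audit which home-directory creation module a PAM session stack uses.

Added example, not code from the thread, SSSD, FreeIPA or Ubuntu.
It parses /etc/pam.d-style lines (type, control, module, args) and
reports whether the stack relies on in-process pam_mkhomedir or on
pam_oddjob_mkhomedir, which delegates the mkdir to the privileged oddjobd.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on Ubuntu's /etc/pam.d/common-session.
SESSION_WITH_MKHOMEDIR = """\
# /etc/pam.d/common-session - session-related modules common to all services
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_umask.so
session required                        pam_unix.so
session optional                        pam_sss.so
session optional                        pam_systemd.so
# line added by hand, as in the thread above
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
"""

# Same stack with the module Sumit suggested instead (constructed).
SESSION_WITH_ODDJOB = SESSION_WITH_MKHOMEDIR.replace(
    "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022",
    "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0077",
)

MKHOMEDIR_MODULES = ("pam_mkhomedir.so", "pam_oddjob_mkhomedir.so")

# type (optional "-" prefix), then either a bracketed control such as
# [success=1 default=ignore] or a bare keyword, then the module, then args.
_PAM_LINE = re.compile(
    r"^(?P<kind>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)


@dataclass
class PamEntry:
    kind: str            # auth, account, password or session
    control: str         # required, optional, [success=1 default=ignore], ...
    module: str          # e.g. pam_mkhomedir.so
    args: List[str] = field(default_factory=list)


def parse_pam(text: str) -> List[PamEntry]:
    """Parse a PAM config file body; comments and blank lines are skipped."""
    entries: List[PamEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PAM_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        entries.append(PamEntry(m["kind"], m["control"], m["module"], m["args"].split()))
    return entries


def audit_mkhomedir(text: str) -> Dict[str, object]:
    """Summarise how (and whether) the session stack creates home directories."""
    module: Optional[str] = None
    control: Optional[str] = None
    umask: Optional[str] = None
    for e in parse_pam(text):
        if e.kind.lstrip("-") == "session" and e.module in MKHOMEDIR_MODULES:
            module, control = e.module, e.control
            for a in e.args:
                if a.startswith("umask="):
                    umask = a.split("=", 1)[1]

    findings: List[str] = []
    if module is None:
        findings.append("no mkhomedir module: PAM will not create a home directory on first login")
    elif module == "pam_mkhomedir.so":
        findings.append("pam_mkhomedir.so creates the directory inside the calling process; "
                        "under a display manager the session phase may lack the privileges to do so")
    # pam_oddjob_mkhomedir.so delegates to oddjobd, so it gets no finding here.
    # pam_mkhomedir defaults to umask 0022 when the argument is absent.
    if umask is None or (int(umask, 8) & 0o077) != 0o077:
        findings.append("umask leaves the new home directory readable by group/other; umask=0077 makes it private")
    return {"module": module, "control": control, "umask": umask, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("pam_mkhomedir", SESSION_WITH_MKHOMEDIR), ("oddjob", SESSION_WITH_ODDJOB)):
        print(name, audit_mkhomedir(cfg))
```

Run it against the real file with `audit_mkhomedir(open("/etc/pam.d/common-session").read())`. When the audit reports pam_oddjob_mkhomedir, also confirm that the oddjobd service is installed and running on the client, since the module only asks oddjobd to create the directory and does nothing useful if the daemon is absent.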