8><--------
>
> Steven, sorry you're having such a hard time with this. Let me see if I
> can help point you in the right direction.
>
> I'm trying to look at the history of this thread, but I'm coming into it
> late, so please forgive me if I retread any ground that's already been
> covered.
>
> First, I need to verify that I understand the state from which you're
> working. Have you installed FreeIPA from the jdennis.fedorapeople.org
> yum repository?

[freeipa-devel]
name=FreeIPA Development
baseurl=http://freeipa.com/downloads/devel/rpms/F$releasever/$basearch
enabled=1
gpgcheck=0

F14 and 64bit.

> What version of the RPM packages for freeipa-server, freeipa-client and
> sssd do you have? (rpm -q)

">>" 'd output,

==============
sssd-1.5.1-9.fc14.x86_64
freeipa-client-2.0.0.rc2-0.fc14.x86_64
freeipa-server-2.0.0.rc2-0.fc14.x86_64

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus

[sssd]
services = nss, pam
config_file_version = 2

domains = ipa.ac.nz
[nss]

[pam]

[domain/ipa.ac.nz]
cache_credentials = True
ipa_domain = ipa.ac.nz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, fed14-64-ipam001.ipa.ac.nz
[domain/default]
cache_credentials = True
krb5_realm = IPA.AC.NZ
krb5_kdcip = fed14-64-ipam001.ipa.ac.nz:88
auth_provider = krb5
chpass_provider = krb5
krb5_kpasswd = fed14-64-ipam001.ipa.ac.nz:749
debug_level=9

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
====================

So I wiped the secure log, logged out and tried to log in.
The secure log on the guest may be interesting, looks like the sssd isn't
running on the guest? I restarted it but to no avail,

====================
Mar 9 09:36:54 fed14-64-ipacl01 su: pam_unix(su-l:session): session closed for user root
Mar 9 09:36:54 fed14-64-ipacl01 pam: gdm-password[1682]: pam_unix(gdm-password:session): session closed for user jonesst1
Mar 9 09:36:54 fed14-64-ipacl01 pam: gdm-password[1682]: pam_sss(gdm-password:session): Request to sssd failed. Connection refused
Mar 9 09:36:54 fed14-64-ipacl01 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.22, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 9 09:36:54 fed14-64-ipacl01 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.40, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 9 09:36:57 fed14-64-ipacl01 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session3 (system bus name :1.65 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_unix(gdm-password:auth): conversation failed
Mar 9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_unix(gdm-password:auth): auth could not identify password for [irwinph]
Mar 9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_sss(gdm-password:auth): Request to sssd failed. Connection refused
Mar 9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: gkr-pam: no password is available for user
Mar 9 09:37:10 fed14-64-ipacl01 unix_chkpwd[2279]: password check failed for user (jonesst1)
Mar 9 09:37:10 fed14-64-ipacl01 pam: gdm-password[2276]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jonesst1
Mar 9 09:37:10 fed14-64-ipacl01 pam: gdm-password[2276]: pam_sss(gdm-password:auth): Request to sssd failed. Connection refused
Mar 9 09:37:22 fed14-64-ipacl01 pam: gdm-password[2284]: pam_unix(gdm-password:session): session opened for user jonesst1 by (uid=0)
Mar 9 09:37:22 fed14-64-ipacl01 pam: gdm-password[2284]: pam_sss(gdm-password:session): Request to sssd failed. Connection refused
Mar 9 09:37:24 fed14-64-ipacl01 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session4 (system bus name :1.80 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 9 09:37:36 fed14-64-ipacl01 su: pam_unix(su-l:session): session opened for user root by jonesst1(uid=500)
===================

regards

> I noticed that you mentioned in an earlier email that you were editing
> nslcd.conf. This is not the preferred mechanism for setting up a FreeIPA
> client (any more). We now use SSSD (and ipa-client-install should be
> setting this up for you).
>
> So what I need to see are the following configuration files:
> 1) /etc/nsswitch.conf
> 2) /etc/sssd/sssd.conf
> 3) /etc/pam.d/system-auth
> 4) /etc/pam.d/password-auth (if using GDM)
>
> Also, to start debugging login problems, the best place to look is in
> /var/log/secure, which should report any PAM modules that are denying
> access to the account (and the reason why it's being denied).
>
> Please provide us with the above information and we'll see what we can
> do to get you up and running.
>
> Also, for much faster triage and debugging, you can join the #freeipa
> and/or #sssd IRC channels on the irc.freenode.net IRC server and speak
> with us directly. My nick on those channels is 'sgallagh'.

I will try and get access to freenode again, but security policy might
now stop that..........also I used to find that because I'm in NZ no one
responds (in other channels)...wrong time zone.

regards

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
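
Added example, not part of the original thread: a small Python triage of a /var/log/secure excerpt, following the advice above to look there for the PAM module that is failing and why. The sample lines are copied from the log in the message; the labels and function names are this example's own.

```python
import re
from collections import Counter

# Lines copied from the /var/log/secure excerpt in the message above.
SAMPLE = """\
Mar 9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_unix(gdm-password:auth): conversation failed
Mar 9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_sss(gdm-password:auth): Request to sssd failed. Connection refused
Mar 9 09:37:10 fed14-64-ipacl01 pam: gdm-password[2276]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jonesst1
Mar 9 09:37:10 fed14-64-ipacl01 pam: gdm-password[2276]: pam_sss(gdm-password:auth): Request to sssd failed. Connection refused
Mar 9 09:37:22 fed14-64-ipacl01 pam: gdm-password[2284]: pam_unix(gdm-password:session): session opened for user jonesst1 by (uid=0)
Mar 9 09:37:22 fed14-64-ipacl01 pam: gdm-password[2284]: pam_sss(gdm-password:session): Request to sssd failed. Connection refused
"""

# pam_<module>(<service>:<phase>): <message>
PAM_RE = re.compile(r"\b(pam_\w+)\(([^:()]+):(\w+)\): (.*)$")

# Message substrings mapped to a triage label (labels are this example's own).
RULES = [
    ("Request to sssd failed", "sssd-unreachable"),
    ("authentication failure", "auth-failure"),
    ("conversation failed", "no-credentials"),
]

def classify(line):
    """Return (module, service, phase, label), or None for non-failure lines."""
    m = PAM_RE.search(line)
    if not m:
        return None
    module, service, phase, msg = m.groups()
    for needle, label in RULES:
        if needle in msg:
            return module, service, phase, label
    return None

def summarize(text):
    """Count failures per (module, phase, label) across a log excerpt."""
    hits = filter(None, (classify(l) for l in text.splitlines()))
    return Counter((mod, phase, label) for mod, _svc, phase, label in hits)

def sssd_down(text):
    """True when every pam_sss entry in the excerpt failed to reach sssd."""
    sss = [l for l in text.splitlines() if "pam_sss(" in l]
    return bool(sss) and all("Request to sssd failed" in l for l in sss)

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
    print("sssd unreachable for all pam_sss calls:", sssd_down(SAMPLE))
```

Separating the pam_sss "Request to sssd failed" entries from the pam_unix failures shows whether a login is being refused by a module or whether the module never reached its backend at all.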
