Yes, right. IPA trust relation with AD and subdomain AD. Yes, GDE produces the log.

On Wed, Aug 20, 2014 at 5:27 PM, Dmitri Pal <[email protected]> wrote:

> On 08/20/2014 01:45 PM, alireza baghery wrote:
>
> hi
> Having a particularly weird problem. We have moved from AD (Windows 2008 R2)
> to IPA server (CentOS 6.5), and I integrated IPA with AD.
> Linux machine joined with IPA and Windows machine joined with AD.
> AD users can log in in CLI mode on the Linux system (CentOS 6.5)
> but cannot log in in GUI mode.
>
> Do I get it right:
>
> User from AD walks to a desktop console of the Linux system joined into
> IPA that is in trust relations with AD and the GDE produces the following
> log?
>
> error message in file /var/log/security
>
> ----------------------------------------------------------------------------------
> pam: gdm-password[2685]: pam_unix(gdm-password:auth): authentication failure: logname= uid=0 euid=0 tty=:0 ruser= rhost= rhost= user=sallea@AD
> pam: gdm-password[2685]: pam_sss(gdm-password:auth): user info message: your password will expire in 40 day
> pam: gdm-password[2685]:pam_sss(gdm-password:auth): authenticate success: logname= uid=0 euid=0 tty=:0 ruser= rhost= rhost= user=sallea@AD
> pam: gdm-password[2685]:pam_unix (gdm-password:session): session opened for user sallea@AD by (uid=0)
> polkitd(authority=local): Unregistered Authentication
> Agent for session /org/freedesktop/ConsoleKit/Session4 (system bus
> name :1.116 , object path /org/gnome/PolcyKit1/AuthenticationAgent,
>
> - Ignored:
> local en_US) (disconnected from bus)
>
> pam: gdm-password[2685]: pam_unix (gdm-password:session): session closed for user sallea@AD
> ------------------------------------------------------
>
> and contents of file /etc/pam.d/password-auth
> -----------------------------------
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
>
> session require pam_sss.so
> --------------------------------------
> how to solve this problem?
> thanks
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
