On 08/20/2014 04:29 PM, alireza baghery wrote:
> Yes, right. IPA trust relation with AD and subdomain AD. Yes, GDE produces the log.

It seems that you have some custom polkit policy that fails to load. Did you play with some polkit policies?
> On Wed, Aug 20, 2014 at 5:27 PM, Dmitri Pal <[email protected]> wrote:
>> On 08/20/2014 01:45 PM, alireza baghery wrote:
>>> Hi,
>>> Having a particularly weird problem. We have moved from AD (Windows 2008 R2) to an IPA server (CentOS 6.5), and I integrated IPA with AD. Linux machines are joined with IPA and Windows machines are joined with AD. AD users can log in in CLI mode on the Linux system (CentOS 6.5) but cannot log in in GUI mode.
>>
>> Do I get it right: a user from AD walks to a desktop console of the Linux system joined into IPA that is in trust relations with AD, and the GDE produces the following log?
>>
>>> Error message in file /var/log/security:
>>> ----------------------------------------------------------------------------------
>>> pam: gdm-password[2685]: pam_unix(gdm-password:auth): authentication failure: logname= uid=0 euid=0 tty=:0 ruser= rhost= rhost= user=sallea@AD
>>> pam: gdm-password[2685]: pam_sss(gdm-password:auth): user info message: your password will expire in 40 day
>>> pam: gdm-password[2685]: pam_sss(gdm-password:auth): authenticate success: logname= uid=0 euid=0 tty=:0 ruser= rhost= rhost= user=sallea@AD
>>> pam: gdm-password[2685]: pam_unix(gdm-password:session): session opened for user sallea@AD by (uid=0)
>>> polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session4 (system bus name :1.116, object path /org/gnome/PolicyKit1/AuthenticationAgent, - Ignored: local en_US) (disconnected from bus)
>>> pam: gdm-password[2685]: pam_unix(gdm-password:session): session closed for user sallea@AD
>>> ------------------------------------------------------
>>>
>>> And the context file /etc/pam.d/password-auth:
>>> -----------------------------------
>>> auth required pam_env.so
>>> auth sufficient pam_unix.so nullok try_first_pass
>>> auth requisite pam_succeed_if.so uid >= 500 quiet
>>> auth sufficient pam_sss.so use_first_pass
>>> auth required pam_deny.so
>>> account required pam_unix.so
>>> account sufficient pam_localuser.so
>>> account sufficient pam_succeed_if.so uid < 500 quiet
>>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>>> account required pam_permit.so
>>> password requisite pam_cracklib.so try_first_pass retry=3 type=
>>> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
>>> password sufficient pam_sss.so use_authtok
>>> password required pam_deny.so
>>> session optional pam_keyinit.so revoke
>>> session required pam_limits.so
>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>> session required pam_unix.so
>>> session require pam_sss.so
>>> --------------------------------------
>>>
>>> How to solve this problem?
>>> Thanks
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
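Added example, not code from the thread or from FreeIPA/SSSD: a small Linux-PAM stack simulator that walks a hypothetical user through the auth, account and session phases of the /etc/pam.d/password-auth posted above, using the control-flag semantics documented in pam.conf(5). It shows why the AD user gets through auth on the CLI: pam_unix fails (an SSSD-served user resolves through NSS but has no /etc/shadow hash, which is the "pam_unix ... authentication failure" line in the log), the uid >= 500 requisite passes, and pam_sss as sufficient decides the phase. It also validates control tokens: "require" on the last session line, as printed in the post, is not a token pam.conf(5) defines, and whether that is a transcription slip or the real file cannot be told from the thread. The User class, the module return-code model and the usernames are assumptions made for the simulation; session modules are modelled as succeeding, so the example cannot reproduce the GUI-only failure, which the log places after the session opened and which the reply above attributes to polkit rather than to a PAM module.

```python
"""Linux-PAM stack simulator (added example; assumptions are marked below)."""
from dataclasses import dataclass

# The /etc/pam.d/password-auth stack exactly as printed in the mailing-list post.
POSTED_STACK = """
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session require pam_sss.so
"""

# Simple control keywords in their [value=action] form, per pam.conf(5).
CONTROL_TABLE = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


@dataclass
class User:
    """Hypothetical account driving the simulation (assumed model, not SSSD's)."""
    name: str
    uid: int
    in_passwd: bool          # has an /etc/passwd entry (what pam_localuser checks)
    unix_password_ok: bool   # pam_unix can verify the password against /etc/shadow
    sss_password_ok: bool    # SSSD (IPA, or AD through the trust) accepts the password


def parse_stack(text):
    """Return (phase, control, module, args) tuples for each non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        phase, rest = line.split(None, 1)
        if rest.startswith("["):                     # [value=action ...] control
            close = rest.index("]")
            control, rest = rest[:close + 1], rest[close + 1:].strip()
        else:
            control, rest = rest.split(None, 1)
        module, *args = rest.split()
        entries.append((phase, control, module, args))
    return entries


def validate_stack(entries):
    """Return (phase, control, module) for every control token pam.conf(5) does not define."""
    known = set(CONTROL_TABLE) | {"include", "substack"}
    return [(p, c, m) for p, c, m, _ in entries
            if not (c.startswith("[") and c.endswith("]")) and c not in known]


def actions_for(control):
    """Map a control token to its {return-value: action} table."""
    if control.startswith("["):
        return dict(tok.split("=", 1) for tok in control[1:-1].split())
    if control not in CONTROL_TABLE:
        raise ValueError(f"unknown control token {control!r}")
    return CONTROL_TABLE[control]


def succeed_if(args, user):
    """Evaluate the pam_succeed_if tests used in the posted stack (assumed: not crond)."""
    field, op, value = args[0], args[1], args[2]
    if field == "uid":
        return {">=": user.uid >= int(value), "<": user.uid < int(value)}[op]
    if field == "service" and op == "in":
        return False                                 # a GDM/console login is not crond
    raise ValueError(f"unsupported pam_succeed_if test {args!r}")


def run_module(phase, module, args, user):
    """Assumed return codes for each module in the login scenario of the thread."""
    if module == "pam_succeed_if.so":
        return "success" if succeed_if(args, user) else "auth_err"
    if module == "pam_unix.so":
        # auth: no shadow hash for an SSSD-served user -> "authentication failure";
        # account/session: the user resolves via NSS, so these succeed.
        return "success" if phase != "auth" or user.unix_password_ok else "auth_err"
    if module == "pam_sss.so":
        if user.in_passwd:
            return "user_unknown"                    # local accounts are not SSSD's
        return "success" if phase == "session" or user.sss_password_ok else "auth_err"
    if module == "pam_localuser.so":
        return "success" if user.in_passwd else "perm_denied"
    if module == "pam_deny.so":
        return "auth_err"
    return "success"                                 # pam_env, pam_permit, pam_keyinit, pam_limits


def run_phase(entries, phase, user):
    """Walk one phase; return (result, trace) following the pam.conf(5) action rules."""
    chain = [e for e in entries if e[0] == phase]
    failure, decided, trace, i = None, False, [], 0
    while i < len(chain):
        _, control, module, args = chain[i]
        rc = run_module(phase, module, args, user)
        acts = actions_for(control)                  # raises on an unknown token
        action = acts.get(rc, acts.get("default", "bad"))
        trace.append(f"{module}: {rc} -> {action}")
        i += 1
        if action.isdigit():                         # N: like ok, then skip N modules
            decided, i = True, i + int(action)
        elif action == "ok":
            decided = True
        elif action == "done":                       # stop; an earlier failure still wins
            return (failure or "success"), trace
        elif action == "bad":
            failure = failure or rc
        elif action == "die":
            return (failure or rc), trace
    return (failure or ("success" if decided else "perm_denied")), trace


if __name__ == "__main__":
    entries = parse_stack(POSTED_STACK)
    print("undefined control tokens:", validate_stack(entries))
    sallea = User("sallea@AD", 1001, False, False, True)   # assumed uid for the AD user
    for phase in ("auth", "account"):
        result, trace = run_phase(entries, phase, sallea)
        print(phase, result, trace)
```

Running it lists the "require" token, then shows auth ending at "pam_sss.so: success -> done" and account passing through pam_sss "success -> ok" to pam_permit, which matches the CLI login succeeding for AD users; a session run stops with ValueError on the "require" line until it is changed to "required".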
