Perhaps you need to add an HBAC Service for lightdm. At least, that's what I did. And also add that service to the HBAC rules for the hosts on which the users may log in.

On 28-02-17 21:01, Jakub Hrozek wrote:
> On Tue, Feb 28, 2017 at 06:13:42PM +0100, Karl Forner wrote:
>> I just registered a new computer running ubuntu to our freeIPA system.
>> Some users (all I tried except me) are not able to login using lightdm.
>>
>> The message on screen is "Permission denied".
>> On the system the user (joe) is created, its home directory also, but it
>> only contains a .kde/ subdir and a .bash_history.
>>
>> On my session, if I type:
>> $sudo su - joe
>> I get:
>> su: Permission denied
>> (Ignored)
>>
>>
>> The only log file that is modified is /var/log/auth.log.
>> The relevant lines during the graphical login are:
>>
>> Feb 28 16:44:29 nyx lightdm: pam_unix(lightdm:auth): authentication
>> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=joe
>> Feb 28 16:44:41 nyx lightdm: pam_sss(lightdm:auth): authentication success;
>> logname= uid=0 euid=0 tty=:0 ruser= rhost= user=joe
>> Feb 28 16:44:41 nyx lightdm: pam_kwallet(lightdm:auth): pam_sm_authenticate
>> Feb 28 16:44:43 nyx lightdm: pam_sss(lightdm:account): Access denied for
>> user joe: 6 (Permission denied)
>> Feb 28 16:44:54 nyx lightdm: pam_succeed_if(lightdm:auth): requirement
>> "user ingroup nopasswdlogin" not met by user "joe"
>>
>> The relevant lines during the "sudo su - joe":
>> Feb 28 16:48:32 nyx su[26394]: pam_sss(su:account): Access denied for user
>> joe: 6 (Permission denied)
> You need to enable SSSD debugging:
> https://fedorahosted.org/sssd/wiki/Troubleshooting
> and check the sssd logs, probably the HBAC access control is kicking you
> out.
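
A triage sketch for the auth.log pattern quoted in this thread, added here as an example and not code from any of the posters or from the FreeIPA or SSSD projects: it separates logins where pam_sss accepted the password and then refused the account phase (the pattern that points at an access rule for that PAM service) from denials with no preceding authentication. The sample log is constructed from the quoted lines (e-mail line wraps removed, one extra constructed line for contrast); the function and verdict names are assumptions.

```python
import re

# Constructed sample modelled on the auth.log excerpt quoted in the thread.
# The last line (user "ann") is invented for contrast.
SAMPLE_LOG = """\
Feb 28 16:44:29 nyx lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=joe
Feb 28 16:44:41 nyx lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=joe
Feb 28 16:44:43 nyx lightdm: pam_sss(lightdm:account): Access denied for user joe: 6 (Permission denied)
Feb 28 16:48:32 nyx su[26394]: pam_sss(su:account): Access denied for user joe: 6 (Permission denied)
Feb 28 16:50:02 nyx sshd[27001]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=ann
"""

# pam_sss(<PAM service>:<phase>): <message>
PAM_SSS = re.compile(r"pam_sss\((?P<svc>[^:()]+):(?P<phase>auth|account)\): (?P<msg>.*)$")
AUTH_OK = re.compile(r"authentication success;.*\buser=(?P<user>\S+)")
ACCT_DENY = re.compile(r"Access denied for user (?P<user>[^\s:]+): (?P<code>\d+) \(")


def classify_denials(log_text):
    """Map (user, PAM service) to a verdict for each account-phase denial.

    "authenticated-then-denied": pam_sss accepted the credentials for this
        service earlier in the log, then refused access in the account phase.
    "denied-without-auth": only the account phase was logged for this service.
    """
    authenticated = set()
    verdicts = {}
    for line in log_text.splitlines():
        entry = PAM_SSS.search(line)
        if entry is None:
            continue  # other PAM modules (pam_unix, pam_kwallet, ...) are ignored
        svc, msg = entry["svc"], entry["msg"]
        if entry["phase"] == "auth":
            ok = AUTH_OK.search(msg)
            if ok:
                authenticated.add((ok["user"], svc))
            continue
        denied = ACCT_DENY.search(msg)
        if denied:
            key = (denied["user"], svc)
            verdicts[key] = ("authenticated-then-denied" if key in authenticated
                             else "denied-without-auth")
    return verdicts


if __name__ == "__main__":
    for (user, svc), verdict in classify_denials(SAMPLE_LOG).items():
        print(f"{user} via {svc}: {verdict}")
```

The service name in each result (here `lightdm` and `su`) is the one to look for in the access rules for that host; the `su` entry has no auth line because it was started through sudo as root.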
