
#1 2016-12-01 09:40:02

T_UNIX
Member
Registered: 2016-12-01
Posts: 3

SSSD and gdm

Hi,

I've configured my system as described in https://wiki.archlinux.org/index.php/LD … entication to extend user authentication to incorporate our local ADS. The tty and ssh login work just fine.

I've been using GDM (with sssd via PAM) for quite a while too. However, I removed, reinstalled, removed, reinstalled GDM for multi-monitor related reasons. Somewhere along the way my config files were wiped, it seems, and now I'm a bit lost.

GDM fails to start when used along with sssd (via pam):

$ journalctl -u gdm
-- Logs begin at Thu 2016-12-01 09:56:41 CET, end at Thu 2016-12-01 10:25:53 CET. --
-- Logs begin at Thu 2016-12-01 09:56:41 CET, end at Thu 2016-12-01 10:36:05 CET. --
Dez 01 09:58:01 UML026 systemd[1]: Starting GNOME Display Manager...
Dez 01 09:58:01 UML026 systemd[1]: Started GNOME Display Manager.
Dez 01 09:58:01 UML026 gdm-launch-environment][962]: pam_sss(gdm-launch-environment:account): Access denied for user gdm: 10 (Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt)
Dez 01 09:58:02 UML026 gdm[931]: GdmDisplay: display lasted 1,051292 seconds
Dez 01 09:58:02 UML026 gdm[931]: Child process -990 was already dead.
Dez 01 09:58:02 UML026 gdm[931]: Child process 962 was already dead.
Dez 01 09:58:02 UML026 gdm[931]: Unable to kill session worker process
Dez 01 09:58:02 UML026 gdm-launch-environment][1004]: pam_sss(gdm-launch-environment:account): Access denied for user gdm: 10 (Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt)
Dez 01 09:58:04 UML026 gdm[931]: GdmDisplay: display lasted 1,440134 seconds
Dez 01 09:58:04 UML026 gdm[931]: Child process -1035 was already dead.
Dez 01 09:58:04 UML026 gdm[931]: Child process 1004 was already dead.
Dez 01 09:58:04 UML026 gdm[931]: Unable to kill session worker process
Dez 01 09:58:04 UML026 gdm-launch-environment][1051]: pam_sss(gdm-launch-environment:account): Access denied for user gdm: 10 (Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt)
Dez 01 09:58:05 UML026 gdm[931]: GdmDisplay: display lasted 1,401802 seconds
Dez 01 09:58:05 UML026 gdm[931]: Child process -1080 was already dead.
Dez 01 09:58:05 UML026 gdm[931]: Child process 1051 was already dead.
Dez 01 09:58:05 UML026 gdm[931]: Unable to kill session worker process
Dez 01 09:58:05 UML026 gdm-launch-environment][1096]: pam_sss(gdm-launch-environment:account): Access denied for user gdm: 10 (Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt)
Dez 01 09:58:07 UML026 gdm[931]: GdmDisplay: display lasted 1,530849 seconds
Dez 01 09:58:07 UML026 gdm[931]: Child process -1127 was already dead.
Dez 01 09:58:07 UML026 gdm[931]: Child process 1096 was already dead.
Dez 01 09:58:07 UML026 gdm[931]: Unable to kill session worker process
Dez 01 09:58:07 UML026 gdm-launch-environment][1143]: pam_sss(gdm-launch-environment:account): Access denied for user gdm: 10 (Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt)
Dez 01 09:58:08 UML026 gdm[931]: GdmDisplay: display lasted 1,425301 seconds
Dez 01 09:58:08 UML026 gdm[931]: Child process -1172 was already dead.
Dez 01 09:58:08 UML026 gdm[931]: Child process 1143 was already dead.
Dez 01 09:58:08 UML026 gdm[931]: Unable to kill session worker process
Dez 01 09:58:08 UML026 gdm-launch-environment][1195]: pam_sss(gdm-launch-environment:account): Access denied for user gdm: 10 (Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt)
Dez 01 09:58:10 UML026 gdm[931]: GdmDisplay: display lasted 1,516326 seconds
Dez 01 09:58:10 UML026 gdm[931]: GdmLocalDisplayFactory: maximum number of X display failures reached: check X server log for errors
Dez 01 09:58:10 UML026 gdm[931]: Child process -1227 was already dead.
Dez 01 10:01:48 UML026 systemd[1]: Stopping GNOME Display Manager...
Dez 01 10:01:48 UML026 systemd[1]: Stopped GNOME Display Manager.

The (German) message "Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt" translates to "User not known to the underlying authentication module".
That baffles me, because:

getent passwd gdm                                                                                                                                                              Do 01 Dez 2016 10:36:12 CET
gdm:x:120:120:Gnome Display Manager:/var/lib/gdm:/sbin/nologin

shows that gdm is a known user.

Slim, on the other hand, succeeds in starting, but I can't log in as any of the ADS users. Journalctl tells the following:

$ journalctl -u slim
#snip
Dez 01 10:02:04 UML026 slim[1323]: pam_sss(slim:auth): authentication success; logname= uid=0 euid=0 tty=:0.0 ruser=root rhost= user=some_redacted_ads_username
Dez 01 10:02:04 UML026 slim[1323]: pam_sss(slim:account): Access denied for user some_redacted_ads_username: 6 (Permission denied)
#/snip

For local users, on the other hand, the login succeeds and journald logs:

$ journalctl -u slim
#snip
Dez 01 10:22:29 UML026 slim[3923]: pam_sss(slim:auth): authentication failure; logname= uid=0 euid=0 tty=:0.0 ruser=root rhost= user=leif
Dez 01 10:22:29 UML026 slim[3923]: pam_sss(slim:auth): received for user leif: 10 (User not known to the underlying authentication module)
Dez 01 10:22:29 UML026 slim[3923]: pam_sss(slim:account): Access denied for user leif: 10 (User not known to the underlying authentication module)
Dez 01 10:22:29 UML026 slim[3923]: pam_unix(slim:session): session opened for user leif by (uid=0)
#/snip

Any ideas on how to fix this? I go with the packaged PAM files (aside from the customizations instructed by the wiki article linked above).

Last edited by T_UNIX (2016-12-01 09:51:43)


#2 2016-12-01 14:00:16

T_UNIX
Member
Registered: 2016-12-01
Posts: 3

Re: SSSD and gdm

In addition: Cinnamon failed to unlock its screensaver even though the password was correct. The only way to unlock the screen was to switch back to GDM (tty1) and log in again.


#3 2016-12-07 11:03:16

T_UNIX
Member
Registered: 2016-12-01
Posts: 3

Re: SSSD and gdm

After commenting out the following lines in /etc/sssd/sssd.conf, I was able to log in as an ADS user via slim:

# access_provider = ad
# ldap_id_mapping = True

I assume that only the access_provider line matters here.

Last edited by T_UNIX (2016-12-07 14:18:42)
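
As an added example (not part of the original posts), the Python sketch below triages the pam_sss journal lines quoted in this thread by PAM phase and numeric return code, so it works regardless of the log locale. The `triage` function and its verdict names are made up for this illustration; the sample lines are copied from the posts above.

```python
import re

# PAM return codes as printed by pam_sss in the thread's logs (Linux-PAM values).
PAM_PERM_DENIED, PAM_USER_UNKNOWN = 6, 10

AUTH = re.compile(r"pam_sss\((?P<svc>[^:)]+):auth\): authentication "
                  r"(?P<res>success|failure);.*\buser=(?P<user>\S+)")
ACCT = re.compile(r"pam_sss\((?P<svc>[^:)]+):account\): Access denied for user "
                  r"(?P<user>[^:]+): (?P<code>\d+) ")

# Sample input: lines copied from the journalctl output quoted in this thread.
SAMPLE = """\
Dez 01 09:58:01 UML026 gdm-launch-environment][962]: pam_sss(gdm-launch-environment:account): Access denied for user gdm: 10 (Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt)
Dez 01 10:02:04 UML026 slim[1323]: pam_sss(slim:auth): authentication success; logname= uid=0 euid=0 tty=:0.0 ruser=root rhost= user=some_redacted_ads_username
Dez 01 10:02:04 UML026 slim[1323]: pam_sss(slim:account): Access denied for user some_redacted_ads_username: 6 (Permission denied)
Dez 01 10:22:29 UML026 slim[3923]: pam_sss(slim:auth): authentication failure; logname= uid=0 euid=0 tty=:0.0 ruser=root rhost= user=leif
Dez 01 10:22:29 UML026 slim[3923]: pam_sss(slim:auth): received for user leif: 10 (User not known to the underlying authentication module)
Dez 01 10:22:29 UML026 slim[3923]: pam_sss(slim:account): Access denied for user leif: 10 (User not known to the underlying authentication module)
"""

def triage(journal_text):
    """Map (PAM service, user) -> verdict for each pam_sss account denial."""
    auth_ok = set()   # (service, user) pairs whose auth phase succeeded
    verdicts = {}
    for line in journal_text.splitlines():
        m = AUTH.search(line)
        if m:
            if m["res"] == "success":
                auth_ok.add((m["svc"], m["user"]))
            continue
        m = ACCT.search(line)
        if not m:
            continue
        key, code = (m["svc"], m["user"]), int(m["code"])
        if code == PAM_USER_UNKNOWN:
            # Account is not in any SSSD domain (e.g. a local user such as gdm).
            verdicts[key] = "unknown-to-sssd"
        elif code == PAM_PERM_DENIED and key in auth_ok:
            # Credentials were accepted; the account (access control) phase refused.
            verdicts[key] = "denied-by-access-provider"
        elif code == PAM_PERM_DENIED:
            verdicts[key] = "denied-without-prior-auth"
        else:
            verdicts[key] = f"other-pam-code-{code}"
    return verdicts

if __name__ == "__main__":
    for (svc, user), verdict in triage(SAMPLE).items():
        print(f"{svc:24} {user:28} {verdict}")
```

With `access_provider` commented out, SSSD falls back to its default `permit` provider, so every directory account that can authenticate is allowed to log in; if that is too broad, restrict access with an explicit access provider instead of leaving it unset.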
