Bug 505319
| Field | Value |
|---|---|
| Summary | FC11 GDM can't authenticate users from LDAP |
| Product | [Fedora] Fedora |
| Component | gdm |
| Version | 11 |
| Status | CLOSED WORKSFORME |
| Severity | urgent |
| Priority | low |
| Hardware | All |
| OS | Linux |
| Reporter | stef <stephane.tranchemer> |
| Assignee | jmccann |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | cschalle, evenit, jmccann, rstrode, sharadchandranpt |
| Doc Type | Bug Fix |
| Last Closed | 2009-06-11 14:38:24 UTC |

Description
stef
2009-06-11 13:43:11 UTC
Extract from /var/log/secure:

```
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_unix(gdm-password:auth): check pass; user unknown
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: gkr-pam: error looking up user information for: etu-test
Jun 11 14:57:26 pmp2412 pam: gdm-fingerprint[4053]: pam_succeed_if(gdm-fingerprint:auth): error retrieving user name: Conversation error
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: pam_unix(gdm-password:auth): check pass; user unknown
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: gkr-pam: error looking up user information for: etu-test
Jun 11 15:04:51 pmp2412 pam: gdm-fingerprint[4072]: pam_succeed_if(gdm-fingerprint:auth): error retrieving user name: Conversation error
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: pam_unix(gdm-password:auth): check pass; user unknown
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: gkr-pam: error looking up user information for: etu-test
Jun 11 15:14:33 pmp2412 pam: gdm-fingerprint[4918]: pam_succeed_if(gdm-fingerprint:auth): error retrieving user name: Conversation error
```

Just if you wonder:

```
# id etu-test
uid=2352(etu-test) gid=513(Domain Users) groups=513(Domain Users),30031(ETUEET),30046(GENSI),30273(EtuEetA1)
```

Created attachment 347399
modified files for LDAP authentication

I could grab a colleague engineer and we found the root of the problem. There are new files introduced at some point between FC8 and FC11; to succeed you need to modify the following files:

- /etc/pam.d/fingerprint-auth: add "account sufficient pam_ldap.so"
- /etc/pam.d/password-auth: add "auth sufficient pam_ldap.so use_first_pass"

We found a much more elegant solution: edit the kickstart to move to this line:

```
# System authorization information
auth --useshadow --passalgo=md5 --enableldap --enableldapauth --ldapserver=ldap://ldap1.doe.com/,ldap://ldap2.doe.com/ --ldapbasedn=dc=doe,dc=com
```

then add this in post-install:

```
/bin/sed -i '/nss_base_passwd/d' /etc/ldap.conf
echo "nss_base_passwd ou=User,dc=doe,dc=com?one" >> /etc/ldap.conf
```

I have exactly the same problem, but none of those steps work. I have FC11 with the latest updates. Users can authenticate in console mode, but not with gdm. Authentication is configured to use LDAP. Here's my /etc/pam.d/password-auth:

```
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
```

I had included a typo in my config. Everything works fine.
Sorry for bugging you.

(In reply to Fabien Dupont from comment #7)
> I had included a typo in my config. Everything works fine.
> Sorry for bugging you.

I too have the same issue. Can you suggest the resolution, or a proper config file?
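
The following check is an added example, not part of the bug thread or of any Fedora tool. It parses a pam.d file and reports whether `pam_ldap.so` can be reached in a given stack, which is the condition the comments above were fixing by hand. The function names and finding labels are assumptions made for illustration; `POSTED` is the auth stack of the password-auth file quoted in the thread, and `NO_LDAP` is constructed from it.

```python
import re

# type, control (plain word or [bracketed]), module; a leading "-" on type is allowed
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# auth stack of the password-auth file posted in the thread
POSTED = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""

# Constructed sample: the same stack with the pam_ldap.so line removed
NO_LDAP = "\n".join(l for l in POSTED.splitlines() if "pam_ldap" not in l)

def parse_pam(text):
    """Return (type, control, module) for every rule line; comments are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            rules.append(m.groups())
    return rules

def audit_ldap(text, mtype="auth"):
    """Report why pam_ldap.so may never run in the given stack (hypothetical labels)."""
    findings = []
    for t, control, module in parse_pam(text):
        if t != mtype:
            continue
        if module == "pam_ldap.so":
            return findings
        if module == "pam_deny.so" and control in ("required", "requisite"):
            break  # anything listed after this cannot turn the result into success
        if control == "requisite":
            # A failing requisite module ends the stack at once, so
            # pam_ldap.so below it is never consulted.
            findings.append("gated-by:" + module)
    return ["not-reached:pam_ldap.so"]

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("no-ldap", NO_LDAP)):
        print(name, audit_ldap(text))
```

A `gated-by:pam_succeed_if.so` finding is a note, not an error: that module has to resolve the user through NSS, and the `error retrieving information about user` lines in /var/log/secure above are what it logs when the lookup fails.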