Bug 505319

Summary: FC11 GDM can't authenticate users from LDAP
Product: [Fedora] Fedora
Reporter: stef <stephane.tranchemer>
Component: gdm
Assignee: jmccann
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: low
Version: 11
CC: cschalle, evenit, jmccann, rstrode, sharadchandranpt
Hardware: All   
OS: Linux   
Last Closed: 2009-06-11 14:38:24 UTC
Attachments: modified files for LDAP authentication (flags: none)

Description stef 2009-06-11 13:43:11 UTC
Description of problem:

We have an LDAP with accounts for our users; until now there was never a problem, but with FC11 GDM is unable to authenticate the users.

It works fine if the user logs in from a console.

Version-Release number of selected component (if applicable):

Fedora Core 11
pam-1.0.91-6
nss_ldap-264-2
openldap-2.4.15-3
gdm-2.26.1-10

How reproducible:

Always

Steps to Reproduce:
1. Configure your LDAP server
2. Try to authenticate with a user on GDM
  
Actual results:

GDM returns "Unable to authenticate user"

Expected results:

user logs in

Additional info:

Comment 1 stef 2009-06-11 13:47:07 UTC
Extract from /var/log/secure:

Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_unix(gdm-password:auth): check pass; user unknown
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= 
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: gkr-pam: error looking up user information for: etu-test
Jun 11 14:57:26 pmp2412 pam: gdm-fingerprint[4053]: pam_succeed_if(gdm-fingerprint:auth): error retrieving user name: Conversation error
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: pam_unix(gdm-password:auth): check pass; user unknown
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= 
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: gkr-pam: error looking up user information for: etu-test
Jun 11 15:04:51 pmp2412 pam: gdm-fingerprint[4072]: pam_succeed_if(gdm-fingerprint:auth): error retrieving user name: Conversation error
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: pam_unix(gdm-password:auth): check pass; user unknown
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= 
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: gkr-pam: error looking up user information for: etu-test
Jun 11 15:14:33 pmp2412 pam: gdm-fingerprint[4918]: pam_succeed_if(gdm-fingerprint:auth): error retrieving user name: Conversation error
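
The log extract above shows the account lookup failing inside the PAM process ("user unknown", "error retrieving information about user"), which is a different condition from a wrong password. The following triage script is an added example, not part of the original report; it groups such lines per service and PID and separates the two cases. The verdict labels and the `alice` line are constructed for illustration.

```python
import re
from collections import defaultdict

# First attempt copied from the log above, plus one constructed wrong-password
# attempt (pid 5001, user "alice") for contrast.
SAMPLE = """\
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_unix(gdm-password:auth): check pass; user unknown
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: gkr-pam: error looking up user information for: etu-test
Jun 11 14:57:26 pmp2412 pam: gdm-fingerprint[4053]: pam_succeed_if(gdm-fingerprint:auth): error retrieving user name: Conversation error
Jun 11 15:20:02 pmp2412 pam: gdm-password[5001]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=alice
"""

# "<date> <host> pam: <service>[<pid>]: <module>[(<service>:<type>)]: <message>"
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ pam: (?P<svc>[\w-]+)\[(?P<pid>\d+)\]: "
    r"(?P<mod>[\w-]+)(?:\([^)]*\))?: (?P<msg>.*)$"
)
# Messages that mean the account could not be resolved (NSS lookup failed).
LOOKUP = re.compile(
    r"user unknown|error retrieving information about user (?P<u1>\S+)"
    r"|error looking up user information for: (?P<u2>\S+)"
)

def triage(log_text):
    """Return {(service, pid): (verdict, user, modules_reporting_lookup_failure)}."""
    attempts = defaultdict(lambda: {"user": None, "lookup": set(), "authfail": False})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        a = attempts[(m["svc"], int(m["pid"]))]
        hit = LOOKUP.search(m["msg"])
        if hit:
            a["lookup"].add(m["mod"])
            a["user"] = hit["u1"] or hit["u2"] or a["user"]
        if "authentication failure" in m["msg"]:
            a["authfail"] = True
            u = re.search(r"\buser=(\S+)", m["msg"])  # \b skips "ruser="
            if u:
                a["user"] = u[1]
    out = {}
    for key, a in attempts.items():
        verdict = ("identity-lookup-failure" if a["lookup"]
                   else "credential-failure" if a["authfail"] else "other")
        out[key] = (verdict, a["user"], sorted(a["lookup"]))
    return out
```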

Comment 2 stef 2009-06-11 13:50:31 UTC
Just in case you wonder:

# id etu-test
uid=2352(etu-test) gid=513(Domain Users) groups=513(Domain Users),30031(ETUEET),30046(GENSI),30273(EtuEetA1)

Comment 3 stef 2009-06-11 13:52:15 UTC
Created attachment 347399
modified files for LDAP authentication

Comment 4 stef 2009-06-11 14:37:15 UTC
I could grab a colleague engineer and we found the root of the problem.

There are new files introduced at some point between FC8 and FC11; to succeed you need to modify the following files:

/etc/pam.d/fingerprint-auth
add "account sufficient pam_ldap.so"

/etc/pam.d/password-auth
add "auth sufficient pam_ldap.so use_first_pass"

Comment 5 stef 2009-06-12 12:43:05 UTC
We found a much more elegant solution:

Edit the kickstart to move to this line:
# System authorization information
auth --useshadow --passalgo=md5 --enableldap --enableldapauth --ldapserver=ldap://ldap1.doe.com/,ldap://ldap2.doe.com/ --ldapbasedn=dc=doe,dc=com

Then add this in post-install:
/bin/sed -i '/nss_base_passwd/d' /etc/ldap.conf
echo "nss_base_passwd ou=User,dc=doe,dc=com?one" >> /etc/ldap.conf

Comment 6 Fabien Dupont 2009-06-29 10:51:02 UTC
I have exactly the same problem, but none of those steps work. I have FC11 with latest updates. Users can authenticate in console mode, but not with gdm. Authentication is configured to use LDAP.

Here's my /etc/pam.d/password-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
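
A simplified model of how the `auth` lines of the file above are evaluated, as an added example that is not part of the original comment. It shows that the `requisite pam_succeed_if.so` line sits before `pam_ldap.so`, so LDAP authentication is only reached when the account resolves through NSS, and that a stack without the `pam_ldap.so` line falls through to `pam_deny.so`. The per-module outcomes are assumptions fed in by hand, and only the keyword controls (`required`, `requisite`, `sufficient`, `optional`) are modelled.

```python
# auth lines copied from the password-auth file posted above.
STACK = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
"""

def parse_auth(text):
    """Return [(control, module)] for the auth lines, skipping comments."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "auth":
            rows.append((f[1], f[2]))
    return rows

def evaluate(rows, outcome):
    """Walk the stack with assumed module results (module -> True/False).

    Returns (authenticated, modules_run). Simplified keyword semantics:
    requisite failure aborts at once, sufficient success returns at once
    unless a required module already failed, sufficient failure is ignored.
    """
    failed, succeeded, ran = False, False, []
    for control, module in rows:
        ran.append(module)
        ok = outcome.get(module, False)   # pam_deny.so is never listed: fails
        if control == "requisite" and not ok:
            return False, ran
        if control == "sufficient" and ok and not failed:
            return True, ran
        if control in ("required", "requisite"):
            succeeded, failed = succeeded or ok, failed or not ok
    return (succeeded and not failed), ran

ROWS = parse_auth(STACK)
# Assumed outcomes for an LDAP-only account (no local password entry).
NSS_OK = {"pam_env.so": True, "pam_unix.so": False,
          "pam_succeed_if.so": True, "pam_ldap.so": True}
# Same account when the PAM process cannot resolve it ("user unknown").
NSS_BROKEN = dict(NSS_OK, **{"pam_succeed_if.so": False})
# Stack with the pam_ldap.so auth line missing.
NO_LDAP = [r for r in ROWS if r[1] != "pam_ldap.so"]
```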

Comment 7 Fabien Dupont 2009-06-29 13:00:45 UTC
I had included a typo in my config. Everything works fine.
Sorry for bugging you.

Comment 8 sharad 2017-12-27 17:42:36 UTC
(In reply to Fabien Dupont from comment #7)
> I had included a typo in my config. Everything works fine.
> Sorry for bugging you.

I too have the same issue.
Can you suggest a resolution,
or a proper config file?