Description of problem:
We have an LDAP with accounts for our users. Until now there never was a problem, but with FC11 GDM is unable to authenticate the users. It works fine if the user logs in from a console.

Version-Release number of selected component (if applicable):
Fedora Core 11
pam-1.0.91-6
nss_ldap-264-2
openldap-2.4.15-3
gdm-2.26.1-10

How reproducible:
Always

Steps to Reproduce:
1. Configure your LDAP server
2. Try to authenticate with a user on GDM

Actual results:
GDM returns "Unable to authenticate user"

Expected results:
User logs in

Additional info:
extract from /var/log/secure :

Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_unix(gdm-password:auth): check pass; user unknown
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: gkr-pam: error looking up user information for: etu-test
Jun 11 14:57:26 pmp2412 pam: gdm-fingerprint[4053]: pam_succeed_if(gdm-fingerprint:auth): error retrieving user name: Conversation error
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: pam_unix(gdm-password:auth): check pass; user unknown
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: gkr-pam: error looking up user information for: etu-test
Jun 11 15:04:51 pmp2412 pam: gdm-fingerprint[4072]: pam_succeed_if(gdm-fingerprint:auth): error retrieving user name: Conversation error
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: pam_unix(gdm-password:auth): check pass; user unknown
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: gkr-pam: error looking up user information for: etu-test
Jun 11 15:14:33 pmp2412 pam: gdm-fingerprint[4918]: pam_succeed_if(gdm-fingerprint:auth): error retrieving user name: Conversation error
just if you wonder:

# id etu-test
uid=2352(etu-test) gid=513(Domain Users) groups=513(Domain Users),30031(ETUEET),30046(GENSI),30273(EtuEetA1)
Created attachment 347399: modified files for LDAP authentication
I could grab a colleague engineer and we found the root of the problem. There are new files introduced at some point between FC8 and FC11; to succeed you need to modify the following files:

/etc/pam.d/fingerprint-auth
  add "account sufficient pam_ldap.so"

/etc/pam.d/password-auth
  add "auth sufficient pam_ldap.so use_first_pass"
We found a much more elegant solution: edit the kickstart to move to this line:

# System authorization information
auth --useshadow --passalgo=md5 --enableldap --enableldapauth --ldapserver=ldap://ldap1.doe.com/,ldap://ldap2.doe.com/ --ldapbasedn=dc=doe,dc=com

then add this in post-install:

/bin/sed -i '/nss_base_passwd/d' /etc/ldap.conf
echo "nss_base_passwd ou=User,dc=doe,dc=com?one" >> /etc/ldap.conf
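A quick way to verify the two stack entries the comments above found missing, as an added example that is not from the bug report or from Fedora's authconfig: the script parses a PAM service file (skipping comments and handling bracketed control fields) and reports whether its auth and account groups load pam_ldap.so. The sample "before" and "after" service files are constructed and stand in for /etc/pam.d/password-auth; the module lines in them are illustrative only.

```shell
#!/bin/sh
# Added example (not from the bug report or Fedora): report whether a PAM
# service file loads pam_ldap.so in its auth and account groups, the two
# entries found missing in fingerprint-auth and password-auth on FC11.

# pam_stack_has_module FILE GROUP MODULE
# Returns 0 if a non-comment line of management group GROUP (auth, account,
# password, session) loads MODULE. The control field may be one word
# ("sufficient") or a bracketed list ("[default=bad success=ok ...]"),
# so the module name is searched among all fields, not at a fixed column.
pam_stack_has_module() {
    sed 's/#.*//' "$1" | awk -v grp="$2" -v mod="$3" '
        $1 == grp { for (i = 2; i <= NF; i++) if ($i == mod) { found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# pam_ldap_report FILE: prints "ok", or "missing:" plus the groups without pam_ldap.so
pam_ldap_report() {
    missing=""
    pam_stack_has_module "$1" auth pam_ldap.so || missing="$missing auth"
    pam_stack_has_module "$1" account pam_ldap.so || missing="$missing account"
    if [ -n "$missing" ]; then echo "missing:$missing"; else echo "ok"; fi
}

# Constructed sample service files: the broken state and the state after the
# two lines from the fix are added.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/before" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
EOF
cat > "$SAMPLE_DIR/after" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass   # added per the fix
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
EOF

pam_ldap_report "$SAMPLE_DIR/before"   # missing: auth account
pam_ldap_report "$SAMPLE_DIR/after"    # ok
```

Run it against the real /etc/pam.d/password-auth and /etc/pam.d/fingerprint-auth to see which group still lacks the LDAP module.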
I have exactly the same problem, but none of those steps work. I have FC11 with the latest updates. The user can authenticate in console mode, but not with gdm. Authentication is configured to use LDAP. Here's my /etc/pam.d/password-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
I had included a typo in my config. Everything works fine. Sorry for bugging you.
(In reply to Fabien Dupont from comment #7)
> I had included a typo in my config. Everything works fine.
> Sorry for bugging you.

I too have the same issue. Can you suggest the resolution, or a proper config file?