Bug 505319 - FC11 GDM can't authenticate users from LDAP
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: gdm
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: urgent
Assigned To: jmccann
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-06-11 09:43 EDT by stef
Modified: 2017-12-27 12:42 EST
CC: 5 users
Last Closed: 2009-06-11 10:38:24 EDT
Attachments
modified files for LDAP authentication (4.03 KB, application/x-compressed-tar), 2009-06-11 09:52 EDT, stef
Description stef 2009-06-11 09:43:11 EDT
Description of problem:

We have an LDAP directory with accounts for our users; until now there was never a problem, but with FC11 GDM is unable to authenticate the users.

It works fine if the user logs in from a console.

Version-Release number of selected component (if applicable):

Fedora Core 11
pam-1.0.91-6
nss_ldap-264-2
openldap-2.4.15-3
gdm-2.26.1-10

How reproducible:

Always

Steps to Reproduce:
1. Configure your LDAP server
2. Try to authenticate with a user on GDM
Actual results:

GDM returns "Unable to authenticate user"

Expected results:

user logs in

Additional info:
Comment 1 stef 2009-06-11 09:47:07 EDT
Extract from /var/log/secure:

Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_unix(gdm-password:auth): check pass; user unknown
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= 
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 14:57:24 pmp2412 pam: gdm-password[4052]: gkr-pam: error looking up user information for: etu-test
Jun 11 14:57:26 pmp2412 pam: gdm-fingerprint[4053]: pam_succeed_if(gdm-fingerprint:auth): error retrieving user name: Conversation error
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: pam_unix(gdm-password:auth): check pass; user unknown
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= 
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 15:04:48 pmp2412 pam: gdm-password[4074]: gkr-pam: error looking up user information for: etu-test
Jun 11 15:04:51 pmp2412 pam: gdm-fingerprint[4072]: pam_succeed_if(gdm-fingerprint:auth): error retrieving user name: Conversation error
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: pam_unix(gdm-password:auth): check pass; user unknown
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= 
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: pam_succeed_if(gdm-password:auth): error retrieving information about user etu-test
Jun 11 15:14:31 pmp2412 pam: gdm-password[4917]: gkr-pam: error looking up user information for: etu-test
Jun 11 15:14:33 pmp2412 pam: gdm-fingerprint[4918]: pam_succeed_if(gdm-fingerprint:auth): error retrieving user name: Conversation error
Comment 2 stef 2009-06-11 09:50:31 EDT
Just in case you wonder:

# id etu-test
uid=2352(etu-test) gid=513(Domain Users) groups=513(Domain Users),30031(ETUEET),30046(GENSI),30273(EtuEetA1)
Comment 3 stef 2009-06-11 09:52:15 EDT
Created attachment 347399 [details]
modified files for LDAP authentication
Comment 4 stef 2009-06-11 10:37:15 EDT
I could grab a colleague engineer and we found the root of the problem.

There are new files introduced at some point between FC8 and FC11; to succeed you need to modify the following files:

/etc/pam.d/fingerprint-auth
add "account sufficient pam_ldap.so"

/etc/pam.d/password-auth
add "auth sufficient pam_ldap.so use_first_pass"
Comment 5 stef 2009-06-12 08:43:05 EDT
We found a much more elegant solution:

Edit the kickstart so that it uses this line:
# System authorization information
auth --useshadow --passalgo=md5 --enableldap --enableldapauth --ldapserver=ldap://ldap1.doe.com/,ldap://ldap2.doe.com/ --ldapbasedn=dc=doe,dc=com

then add this in the post-install section:
/bin/sed -i '/nss_base_passwd/d' /etc/ldap.conf
echo "nss_base_passwd ou=User,dc=doe,dc=com?one" >> /etc/ldap.conf
Comment 6 Fabien Dupont 2009-06-29 06:51:02 EDT
I have exactly the same problem, but none of those steps work. I have FC11 with the latest updates. The user can authenticate in console mode, but not with gdm. Authentication is configured to use LDAP.

Here's my /etc/pam.d/password-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
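The two lines comment 4 says to add, and the password-auth stack posted in comment 6, can be checked mechanically rather than by eye. The following is an added example, not code from the bug report or from Fedora: it parses a Linux-PAM service file (including the bracketed control syntax used on the account line) and reports whether an LDAP-only account is consulted via pam_ldap.so before pam_deny.so ends the auth phase, whether that line carries use_first_pass, and whether pam_ldap.so appears in the account phase. The BROKEN sample below is constructed.

```python
import re
from typing import List, NamedTuple
# Added example (not from the bug report): check a Linux-PAM service file
# for the pam_ldap.so lines that comment 4 says gdm's stacks need.
class PamRule(NamedTuple):
    phase: str        # auth / account / password / session
    control: str      # required, sufficient, or a [bracketed=spec]
    module: str       # e.g. pam_ldap.so
    args: List[str]   # module arguments such as use_first_pass

# A bracketed control such as "[default=bad success=ok]" contains spaces,
# so the regex captures it as one field before splitting the rest.
_RULE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_file(text: str) -> List[PamRule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        phase, control, module, rest = m.groups()
        rules.append(PamRule(phase.lower(), control, module, rest.split()))
    return rules

def ldap_before_deny(rules: List[PamRule], phase: str) -> bool:
    """True if pam_ldap.so is consulted in `phase` before pam_deny.so ends it."""
    mods = [r.module for r in rules if r.phase == phase]
    return "pam_ldap.so" in mods and (
        "pam_deny.so" not in mods or mods.index("pam_ldap.so") < mods.index("pam_deny.so"))

def check_stack(text: str) -> dict:
    """Can an LDAP-only account get through the auth and account phases?"""
    rules = parse_pam_file(text)
    auth_ldap = [r for r in rules if r.phase == "auth" and r.module == "pam_ldap.so"]
    return {
        "auth_ldap_before_deny": ldap_before_deny(rules, "auth"),
        "auth_use_first_pass": any("use_first_pass" in r.args for r in auth_ldap),
        "account_ldap": any(r.phase == "account" and r.module == "pam_ldap.so" for r in rules),
    }

# Constructed sample: an auth phase lacking the pam_ldap.so line from comment 4.
BROKEN = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
"""
```

Run `check_stack(open("/etc/pam.d/password-auth").read())` and `check_stack(open("/etc/pam.d/fingerprint-auth").read())` on the affected host; any False value points at the stack that still needs the line from comment 4.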
Comment 7 Fabien Dupont 2009-06-29 09:00:45 EDT
I had included a typo in my config. Everything works fine.
Sorry for bugging you.
Comment 8 sharad 2017-12-27 12:42:36 EST
(In reply to Fabien Dupont from comment #7)
> I had included a typo in my config. Everything works fine.
> Sorry for bugging you.

I too have the same issue.
Can you suggest me the resolution, or a proper config file?
