Created attachment 668383 [details] Bzipped pam.d directory

Description of problem:
First of all I am very pleased with the enterprise login option available in user accounts. And it works great. The only trouble I have is that, by default, entering the username requires it to be in the following format: DOMAIN\user.surname

The backslash is giving me headaches with sendmail and mutt, and it is a lot easier to log in and generally work when it is sufficient to just type user.surname as the username. I remembered the assume_default_domain (or similar) option in samba and tried to find an equivalent option in sssd, and found it. So when I set use_fully_qualified_names = False in sssd.conf everything works as expected. I can send mail to a user with just mail user.surname and can read mail with mutt etc.

The problem is that lightdm, sshd and xscreensaver don't respect this and I still have to enter the username in the DOMAIN\user.surname format (with xscreensaver that's not possible at all since it gives me just the option to enter the password).

Here is the relevant output:

xscreensaver: pam_sss(xscreensaver:auth): authentication failure; logname= uid=459001114 euid=459001114 tty=:0.0 ruser= rhost= user=user.surname
xscreensaver: pam_sss(xscreensaver:auth): received for user user.surname: 4 (System error)

And for lightdm:

lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user.surname
lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user.surname
lightdm: pam_sss(lightdm:auth): received for user user.surname: 4 (System error)

The same output goes for sshd.

When I enter the username as DOMAIN\user.surname I can log in with lightdm and ssh:

lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=DOMAIN\user.surname
lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=DOMAIN\user.surname
lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
lightdm: pam_unix(lightdm:session): session opened for user DOMAIN\user.surname by (uid=0)

Also I have a problem with crontab: I can't list cronjobs, and get the following message:

You (user.surname) are not allowed to access to (crontab) because of pam configuration.

I will attach the relevant pam configuration files. su - user.surname however works.

Version-Release number of selected component (if applicable):
Name : sssd
Arch : x86_64
Version : 1.9.3
Release : 1.fc18
Fedora 18 Xfce spin

How reproducible:
Always

Steps to Reproduce:
1. Set use_fully_qualified_names = False in sssd.conf
2. Reboot
3. Try to log in without the DOMAIN\ prefix in the username

Actual results:
Lightdm reports to check the password

Expected results:
Lightdm should start an xfce4 session for the user

Additional info:
If there is any additional information that could help, please let me know. Here is my sssd.conf:

[sssd]
domains = DOMAINX
config_file_version = 2
services = nss, pam

[nss]
default_shell = /bin/bash

[domain/DOMAINX]
auth_provider = ad
simple_allow_users = user.surname
ad_domain = domainx.xxx.xxx
krb5_realm = DOMAIN.XXX.XXX
case_sensitive = False
enumerate = False
chpass_provider = ad
re_expression = (?P<domain>[^\\]+)\\(?P<name>[^\\]+)
cache_credentials = True
id_provider = ad
full_name_format = %2$s\%1$s
krb5_store_password_if_offline = True
access_provider = simple
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u

Sorry about the bzipped file, I didn't want to spam the report with most of the files in pam.d.
We should probably be at least printing a better error message than System Error. Can you try putting debug_level=10 into the [pam] and [domain/DOMAINX] sections, restart the SSSD and attach the files (sanitized if needed) /var/log/sssd_pam.log, /var/log/sssd/sssd_DOMAINX.log and /var/log/sssd/krb5_child.log
At the moment all I could try was ssh to the box; tomorrow I will post the output from lightdm and xscreensaver.

sshd[10892]: Invalid user user.surname from xxx.xxx.xxx.xxx
sshd[10892]: input_userauth_request: invalid user user.surname [preauth]
sshd[10892]: pam_unix(sshd:auth): check pass; user unknown
sshd[10892]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
sshd[10892]: Failed password for invalid user user.surname from xxx.xxx.xxx.xxx port xxxxx ssh2
sshd[10892]: pam_unix(sshd:auth): check pass; user unknown

krb5_child.log is empty. Attaching sssd_pam.log and sssd_DOMAINX.log.
Created attachment 671537 [details] sssd_pam.log
Created attachment 671539 [details] sssd_DOMAINX.log
When I comment out the parameter

re_expression = (?P<domain>[^\\]+)\\(?P<name>[^\\]+)

I can log in just fine without the domain prefix. I really don't know why I haven't thought of this one before; I guess suspecting PAM was at the top of the list. It is already mentioned in the man pages that

(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))

allows all three (will try later) logon formats (username, username@domain and DOMAIN\username), but by default sssd is configured to accept only DOMAIN\username. It would be nice if the enterprise login had an option to choose whether you want to use the fqdn, and to make sure re_expression by default allows all three login formats. Jakub, thank you very much. I'll be happy to provide any information that could be useful before closing this bug report...
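As an added illustration (not from the bug report or the SSSD project), this Python snippet reproduces how the two re_expression values discussed above split a login into name and domain: the single-format default from the reporter's sssd.conf, which cannot parse a bare user.surname at all, and the three-format expression quoted from the man page. Python's re module refuses duplicate group names, so the man-page expression is split into its alternatives and tried in order, which assumes PCRE's first-matching-alternative behaviour rather than reusing SSSD's own code; the full_name_format rendering is a minimal stand-in for SSSD's printf-style handling.

```python
import re

# Default re_expression, as in the reporter's sssd.conf: only DOMAIN\user parses.
DEFAULT_RE = [r"(?P<domain>[^\\]+)\\(?P<name>[^\\]+)"]

# The three-format expression from the sssd.conf man page, split into its
# alternatives because Python's re module rejects reused group names. Trying
# them in order mimics PCRE picking the first alternative that matches
# (an assumption about the regex engine, not SSSD's own parsing code).
ALL_FORMATS = [
    r"(?P<domain>[^\\]+)\\(?P<name>.+$)",   # DOMAIN\user
    r"(?P<name>[^@]+)@(?P<domain>.+$)",     # user@domain
    r"^(?P<name>[^@\\]+)$",                 # bare user
]


def parse_login(login, expressions=DEFAULT_RE):
    """Split a login into (name, domain) the way re_expression would.

    Returns None when nothing matches. That is the reporter's situation:
    with the default expression a bare 'user.surname' has no backslash,
    so it cannot be parsed and pam_sss fails even though
    use_fully_qualified_names = False is set.
    """
    for expr in expressions:
        match = re.search(expr, login)
        if match:
            groups = match.groupdict()
            return groups["name"], groups.get("domain")
    return None


def full_name(name, domain, fmt=r"%2$s\%1$s"):
    """Render full_name_format: %1$s is the user name, %2$s the domain."""
    return fmt.replace("%1$s", name).replace("%2$s", domain)


if __name__ == "__main__":
    # Constructed sample logins covering the three formats the man page lists.
    for login in ("DOMAIN\\user.surname", "user.surname@domainx.xxx.xxx", "user.surname"):
        print(f"{login:32} default={parse_login(login)}  "
              f"all_formats={parse_login(login, ALL_FORMATS)}")
```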
Enhancements to the regex schemas are being tracked in https://fedorahosted.org/sssd/ticket/1648 and https://fedorahosted.org/sssd/ticket/1468